Author: post Bina

  • Design as Rhythm and Rebellion: The Work of Enrico Gisana



    My name is Enrico Gisana, and I’m a creative director, graphic and motion designer.

    I’m the co-founder of GG—OFFICE, a small independent visual arts studio based in Modica, Sicily. I consider myself a multidisciplinary designer because I bring together different skills and visual languages. I work across analog and digital media, combining graphic design, typography, and animation, often blending these elements through experimental approaches. My design approach aims to push the boundaries of traditional graphic conventions, constantly questioning established norms to explore new visual possibilities.

    My work mainly focuses on branding, typography, and motion design, with a particular emphasis on kinetic typography.

    Between 2017 and 2025, I led numerous graphic and motion design workshops at various universities and art academies in Italy, including Abadir (Catania), Accademia di Belle Arti di Frosinone, Accademia di Belle Arti di Roma, CFP Bauer (Milan), and UNIRSM (San Marino). Since 2020, I’ve been teaching motion design at Abadir Academy in Catania, and since 2025, kinetic typography at CFP Bauer in Milan.

    Featured work

    TYPEXCEL — Variable font

    I designed an online half-day workshop for high school students on the occasion of an open day at the Academy of Design and Visual Communication Abadir, held in 2021.

    The goal of this workshop was to create a first contact with graphic design, but most of all with typography, using an Excel spreadsheet as a modular grid composed of editable and variable cells, instead of professional software which requires specific knowledge.

    The cell pattern allowed the students to create letters, icons, and glyphs. It was a stimulating exercise that helped them discover and develop their own design and creative skills.

    This project was published in Slanted Magazine N°40 “Experimental Type”.

    DEMO Festival

    DEMO Festival (Design in Motion Festival) is one of the world’s most prominent motion design festivals, founded by the renowned Dutch studio Studio Dumbar. The festival takes over the entire digital screen network of Amsterdam Central Station, transforming public space into a 24-hour exhibition of cutting-edge motion work from around the globe.

    I’ve had the honor of being selected multiple times to showcase my work at DEMO: in 2019 with EYE SEQUENCE; in 2022 with ALIEN TYPE and VERTICAL; and again in 2025 with ALIEN TRIBE, HELLOCIAOHALLOSALUTHOLA, and FREE JAZZ.

    In the 2025 edition, ALIEN TRIBE and HELLOCIAOHALLOSALUTHOLA were also selected for the Special Screens program, which extended the festival’s presence beyond the Netherlands. These works were exhibited in digital spaces across cities including Eindhoven, Rotterdam, Tilburg, Utrecht, Hamburg, and Düsseldorf, reaching a broader international audience.

    MARCO FORMENTINI

    My collaboration with Italian footwear designer Marco Formentini, based in Amsterdam, began with the creation of his visual identity and gradually expanded into other areas, including apparel experiments and the design of his personal website.

    Each phase of the project reflects his eclectic and process-driven approach to design, while also allowing me to explore form, texture, and narrative through different media.

    Below is a closer look at the three main outputs of this collaboration: logo, t-shirt, and website.

    Logo

    Designed for Italian footwear designer Marco Formentini, this logo reflects his broad, exploratory approach to design. Rather than sticking to a traditional monogram, I fused the letters “M” and “F” into a single, abstract shape, something that feels more like a symbol than a set of initials. The result is a wild, otherworldly mark that evokes movement, edge, and invention, mirroring Marco’s ability to shift across styles and scales while always keeping his own perspective.

    Website

    I conceived Marco Formentini’s website as a container, a digital portfolio without a fixed structure. It gathers images, sketches, prototypes, and renderings not through a linear narrative but through a visual flow that embraces randomness.

    The layout is split into two vertical columns, each filled with different types of visual content. By moving the cursor left or right, the columns dynamically resize, allowing the user to shift focus and explore the material in an intuitive and fluid way. This interactive system reflects Marco’s eclectic approach to footwear design, a space where experimentation and process take visual form.

    Website development by Marco Buccolo.

    Check it out: marco-formentini.com

    T-Shirt

    Shortly after working on his personal brand, I shared with Marco Formentini a few early graphic proposals for a potential t-shirt design, while he happened to be traveling through the Philippines with his friend Jo.

    Without waiting for a full release, he spontaneously had a few pieces printed at a local shop he stumbled upon during the trip, mixing one of the designs on the front with a different proposal on the back. An unexpected real-world test run for the identity, worn into the streets before even hitting the studio.

    Ditroit

    This poster was created to celebrate the 15th anniversary of Ditroit, a motion design and 3D studio based in Milan.

    At the center is an expressive “15”, a tribute to the studio’s founder, a longtime friend and former graffiti companion. The design reconnects the present with our shared creative roots and the formative energy of those early years.

    Silver on black: a color pairing rooted in our early graffiti experiments, reimagined here to celebrate fifteen years of visual exploration.

    Tightype

    A series of typographic animations I created for the launch of Habitas, the typeface designed by Tightype and released in 2021.

    The project explores type in motion, not just as a vehicle for content but as a form of visual expression in itself. Shapes bounce, rotate and multiply, revealing the personality of the font through rhythm and movement.

    Jane Machine

    SH SH SH SH is the latest LP from Jane Machine.

    The cover is defined by the central element of the lips, directly inspired by the album’s title. The lips not only mimic the movement of the “sh” sound but also evoke the noise of tearing paper. I amplified this effect through the creative process by first printing a photograph of the lips and then tearing it, introducing a tactile quality that contrasts with and complements the more electronic aesthetic of the colors and typography.

    Background

    I’m a creative director and graphic & motion designer with a strong focus on typography.

    My visual journey started around the age of 12, shaped by underground culture: I was into graffiti, hip hop, breakdancing, and skateboarding.

    As I grew up, I explored other scenes, from punk to tekno, from drum and bass to more experimental electronic music. What always drew me in, beyond the music itself, was the visual world around it: free party flyers, record sleeves, logos, and type everywhere.

    Between 2004 and 2010, I produced tekno music, an experience that deeply shaped my approach to design. That’s where I first learned about timelines, beats, and rhythm, all elements that today are at the core of how I work with motion.

    Art has also played a major role in shaping my visual culture, from the primitive signs of hieroglyphs to Cubism, Dadaism, Russian Constructivism, and the expressive intensity of Antonio Ligabue.

    The aesthetics and attitude of those worlds continue to influence everything I do and how I see things.

    In 2013, I graduated in Graphic Design from IED Milano and started working with various agencies. In 2014, I moved back to Modica, Sicily, where I’m still based today.

    Some of my animation work has been featured at DEMO Festival, the international motion design event curated by Studio Dumbar, in the 2019, 2022, and 2025 editions.

    In 2022, I was published in Slanted Magazine #40 (EXPERIMENTAL TYPE) with TYPEXCEL, Variable font, a project developed for a typography workshop aimed at high school students, entirely built inside an Excel spreadsheet.

    Since 2020, I’ve been teaching Motion Design at Abadir, Academy of Design and Visual Communication in Catania, and in 2025 I started teaching Type in Motion at Bauer in Milan.

    In 2021, together with Francesca Giampiccolo, I founded GG—OFFICE, a small independent visual studio based in Modica, Sicily.

    GG—OFFICE is a design space where branding and motion meet through a tailored and experimental approach. Every project grows from dialogue, evolves through research, and aims to shape contemporary, honest, and visually forward identities.

    In 2025, Francesca and I gave a talk on the theme of madness at Desina Festival in Naples, a wild, fun, and beautifully chaotic experience.

    Design Philosophy

    My approach to design is rooted in thought (I think a lot) as well as in research, rhythm, and an almost obsessive production of drafts.

    Every project is a unique journey where form always follows meaning, and never simply does what the client says.

    This is not about being contrary; it’s about bringing depth, intention and a point of view to the process.

    I channel the raw energy and DIY mindset of the subcultures that shaped me early on. I’m referring to those gritty, visual sound-driven scenes that pushed boundaries and blurred the line between image and sound. I’m not talking about the music itself, but about the visual culture that surrounded it. That spirit still fuels my creative engine today.

    Typography is my playground, not just a visual tool but a way to express structure, rhythm and movement.

    Sometimes I push letterforms to their limit, to the point where they lose readability and become pure visual matter.

    Whether I’m building a brand identity or animating graphics, I’m always exploring new visual languages, narrative rhythms and spatial poetry.

    Tools and Techniques

    I work across analog and digital tools, but most of my design and animation takes shape in Adobe Illustrator, After Effects, InDesign and Photoshop. And sometimes even Excel 🙂 especially when I want to break the rules and rethink typography in unconventional ways.

    I’m drawn to processes that allow for exploration and controlled chaos. I love building visual systems, breaking them apart and reconstructing them with intention.

    Typography, to me, is a living structure, modular, dynamic and often influenced by visual or musical rhythm.

    My workflow starts with in-depth research and a large amount of hand sketching.

    I then digitize the material, print it, manipulate it manually by cutting, collaging and intervening physically, then scan it again and bring it back into the digital space.

    This back-and-forth between mediums helps me achieve a material quality and a sense of imperfection that pure digital work often lacks.

    Inspiration

    Beyond the underground scenes and art movements I mentioned earlier, my inspiration comes from everything around me. I’m a keen observer and deeply analytical. Since I was a kid, I’ve been fascinated by people’s gestures, movements, and subtle expressions.

    For example, when I used to go to parties, I would often stand next to the DJ, not just to watch their technique, but to study their body language, movements, and micro-expressions. Even the smallest gesture can spark an idea.

    I believe inspiration is everywhere. It’s about being present and training your eye to notice the details most people overlook.

    Future Goals

    I don’t have a specific goal or destination. My main aim is to keep doing things well and to never lose my curiosity. For me, curiosity is the fuel that drives creativity and growth, so I want to stay open, keep exploring, and enjoy the process without forcing a fixed outcome.

    Message to Readers

    Design is not art!

    Design is method, planning, and process. However, that method can, and sometimes should, be challenged, as long as you remain fully aware of what you are doing. It is essential that what you create can be reproduced consistently and, depending on the project, works effectively across different media and formats. I always tell my students that you need to know the rules before you can break them. To do good design, you need a lot of passion and a lot of patience.

    Contact




  • Try Cross-browser Testing! (For Free!)



    TLDR: You can cross-browser test your website in real browsers for free without installing anything by using Browserling. It runs all browsers (Chrome, Firefox, Safari, Edge, etc.) on all systems, so you don’t need to download them or keep your own browser stack.

    What Is Cross-browser Testing?

    Cross-browser testing means checking how a website looks and works in different browsers. Every browser, like Chrome, Firefox, Edge, or Safari, shows websites a little differently. Sometimes your site looks fine in one but breaks in another. Cross-browser testing makes sure your site works for everyone.

    Why Do I Need It?

    Because your visitors don’t all use the same browser. Some people are on Chrome, others on Safari or Firefox, and some still use Internet Explorer. If your site only works on one browser, you’ll lose visitors. Cross-browser testing helps you catch bugs before your users do.

    Can I Test Mobile Browsers Too?

    Yes, cross-browser testing tools like Browserling let you check both desktop and mobile versions. You can quickly switch between screen sizes and devices to see how your site looks on phones, tablets, and desktops.

    Do I Have to Install Different Browsers?

    Nope! That’s the best part. You don’t need to clutter your computer with ten different browsers. Instead, cross-browser testing runs them in the cloud. You just pick the browser you want and test right from your own browser window.

    Is It Safe?

    Totally. You’re not installing anything shady, and you’re not downloading random browsers from sketchy websites. Everything runs on Browserling’s secure servers.

    What If I Just Want to Test a Quick Fix?

    That’s exactly what the free version is for. Got a CSS bug? A weird layout issue? Just load up the browser you need, test your page, and see how it behaves.

    How Is This Different From Developer Tools?

    Dev tools are built into browsers and help you inspect your site, but they can’t show you how your site looks in browsers you don’t have. Cross-browser testing lets you actually run your site in those missing browsers and see the real deal.

    Is It Good for Developers and Testers?

    For sure. Developers use cross-browser testing to make websites look right across platforms. QA testers use it to make sure new releases don’t break old browsers. Even hobbyists can use it to make their personal sites look better.

    Is It Free?

    Yes, Browserling has a free plan with limited time per session. If you need more testing power, they also have paid options. But for quick checks, the free plan is usually enough.

    What Is Browserling?

    Browserling is a free cloud-based cross-browser testing service. It lets you open real browsers on real machines and test your sites instantly. The latest geo-browsing feature allows you to route your tests through 20+ countries to see how websites behave across regions or to bypass sites that try to block datacenter traffic. Plus, the latest infrastructure update added admin rights, WSL with Ubuntu/Kali, build tools, custom resolutions, and more.

    Who Uses Browserling?

    Browserling is trusted by developers, IT teams, schools, banks, and even governments. Anyone who needs websites to “just work” across browsers uses Browserling. Millions of people test their sites on it every month.

    Happy testing!





  • A Behind-the-Scenes Look at the New Jitter Website




    If Jitter isn’t on your radar yet, it’s a motion design tool for creative teams that makes creating animated content, from social media assets and ads to product animations and interface mockups, easy and fun.

    Think of it as Figma meets After Effects: intuitive, collaborative, and built for designers who want to bring motion into their workflows without the steep learning curve of traditional tools.

    Why We Redesigned Our Website

    Our previous site had served us well, but it also remained mostly unchanged since we launched Jitter nearly two years ago. The old website focused heavily on the product’s features, but didn’t really communicate its value and use cases. In 2025, we decided it was time for a full refresh.

    The main goal? Not just to highlight what Jitter does, but to articulate why it changes the game for motion design.

    We’ve had hundreds of conversations with creative professionals, from freelancers and brand designers to agencies and startups, and heard four key benefits mentioned consistently:

    1. Ease of use
    2. Creativity
    3. Speed
    4. Collaboration

    These became the pillars of the new site experience.

    We also wanted to make room for growth: a more cohesive brand, better storytelling, real-world customer examples, and educational content to help teams get the most out of Jitter.

    Another major shift was in our audience. The first version of the website was speaking to every designer, highlighting simplicity and familiarity. But as the product evolved, it became clear that Jitter shines the most when used collaboratively across teams. The new website reflects that focus.

    Shaping Our Positioning

    We didn’t define our “how, what, and why” in isolation. Throughout 2024, we spoke to dozens of creative teams, studios, and design leaders, and listened closely.

    We used this ongoing feedback to shape the way we talk about Jitter ourselves: which problems it solves, where it fits in the design workflow, and why teams love it. The new website is a direct result of that research.

    At the same time, we didn’t want Jitter to feel too serious or corporate. Even though it’s built for teams, we aimed to keep the brand light, fun, and relatable. Motion design should be exciting, not intimidating, and we wanted that to come through in the way Jitter sounds and feels.

    Designing With Jitter

    We also walked the talk, using Jitter to design all animations and prototype every interaction across the new site.

    From menu transitions to the way cards animate on scroll, all micro-interactions were designed in Jitter. It gave us speed, clarity, and a single source of truth, and eliminated a lot of the back-and-forth in the handoff process.

    Our development partners at Antinomy Studio and Ingamana used Jitter too. They prototyped transitions and UI motion directly in the tool to validate ideas and communicate back to our team. It was great to see developers using motion as a shared language, not a handoff artifact.

    Building Together with Antinomy Studio

    The development of the new site was handled in collaboration with the talented team at Antinomy Studio.

    The biggest technical challenge was the large horizontal scroll experience on the homepage. It needed to feel natural, responsive, and smooth across devices, and maintain high performance without compromising on the visuals.

    The site was built using React and GSAP for complex, timeline-based animations and transitions.

    “The large horizontal scroll was particularly complicated and required significant responsive changes. Instead of defining overly complex timelines where screen width values would change the logic of the animation in JavaScript, we used progress values as CSS variables. This allowed us to use calc() functions to translate and scale elements, while the GSAP timeline only updates values from 0 to 1. So easy to understand and maintain!”

    — Baptiste Briel, Antinomy

    “We’ve promoted the use of CSS as much as possible for high-performance hover effects and transitions. We’ve even used the new linear() easing functions to bring a bouncy feeling to our CSS animations.

    There’s a great tool created by Jake Archibald on generating spring-like CSS easing functions that you can paste as CSS variables. It’s so much fun to play with, and it’s also something that the Jitter team has implemented in their software, so it was super easy to review and tweak for both design and engineering teams.

    Jitter animations were exported as Lottie files and integrated directly, making the experience dynamic and lightweight. It’s a modern stack that supports our need for speed and flexibility, both in the frontend and behind the scenes.”

    — Baptiste Briel, Antinomy
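An added example, not code from Jitter or Antinomy, of what a spring-based easing generator like the one mentioned above produces: it samples a damped-spring model into a CSS linear() easing string and a matching duration. The spring parameters, sample count and settle tolerance are my assumptions.

```javascript
// Added example, not code from Jitter or Antinomy: sample a damped spring
// into a CSS linear() easing so a CSS transition can "bounce".
// Spring parameters, sample count and settle tolerance are assumptions.

// Closed-form position of an underdamped spring released at 0, resting at 1.
function springPosition(t, { mass = 1, stiffness = 100, damping = 10 } = {}) {
  const omega = Math.sqrt(stiffness / mass);                // natural frequency
  const zeta = damping / (2 * Math.sqrt(stiffness * mass)); // damping ratio
  if (zeta >= 1) throw new Error("damping must be below critical for a bouncy curve");
  const omegaD = omega * Math.sqrt(1 - zeta * zeta);        // damped frequency
  const envelope = Math.exp(-zeta * omega * t);
  return 1 - envelope * (Math.cos(omegaD * t) + ((zeta * omega) / omegaD) * Math.sin(omegaD * t));
}

// Time after which the oscillation envelope has dropped below `tolerance`.
function settleTime({ mass = 1, stiffness = 100, damping = 10 } = {}, tolerance = 0.001) {
  const omega = Math.sqrt(stiffness / mass);
  const zeta = damping / (2 * Math.sqrt(stiffness * mass));
  return -Math.log(tolerance) / (zeta * omega);
}

// Build the linear() string plus the duration the CSS animation should use.
function springEasing(spring = {}, { samples = 40, tolerance = 0.001, precision = 3 } = {}) {
  const duration = settleTime(spring, tolerance);
  const values = [];
  for (let i = 0; i <= samples; i++) {
    const t = (duration * i) / samples;
    values.push(Number(springPosition(t, spring).toFixed(precision)));
  }
  values[values.length - 1] = 1; // pin the end so the element lands exactly on target
  return {
    easing: `linear(${values.join(", ")})`,
    durationMs: Math.round(duration * 1000),
    overshoot: Math.max(...values) - 1, // > 0 means the curve bounces past the target
    values,
  };
}

// Emit a CSS custom-property block ready to paste into a stylesheet.
function springCss(name, spring, options) {
  const r = springEasing(spring, options);
  return `:root {\n  --${name}: ${r.easing};\n  --${name}-duration: ${r.durationMs}ms;\n}`;
}

console.log(springCss("spring-bouncy", { mass: 1, stiffness: 100, damping: 10 }));
```

Use the emitted variables as `transition: transform var(--spring-bouncy-duration) var(--spring-bouncy)`; the sampled values stay a plain CSS easing, so the browser animates them without any JavaScript at runtime.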

    What We Learned

    This redesign taught us a few valuable lessons:

    • Start with benefits, not features. Users don’t care what your product does until they understand how it can help them.
    • Design with your real audience in mind. Jitter for solo designers and Jitter for teams are two different stories. Clarifying our audience helped us craft a stronger, clearer narrative.
    • Prototyping with Jitter helped us move faster, iterate more confidently, and keep design and development in sync.

    We’ve already seen an impact: a sharper brand perception, higher engagement and conversion across all pages, and a new wave of qualified inbound leads from the best brands in the world, including Microsoft, Dropbox, Anthropic, Lyft, Workday, United Airlines, and more. And this is just the beginning.

    What’s Next?

    We see our new website as a constantly evolving platform. In the coming months, we’ll be adding more:

    • Case studies and customer stories
    • Use case pages
    • Learning resources and motion design tutorials
    • Playful experiments and interactive demos

    Our mission remains the same: to make motion design accessible, collaborative, and fun. Our website is now better equipped to carry that message forward.

    Let us know what you think, and if there’s anything you’d love to see next.

    Thanks for reading, and stay in motion 🚀

    Give Jitter a Try

    Get started with Jitter for free and explore 300+ free templates to jumpstart your next project. Once you’re ready to upgrade, get 25% off the first year of paid annual plans with JITTERCODROPS25.




  • A Deep Dive into the UNC6040 Cyber Attack



    Executive Summary

    In early June 2025, Google’s corporate Salesforce instance (used to store contact data for small- and medium-sized business clients) was compromised through a sophisticated vishing and extortion campaign orchestrated by the threat groups tracked as UNC6040 and UNC6240 (part of the online cybercrime collective known as “The Com”, linked to “ShinyHunters”).

    The attackers combined three core vectors:

    1. Voice phishing (vishing): impersonating IT staff in a convincing phone call to persuade a Google employee to approve a malicious application connected to Salesforce, followed by a rapid-reply extortion scheme demanding Bitcoin payment within 72 hours.
    2. OAuth app abuse: the approved application was driven by custom Python scripts that emulate Salesforce’s DataLoader, allowing automated bulk exports.
    3. Anonymity layers: calls initiated from Mullvad VPN addresses, followed by TOR-based data exfiltration, which hid the actors’ true location.

    Though Google confirmed that no user passwords were stolen, the breached dataset included business names, email addresses, phone numbers and related notes. The implications reach far beyond the affected small and medium-sized business customers, touching compliance, brand integrity, partner security, and regulatory scrutiny of SaaS risk management practices.

    Meanwhile, the Salesloft Drift attack orchestrated by UNC6395 has emerged as one of the most significant cyber incidents of late 2025. It compromised Salesloft Drift (an AI chat-bot/assistant) through its Salesforce integration. The stolen OAuth tokens appear to have been used to run SOQL queries against Salesforce databases holding objects such as Cases, Accounts, Users and Opportunities. The attack affected hundreds of Salesforce customers, impacting not just Salesforce users but also other third-party integrations. Salesloft said: “Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords and Snowflake-related access tokens”. Google explicitly warned of the breach’s extensive scope beyond its own systems.

    Primary Tactics & Attack Vectors:

    • Initial access: unauthorized OAuth apps installed via trial accounts (using legitimate email domains) and later via compromised accounts from unrelated orgs.
    • Vishing and social engineering: voice phishing calls to employees.
    • Exfiltration: custom Python scripts that replicate DataLoader operations.
    • Infrastructure: initial calls routed via Mullvad VPN IPs; data transfer via TOR exit nodes.
    • Extortion: demands for immediate Bitcoin payment.
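An added detection example (mine, not from the report) that turns the tactics listed above into signals over constructed Salesforce-style event records: a newly authorized connected app, a generic scripting user agent in place of the official Data Loader, a Tor exit as source address, and a bulk export volume. All field names, addresses and sample values are assumptions, and the Tor exit set is a placeholder for the published exit list.

```javascript
// Added example, not from the original report: flag bulk Salesforce exports
// that carry several UNC6040-style risk signals. Field names, IPs and sample
// events are constructed; replace TOR_EXIT_SET with the published exit list.

const TOR_EXIT_SET = new Set([
  "198.51.100.7", // constructed placeholder (documentation range), not a real exit
]);

// Generic HTTP-library user agents: the report describes custom Python scripts
// emulating DataLoader, so a library UA on a bulk export is a signal.
const SCRIPTED_UA = [/python-requests/i, /aiohttp/i];

// Constructed JSON-lines events, loosely modelled on LoginHistory / Event Monitoring.
const SAMPLE_EVENTS = `
{"ts":"2025-06-02T09:14:05Z","user":"alice@example.com","event":"ConnectedAppAuthorized","app":"Data Loader Helper","userAgent":"Mozilla/5.0","sourceIp":"203.0.113.10"}
{"ts":"2025-06-02T09:16:40Z","user":"alice@example.com","event":"BulkApiQuery","app":"Data Loader Helper","userAgent":"python-requests/2.x","sourceIp":"198.51.100.7","rows":250000,"object":"Account"}
{"ts":"2025-06-02T09:20:02Z","user":"alice@example.com","event":"BulkApiQuery","app":"Data Loader Helper","userAgent":"python-requests/2.x","sourceIp":"198.51.100.7","rows":180000,"object":"Contact"}
{"ts":"2025-06-02T11:00:00Z","user":"bob@example.com","event":"BulkApiQuery","app":"Data Loader","userAgent":"Salesforce DataLoader (constructed UA)","sourceIp":"203.0.113.22","rows":5000,"object":"Lead"}
`;

function parseEvents(text) {
  return text
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map((line) => JSON.parse(line));
}

// One finding per bulk query that carries at least `minSignals` risk signals.
// Requiring more than one signal keeps a lone library UA from paging anyone.
function detectBulkExfil(events, { windowMin = 60, rowThreshold = 100000, minSignals = 2 } = {}) {
  const authorizations = events.filter((e) => e.event === "ConnectedAppAuthorized");
  const findings = [];
  for (const e of events) {
    if (e.event !== "BulkApiQuery") continue;
    const reasons = [];
    if (SCRIPTED_UA.some((re) => re.test(e.userAgent))) reasons.push("scripted user agent");
    if (TOR_EXIT_SET.has(e.sourceIp)) reasons.push("source IP is a Tor exit");
    if (e.rows >= rowThreshold) reasons.push(`bulk export of ${e.rows} rows`);
    const t = Date.parse(e.ts);
    // Same user authorized the same app shortly before the export.
    const recentAuth = authorizations.find((a) => {
      const age = t - Date.parse(a.ts);
      return a.user === e.user && a.app === e.app && age >= 0 && age <= windowMin * 60 * 1000;
    });
    if (recentAuth) {
      const minutes = Math.round((t - Date.parse(recentAuth.ts)) / 60000);
      reasons.push(`app "${e.app}" authorized ${minutes} min earlier`);
    }
    if (reasons.length >= minSignals) {
      findings.push({ ts: e.ts, user: e.user, object: e.object, reasons });
    }
  }
  return findings;
}

function runSample() {
  return detectBulkExfil(parseEvents(SAMPLE_EVENTS));
}

for (const f of runSample()) {
  console.log(`${f.ts} ${f.user} ${f.object}: ${f.reasons.join("; ")}`);
}
```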

    Threat Attribution

    UNC5537, UNC6040 and UNC6240 are likely linked with “Scattered LAPSUS$ Hunters” (described by researchers as a “chaos hub”) and exhibit similar attack patterns.

    A Telegram channel called “Scattered LAPSUS$ Hunters”, blending the names of the ShinyHunters, Scattered Spider and Lapsus$ groups, emerged; researchers describe it as a chaotic hub for leaks and threats. The group focuses on exploiting the human element to gain access to company networks. The channel ran public polls where members voted on which victim’s data to fully dump, advertised zero-day exploits and a supposed new ransomware toolkit, touting the collective’s activity.

    GOOGLE - SALESFORCE BREACH

    UNC6395 shares the theme of abusing OAuth mechanisms for Salesforce access, in its case via a compromised third-party integration, evolving the tactic against cloud ecosystems. Meanwhile, UNC6040 uses vishing and OAuth abuse to access Salesforce through social engineering. The overlapping TTPs indicate a focus on trusted-access applications, and the name ShinyHunters appears across these incidents. Although Google tracks this cluster separately as UNC6395, the ShinyHunters extortion group initially told BleepingComputer that they were behind the Salesloft Drift attack.

    Parallel Campaigns

    Similar tactics were applied in attacks targeting Adidas, Qantas, Allianz Life, LVMH brands (Louis Vuitton, Dior, Tiffany & Co.), Chanel, AT&T, Santander, Starbucks Singapore, the Snowflake breach at Ticketmaster, Cisco, Pandora, Bouygues Telecom, Tokopedia, Homechef, Chatbooks, Portail Orange, Farmers Insurance, TransUnion, UK Legal Aid Agency, Gucci, Salesforce, Fairhaven Homes, Workday, Mazars.fr, Air France-KLM, Phantom Wallet, Neiman Marcus, Coca-Cola, and ZScaler.

    • Qantas Airways: Employee credentials & sensitive flight/customer records targeted. Attack blended SIM swapping + SaaS compromise.
    • Air France-KLM: Airline loyalty accounts and CRM cloud environment probed.
    • Retailers (generalized set): used social engineering and SIM-swap vishing to gain access to IT/helpdesk portals.
    • Okta: Service provider breach led to downstream impact on multiple clients (identity federation exploited).
    • MGM Resorts: Social engineering of IT desk led to ransomware deployment, slot machines & hotel services down for days.
    • Caesars Entertainment: Extortion campaign where ransom was allegedly paid; loyalty program records got leaked.
    • AT&T: Call metadata (500M+ records, including phone numbers, call/SMS logs) stolen and advertised for sale.
    • Ticketmaster (Live Nation): ~560M customer records including event ticketing details, addresses, payment info leaked.
    • Advance Auto Parts: Data set of supply chain and retail customer info stolen.
    • Santander Bank: Customer financial records compromised; reported 30M records affected.
    • LendingTree: Customer PII and loan data exposed.
    • Neiman Marcus: Customer loyalty and credit program data targeted.
    • Los Angeles Unified School District (LAUSD): Student/employee data exfiltrated from Snowflake environment.
    • Pandora, Adidas, LVMH (Louis Vuitton, Chanel, Dior): Retail brand data exposed (customer PII + sales info).
    • ZScaler: UNC6395 compromised the Salesforce instance through Salesloft Drift and stole customer data.

    In the attack involving compromise of the Salesloft Drift AI OAuth token, any data that could be taken from the affected databases (which held information on users, accounts, cases, etc.) can be used by the attacker in various ways. The stolen data could be sold to third parties, used to access email (as reported for a very small number of Google Workspace accounts), or used to launch further credential-reuse attacks on other SaaS accounts.

    Indicators of Compromise:

    UNC6040, UNC6240, UNC6395

    Salesforce-Multi-Org-Fetcher/1.0

    Salesforce-CLI/1.0

    python-requests/2.32.4

    Python/3.11 aiohttp/3.12.15

    In both campaigns, Google observed TOR exit nodes being used to access compromised Salesforce accounts.

    • The majority of attacks orchestrated by UNC6040 and UNC6240 (ShinyHunters) could be traced to TOR exit nodes hosted in either the Netherlands or Poland, primarily at Macarne or Private Layer INC.
    • Attackers were found to blend TOR traffic with legitimate OAuth sessions to obscure their origin and make detection harder. Attacks orchestrated by UNC6395 could be traced to TOR exit nodes hosted in either Germany or the Netherlands, primarily at Stiftung Erneuerbare Freiheit.
    • Many suspicious SOQL queries (data exfiltration) and deletions of scheduled jobs were initiated from TOR IP addresses, indicating that adversaries were anonymizing their data theft operations.

    Similarly, Scattered Spider used TOR exit IPs as a cover for account takeovers and extortion activity.

    • Attackers combined vishing (helpdesk calls) with credential access, then routed subsequent access through Tor.
    • Tor traffic was especially noted when adversaries escalated privileges or accessed sensitive SaaS applications.
    • Europe-heavy nodes with a notable U.S. presence.

    Common Threads Across Both Campaigns

    • TOR IPs were consistently used as operational cover to hide adversary infrastructure.
    • Identity-based intrusions: both groups abused identity trust rather than exploiting zero-days.
    • Overlap with Scattered Spider tradecraft: both campaigns show attackers mixing social engineering or stolen credentials with TOR.
    • The TOR exit nodes have different ASNs, but both campaigns leverage NL exit nodes; ASN 58087 (Florian Kolb, DE) overlaps across both campaigns.

    Threat Landscape

    Threat actors such as UNC6040 (ShinyHunters-affiliated), Scattered Spider (UNC3944), and UNC5537 have targeted organizations in the hospitality, retail, and education sectors in the Americas and Europe.

    Scattered Spider (UNC3944) is known for sophistication and stealth:

    • Reliably uses commercial VPN services to mask origin: Mullvad VPN, ExpressVPN, NordVPN, Ultrasurf, Easy VPN, ZenMate.
    • Employs tools and TTPs including disabling antivirus/EDR, lateral movement via ADRecon, credential dumping with Mimikatz/LaZagne, and persistence via RMM and cloud VMs.

    “The Com”, short for The Community, is less a formal hacking group and more a sociopathic cybercriminal subculture:

    • Comprised of 1,000+ members and mostly aged 11–25, they operate across Canada, the U.S., and the U.K.
    • Engages in SIM swapping, cryptocurrency theft, swatting, sextortion, spear-phishing, and even extreme coercion or violence.
    • Intel471 reports that members are recruited via social media/gaming and coerced into crimes ranging from grooming to violent acts; the network has also issued a manual (“The Bible”) detailing techniques such as ATM skimming, IP grabbing, doxxing, extortion, and grooming.
    Source: DHS’s Joint Regional Intelligence Center and the Central California Intelligence Center

    UNC5537 orchestrated a large-scale breach targeting Snowflake customer environments:

    • In April–June 2024, accessed over 160 organizations including AT&T, Ticketmaster/Live Nation, Santander, Advance Auto Parts, LendingTree, Neiman Marcus, and LA Unified School District, using stolen credentials (often from infostealers) against accounts that lacked MFA.
    • Data stolen included sensitive PII, event tickets, DEA numbers, and call/text metadata (500M+ records in aggregate).
    • Targets were later advertised and extorted through forums.

    DataBreaches.net received screenshots of a Telegram message from ShinyHunters claiming to outpace law enforcement, mocking the capabilities of agencies like the NSA and stating: “Even the NSA can’t stop or identify us anymore. The FBI… is irrelevant and incompetent…”. In conversation, “Shiny” asserted that Scattered Spider sources voice calls and shares access, and hinted at a future “Snowflake 3.0” campaign, promising even greater operations ahead.

    Source: DataBreaches.Net

    Cross-Actor Victim Overlaps

    • Cloud SaaS as a hub: Salesforce (UNC6040), Okta (Scattered Spider), and Snowflake (UNC5537) breaches show pivot via cloud identity/data platforms.
    • Retail & hospitality: Multiple actors target customer/loyalty records
      • Scattered Spider targeted casinos.
      • UNC6040 targeted retailers.
      • UNC5537 targeted luxury brands.
    • Education: UNC6040 and UNC5537 both hit educational institutions, stealing student/faculty data.
    • Financial institutions: Santander (UNC5537) vs smaller fintech/payment targets by The Com/Scattered Spider (SIM swaps).

    Detection & Monitoring Guidance

    Additional indicators and associated detection rules for this threat group are made available through STI and SMAP.

    What we recommend

    • Monitoring Logs
      Continuously scan for LOGIN events from unfamiliar IP ranges (especially Mullvad or TOR exit nodes). Flag any API activity exhibiting a high volume of requests every hour.
    • OAuth App Watch‑list
      Maintain a dynamic registry of approved apps. Trigger alerts on new or anomalous app registrations. Enforce a mandatory admin sign‑off workflow. The detection rule below (a KQL query over the Entra ID SigninLogs table) is an example of flagging repeated OAuth 2.0 sign-ins to Salesforce-named apps:
      `SigninLogs | where ResultType == "0" | where AuthenticationDetails has "OAuth:2.0" | where AppDisplayName startswith "Salesforce" | summarize count() by UserPrincipalName, AppDisplayName, IPAddress | where count_ > 5`
    • Vishing Detection
      Implement caller‑ID verification, deploy voice‑analytics modules that detect key phrases (e.g., “please pay”, “this is Google”), and cross‑reference against known threat‑intelligence feeds. Integrate with your call‑center platform to surface suspicious calls in real time.
    • Network Traffic Analysis
      Inspect outbound traffic for TOR exit nodes and VPN tunnels that deviate from corporate baselines. Use DPI to spot unusually large, encrypted payloads.
    • Threat‑Intelligence Feeds
      Subscribe to the latest ATT&CK and IOC updates for UNC6040/ShinyHunters. Monitor public Telegram channels for freshly disclosed IOCs.
    • Zero‑Trust IAM to reduce credential‑compromise impact
      MFA, least‑privilege, RBAC for all Salesforce users.
    • OAuth App Governance to stop rogue app installations
      Manual approval + periodic review
    • IP‑Based Restrictions to limit exfiltration paths
      Allow only corporate VPN IPs; block TOR exits
    • Endpoint Security to stop malicious code execution
      EDR to detect custom Python scripts
    • Call‑Center Hardening to mitigate human‑facing social engineering
      Caller‑ID verification, recorded scripts, staff training
    • Data Loss Prevention to detect anomalous data movements
      DLP on outbound exports (volume limits + alerts)
    • Strategic Initiative: SaaS Posture Management – continuous inventory & policy enforcement for third‑party integrations. Early rogue‑app detection is our key takeaway.
    • Revoke and rotate tokens/credentials: Immediately revoke OAuth tokens tied to Salesloft Drift and reset all exposed API keys.
    • Audit activity logs: Review SOQL queries and job deletions between Aug 8–18, 2025 for suspicious access.
    • Limit OAuth permissions: Enforce least privilege, review app scopes regularly, and tighten approval workflows.
    • Govern tokens: Ensure short-lived tokens, track their use, and revoke unused ones.
    • Secure stored credentials: Move AWS keys, Snowflake tokens, and other secrets out of Salesforce objects into vaults.
    • Enhance monitoring: Use UEBA to detect unusual SaaS behavior and consolidate logs across Salesforce, identity providers, and third-party apps.
    • Restrict integrations: Apply IP/network restrictions and remove untrusted apps until validated.
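    As an added example (not the report's STI/SMAP rules), the monitoring recommendations above run over a handful of constructed Salesforce-style access records: logins from Tor exit addresses, the tooling user agents listed in the indicators, hourly API volume, SOQL reads of the user/account/case objects, and scheduled-job deletions. The record layout, the RFC 5737 addresses standing in for Tor exits, and the 50-requests-per-hour threshold are assumptions.

```python
"""Score constructed Salesforce-style access records against the indicators
described in the report above. Added example; the record layout, the
RFC 5737 addresses standing in for Tor exits, and the thresholds are
assumptions, not Salesforce's EventLogFile schema or real indicators."""
import re
from collections import Counter
from datetime import datetime

# User-Agent strings listed as indicators in the report. The first two are
# specific enough to alert on; generic HTTP client libraries only corroborate.
STRONG_USER_AGENTS = ("Salesforce-Multi-Org-Fetcher/", "Salesforce-CLI/")
WEAK_USER_AGENTS = ("python-requests/", "aiohttp/")

# Objects the report says held the exfiltrated data.
SENSITIVE_OBJECTS = {"User", "Account", "Case"}
SOQL_FROM = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)

# Constructed stand-in for a Tor exit list (RFC 5737 documentation range).
# In production, load the Tor Project's exit list or your threat-intel feed.
TOR_EXITS = {"203.0.113.7", "203.0.113.45"}


def _bulk_reads(user, ip, ua, hour, n):
    """Constructed burst of paged SOQL reads, one per minute within an hour."""
    return [(f"{hour}:{i % 60:02d}:00", user, "API", ip, ua,
             f"SELECT Id, Email FROM User LIMIT 2000 OFFSET {i * 2000}")
            for i in range(n)]


# Constructed records: (timestamp, user, event type, source IP, User-Agent, detail)
SAMPLE_RECORDS = [
    ("2025-08-09T02:00:00", "svc.drift@example.com", "Login", "203.0.113.7",
     "Salesforce-Multi-Org-Fetcher/1.0", ""),
    *_bulk_reads("svc.drift@example.com", "203.0.113.7",
                 "Salesforce-Multi-Org-Fetcher/1.0", "2025-08-09T02", 60),
    ("2025-08-09T02:59:30", "svc.drift@example.com", "JobDelete", "203.0.113.7",
     "Salesforce-Multi-Org-Fetcher/1.0", "CronTrigger nightly-export"),
    ("2025-08-09T09:15:00", "alice@example.com", "Login", "198.51.100.20",
     "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0", ""),
    ("2025-08-09T09:16:00", "alice@example.com", "API", "198.51.100.20",
     "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0", "SELECT Id FROM Opportunity LIMIT 50"),
    ("2025-08-09T10:00:00", "ci-bot@example.com", "API", "198.51.100.30",
     "python-requests/2.32.4", "SELECT Id FROM Opportunity LIMIT 10"),
]


def parse(record):
    ts, user, event, ip, ua, detail = record
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
            "ip": ip, "ua": ua, "detail": detail}


def record_findings(rec, tor_exits=TOR_EXITS):
    """Per-record rules; each returns a label that analyze() aggregates per user."""
    hits = []
    if rec["event"] == "Login" and rec["ip"] in tor_exits:
        hits.append("login_from_tor_exit")
    if any(marker in rec["ua"] for marker in STRONG_USER_AGENTS):
        hits.append("tooling_user_agent")
    elif any(marker in rec["ua"] for marker in WEAK_USER_AGENTS):
        hits.append("generic_http_client")  # too common to alert on alone
    if rec["event"] == "API":
        match = SOQL_FROM.search(rec["detail"])
        if match and match.group(1) in SENSITIVE_OBJECTS:
            hits.append("soql_on_sensitive_object")
    if rec["event"] == "JobDelete":
        hits.append("scheduled_job_deleted")
    return hits


def hourly_api_volume(records):
    """API calls per (user, hour) bucket: the 'high volume every hour' check."""
    counts = Counter()
    for rec in records:
        if rec["event"] == "API":
            counts[(rec["user"], rec["ts"].strftime("%Y-%m-%dT%H"))] += 1
    return counts


def analyze(raw_records, tor_exits=TOR_EXITS, api_per_hour=50):
    """Return {user: sorted rule labels} for users with at least one strong hit."""
    records = [parse(r) for r in raw_records]
    per_user = {}
    for rec in records:
        for label in record_findings(rec, tor_exits):
            per_user.setdefault(rec["user"], set()).add(label)
    for (user, _hour), n in hourly_api_volume(records).items():
        if n >= api_per_hour:
            per_user.setdefault(user, set()).add("high_api_volume")
    # A generic client library on its own is not an alert, only corroboration.
    return {user: sorted(labels) for user, labels in per_user.items()
            if labels - {"generic_http_client"}}


if __name__ == "__main__":
    for user, labels in analyze(SAMPLE_RECORDS).items():
        print(user, ", ".join(labels))
```

    Generic client libraries such as python-requests show up in plenty of legitimate integrations, so the code records them only as corroboration for a user who has already tripped a stronger rule.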

    Strategic Outlook

    • TTP Evolution – The ShinyHunters group hints at a potential pivot towards ransomware‑as‑a‑service (ShinySP1D3R).
    • Broader Targeting – High‑profile brands (Adidas, Qantas, Chanel, etc.) demonstrate that the same methodology can be scaled.
    • Regulatory Momentum – Expect stricter SaaS risk‑management mandates, amplifying the need for proactive controls.
    • Attribution Difficulty – Continued use of VPN/TOR & compromised third‑party accounts will heighten detection complexity; behavioral analytics will become indispensable.

    Final Note from Our Research Team

    The Google Salesforce breach is a textbook illustration of how modern threat actors blend technical supply‑chain exploitation with fast‑turnover social engineering. For organizations that rely on cloud‑native platforms, we see a critical need to:

    • Revisit SaaS integration policies – treat every third‑party app as a potential attack vector.
    • Strengthen human‑facing security – call‑center hardening and real‑time vishing detection should become a standard part of the security stack.
    • Adopt a data‑centric risk perspective – even smaller datasets can fuel large-scale phishing campaigns.
    • Our threat‑intelligence platform continues to actively monitor the ShinyHunters/Tor‑Mullvad threat chain and will update clients with emerging IOCs and risk indicators. We encourage you to integrate these insights into your defensive posture and to collaborate with our team for a tailored, intelligence‑driven response.

    Conclusion

    The Google internal Salesforce breach orchestrated by UNC6040 (“ShinyHunters”) underscores critical vulnerabilities in modern SaaS environments. The attack demonstrates that even data traditionally considered “low-sensitivity” can be weaponized for targeted phishing and extortion schemes, while also posing significant regulatory, reputational, operational, and financial risks. Organizations must adopt robust Identity & Access Management controls, enforce strict OAuth governance, and integrate comprehensive monitoring to mitigate evolving threats.

    The UNC6395 campaign highlights how third-party OAuth integrations can undermine SaaS security. By abusing trusted tokens, attackers bypassed MFA and exfiltrated sensitive data from hundreds of organizations. This attack reinforces that SaaS ecosystems, not just core apps, are prime targets. Strong governance over OAuth apps, token lifecycles, and SaaS behaviors is critical to reducing risk. Proactive monitoring, least privilege, and credential hygiene are essential to defending against token-based intrusions like this one.

    Authors

    Deepak Thomas Philip

    Kartikkumar Jivani

    Sathwik Ram Prakki

    Subhajeet Singha

    Rhishav Kanjilal

    Shayak Tarafdar




  • Measuring maintainability metrics with NDepend | Code4IT



    Keeping an eye on maintainability is mandatory for every project which should live long. With NDepend, you can measure maintainability for .NET projects.


    Software systems can be easy to build but hard to maintain. The longer a system is maintained, the more updates to its code will be needed.

    Structuring the code to help maintainability is crucial if your project is expected to evolve.

    In this article, we will learn how to measure the maintainability of a .NET project using NDepend, a tool that can be installed as an extension in Visual Studio.

    So, let’s begin with the how, and then we’ll move to the what.

    Introducing NDepend

    NDepend is a tool that performs static analysis on any .NET project.

    It is incredibly powerful and can calculate several metrics that you can use to improve the quality of your code, like Lines of Code, Cyclomatic Complexity, and Coupling.

    You can use NDepend in two ways: installing it on your local Visual Studio instance, or using it in your CI/CD pipelines, to generate reports during the build process.

    In this article, I’ve installed it as a Visual Studio extension. Once it is ready, you’ll have to create a new NDepend project and link it to your current solution.

    To do that, click on the ⚪ icon in the bottom-right corner of Visual Studio, and create a new NDepend project. It will create an .ndproj project and attach it to your solution.

    When creating a new NDepend project, you can choose which of your .NET projects must be taken into consideration. You’ll usually skip analyzing test projects.

    Create NDepend project by selecting .NET projects to be analyzed

    Then, to run the analysis of your solution, you need to click again on that ⚪ icon and click Run analysis and generate report.

    Now you’ll have two ways to access the results. On an HTML report, like this one:

    NDepend HTML report

    Or as a Dashboard integrated with Visual Studio:

    NDepend dashboard on Visual Studio

    You will find most of the things in the HTML report.

    What is Maintainability

    Maintainability is a quality of a software system (a single application or a group of applications) that describes how easy it is to maintain it.

    Easy-to-maintain code has many advantages:

    • it allows quicker and less expensive maintenance operations
    • the system is easier to reverse-engineer
    • the code is oriented to the other devs as well as to the customers
    • it keeps the system easy to update if the original developers leave the company

    There are some metrics that we can use to get an idea of how easy it is to maintain our software.

    And to calculate those metrics, we will need some external tools. Guess what? Like NDepend!

    Lines of code (LOC)

    Typically, systems with more lines of code (abbreviated as LOC) are more complex and, therefore, harder to maintain.

    Of course, it’s the order of magnitude of that number that tells us about the complexity; 90000 and 88000 are similar numbers, and you won’t see any difference between them.

    Two types of LOC can be calculated: physical LOC and logical LOC.

    Physical LOC refers to the total count of lines of your code. It’s the easiest one to calculate since you can just count the lines of code as they appear.

    Logical LOC is about only the effectively executable lines of code. Spacing, comments, and imports are excluded from this count.

    Calculating LOC with NDepend

    If you want to see the LOC value for your code, you can open the NDepend HTML report, head to Metrics > Types Metrics (in the left menu), and see that value.

    This value is calculated from the IL and the actual C# code, so it may not match the exact number of lines you see in your IDE. Still, it’s a good estimate for understanding which classes and methods need some attention.

    LOC value report generated by NDepend

    Why is LOC important?

    Keeping track of LOC is useful because the more lines of code, the more possible bugs.

    Also, having lots of lines of code can make refactoring harder, especially because it’s probable that there is code duplication.

    How to avoid it? Well, probably, you can’t. Or, at least, you can’t move to a lower magnitude. But, still, you can organize the code in modules with a small LOC value.

    In this way, every LOC is easily maintainable, especially if focused on a specific aspect (SRP, anyone?)

    The total LOC value won’t change. What will change is how the code is distributed across separated and independent modules.

    Cyclomatic complexity (CC)

    Cyclomatic complexity measures the number of linearly independent paths through a module.

    This formula works for simple programs and methods:

    CC = E-N+2
    

    where E is the number of Edges of the graph, while N is the number of Nodes.

    Wait! Graph?? 😱

    Yes, graphs!

    Code can be represented as a graph, where each node is a block of code.

    Take as an example this method:

    public string GetItemDescription(Item item)
    {
        string description;
        if (item == null)
            description = string.Empty;
        else
            description = item.Name + " - " + item.Seller;
    
        return description;
    }
    

    Here we have 4 nodes (N=4) and 4 edges (E=4).

    GetItemDescription described as a graph

    so

    CC = 4-4+2 = 2
    

    Again, you will not calculate CC manually: we can use NDepend instead.

    Calculating Cyclomatic Complexity with NDepend

    As described before, the first step is to run NDepend and generate the HTML report. Then, open the left menu and click on Metrics > Type Metrics.

    Here you can see the values for Cyclomatic Complexity for every class (but you cannot drill down to every method).

    Cyclomatic complexity

    Why is CC important?

    Keeping track of Cyclomatic Complexity is good to understand the degree of complexity of a module or a method.

    The higher the CC, the harder it will be to maintain and update the module.

    We can use Cyclomatic Complexity as a lower limit for test cases. Since the CC of a method tells us about the number of independent execution paths, we can use that value to see the minimum number of tests to execute on that method. So, in the previous example, CC=2, and we need at least two tests: one for the case when item is null, and one for the case when item is not null.

    Depth of Inheritance Tree (DIT)

    Depth of Inheritance Tree (DIT) is the maximum length of the path between a base class and its farthest subclass.

    Take for example this simple class hierarchy.

    public class User{}
    
    public class Teacher : User { }
    
    public class Student : User { }
    
    public class AssociatedTeacher : Teacher { }
    

    It can be represented as a tree, to better understand the relationship between classes:

    User class hierarchy as a tree

    Since the maximum depth of the tree is 3, the DIT value is 3.
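    As an added example (not the article's code nor NDepend's), here are the three metrics above computed by hand on Python ports of the article's C# snippets: CC from the article's 4-node graph via E - N + 2, CC and logical LOC from the source via the AST, and DIT from the class hierarchy. Assumptions: logical LOC counts distinct statement lines (the def line included, blank lines and comments excluded), CC is decision points + 1 (equal to E - N + 2 for a single-entry, single-exit graph), and DIT counts base classes including the root object, as NDepend counts System.Object.

```python
"""Added example (not from the article or NDepend): the three maintainability
metrics the article measures, computed on Python ports of its C# snippets.
Assumptions: logical LOC = distinct statement lines (def line included, blank
lines and comments excluded); CC = decision points + 1, which equals E - N + 2
for a single-entry, single-exit control-flow graph; DIT counts base classes
including the root object, the way NDepend counts System.Object."""
import ast

# Python port of the article's GetItemDescription, plus a second function
# with more branching. Kept as a string so the analysis works on any source.
SAMPLE_SOURCE = '''
def get_item_description(item):
    # a single if/else: one decision point, so CC = 2
    description = ""
    if item is None:
        description = ""
    else:
        description = item.name + " - " + item.seller

    return description


def risky(a, b, items):
    if a and b:        # 'if' plus one 'and': two decision points
        return 1
    for x in items:    # loop: one decision point
        if x:          # one decision point
            return x
    return 0           # four decisions in total, so CC = 5
'''

# The article's 4-node graph for GetItemDescription, written as an edge list.
ARTICLE_GRAPH_EDGES = [("if", "then"), ("if", "else"),
                       ("then", "return"), ("else", "return")]

# AST nodes that open a new branch or loop (one decision point each).
DECISION_NODES = (ast.If, ast.For, ast.While, ast.IfExp,
                  ast.ExceptHandler, ast.comprehension)


def _function(source, name):
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef) and node.name == name:
            return node
    raise KeyError(name)


def cc_from_graph(edges):
    """CC = E - N + 2, straight from the article's formula."""
    nodes = {n for edge in edges for n in edge}
    return len(edges) - len(nodes) + 2


def cyclomatic_complexity(source, name):
    """Decision-point count + 1 for the named function in `source`."""
    cc = 1
    for node in ast.walk(_function(source, name)):
        if isinstance(node, DECISION_NODES):
            cc += 1
        elif isinstance(node, ast.BoolOp):   # each extra and/or operand is a branch
            cc += len(node.values) - 1
    return cc


def logical_loc(source, name):
    """Distinct source lines on which a statement starts in the named function."""
    fn = _function(source, name)
    return len({node.lineno for node in ast.walk(fn) if isinstance(node, ast.stmt)})


# Python port of the article's class hierarchy.
class User:
    pass


class Teacher(User):
    pass


class Student(User):
    pass


class AssociatedTeacher(Teacher):
    pass


def depth_of_inheritance(cls):
    """Longest chain of base classes below cls, root object included (object itself is 0)."""
    return max((1 + depth_of_inheritance(base) for base in cls.__bases__), default=0)


if __name__ == "__main__":
    print("CC from the article's graph:", cc_from_graph(ARTICLE_GRAPH_EDGES))
    for name in ("get_item_description", "risky"):
        print(name, "LOC:", logical_loc(SAMPLE_SOURCE, name),
              "CC:", cyclomatic_complexity(SAMPLE_SOURCE, name))
    for cls in (User, Teacher, Student, AssociatedTeacher):
        print(cls.__name__, "DIT:", depth_of_inheritance(cls))
```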

    How to calculate DIT with NDepend

    As usual, run the code analysis with NDepend to generate the HTML report.

    Then, you can head to Metrics > Type Metrics and navigate to the Code Members and Inheritance section to see the value of DIT of each class.

    DIT calculated with NDepend

    Why is DIT important?

    Inheritance is a good way to reduce code duplication, that’s true: everything that is defined in the base class can be used by the derived classes.

    But still, you should keep an eye on the DIT value: if the depth is greater than a certain amount (5, as stated by many devs), you’re probably risking bugs and unwanted behaviors caused by some of the parent classes.

    Also, having such a deep hierarchy may cause your system to be hard to maintain and evolve. So, if possible, prefer composition over inheritance.

    Two words about NDepend

    For sure, NDepend is an amazing tool for static analysis. All those metrics can be really useful – if you know how to use them. Luckily, not only do they give you the values of those metrics, but they also explain them.

    In this article, I showed the most boring stuff you can see with NDepend. But you can do lots of incredible things.

    My favorite ones are:

    Instability vs Abstractness diagram, which shows if your modules are easy to maintain. The relation between Instability and Abstractness is well explained in Uncle Bob’s Clean Architecture book.

    Instability vs Abstractness diagram

    Assemblies Dependencies, which lists all the assemblies referenced by your project. Particularly useful to keep track of the OSS libraries you’re using, in case you need to update them for whichever reason (Log4J, anyone?)

    Assemblies Dependencies

    Then, the Component Dependencies Diagram, which is probably my fav feature: it allows you to navigate the modules and classes, and to understand which module depends on which other module.

    Component Dependencies Diagram

    and many more.

    BUT!

    There are also things I don’t like.

    I found it difficult to get started with it: installing and running it the first time was quite difficult. Even updating it is not that smooth.

    Then, the navigation menu is not that easy to understand. Take this screenshot:

    NDepend Menu

    Where can I find the Component Dependencies Diagram? Nowhere – it is accessible only from the homepage.

    So, the tool is incredibly useful, but it’s difficult to use (at first, obviously).

    If the NDepend team starts focusing on the usability and the UI, I’m sure it can quickly become a must-have tool for every team working on .NET. Of course, if they create a free (or cheaper) tier for their product with reduced capabilities: now it’s quite expensive. Well, actually it is quite cheap for companies, but for solo devs it is not affordable.

    Additional resources

    If you want to read more about how NDepend calculates those metrics, the best thing to do is to head to their documentation.

    🔗 Code quality metrics | NDepend

    And, obviously, have a look at that project:

    🔗 NDepend Homepage

    As I said before, you should avoid creating too many subclasses. Rather, you should compose objects to extend their behavior. A good way to do that is through the Decorator pattern, as I explained here.

    🔗 Decorator pattern with Scrutor | Code4IT

    To test NDepend I used an existing, and well-known, project, that you can see on GitHub: Clean Architecture, created by Steve Smith (aka Ardalis).

    🔗 Clean Architecture repository | GitHub

    Wrapping up

    In this article, we’ve seen how to measure metrics like Lines Of Code, Cyclomatic Complexity, and Depth of Inheritance Tree to keep an eye on the maintainability of a .NET solution.

    To do that, we’ve used NDepend – I know, it’s WAY too powerful to be used only for those metrics. It’s like using a bazooka to kill a bee 🐝. But still, it was nice to try it out with a realistic project.

    So, NDepend is incredibly useful for managing complex projects – it’s quite expensive, but in the long run, it may help you save money.

    Have you already used it?

    Do you keep track of maintainability metrics?

    Happy coding!

    🐧




  • Recreating Palmer’s Draggable Product Grid with GSAP




    One of the best ways to learn is by recreating an interaction you’ve seen out in the wild and building it from scratch. It pushes you to notice the small details, understand the logic behind the animation, and strengthen your problem-solving skills along the way.

    So today we’ll dive into rebuilding the smooth, draggable product grid from the Palmer website, originally crafted by Uncommon with Kevin Masselink, Alexis Sejourné, and Dylan Brouwer. The goal is to understand how this kind of interaction works under the hood and code the basics from scratch.

    Along the way, you’ll learn how to structure a flexible grid, implement draggable navigation, and add smooth scroll-based movement. We’ll also explore how to animate products as they enter or leave the viewport, and finish with a polished product detail transition using Flip and SplitText for dynamic text reveals.

    Let’s get started!

    Grid Setup

    The Markup

    Let’s not try to be original and, as always, start with the basics. Before we get into the animations, we need a clear structure to work with — something simple, predictable, and easy to build upon.

    <div class="container">
      <div class="grid">
        <div class="column">
          <div class="product">
            <div><img src="./public/img-3.png" /></div>
          </div>
          <div class="product">
            <div><img src="./public/img-7.png" /></div>
          </div>
          <!-- repeat -->
        </div>
        <!-- repeat -->
      </div>
    </div>

    What we have here is a .container that fills the viewport, inside of which sits a .grid divided into vertical columns. Each column stacks multiple .product elements, and every product wraps around an image. It’s a minimal setup, but it lays the foundation for the draggable, animated experience we’re about to create.

    The Style

    Now that we’ve got the structure, let’s add some styling to make the grid usable. We’ll keep things straightforward and use Flexbox instead of CSS Grid, since Flexbox makes it easier to handle vertical offsets for alternating columns. This approach keeps the layout flexible and ready for animation.

    .container {
      position: fixed;
      width: 100vw;
      height: 100vh;
      top: 0;
      left: 0;
    }
    
    .grid {
      position: absolute;
      display: flex;
      gap: 5vw;
      cursor: grab;
    }
    
    .column {
      display: flex;
      flex-direction: column;
      gap: 5vw;
    }
    
    .column:nth-child(even) {
      margin-top: 10vw;  
    }
    
    .product {
      position: relative;
      width: 18.5vw;
      aspect-ratio: 1 / 1;
    
      div {
        width: 18.5vw;
        aspect-ratio: 1 / 1;
      }
    
      img {
        position: absolute;
        width: 100%;
        height: 100%;
        object-fit: contain;
      }
    }

    Animation

    Okay, setup’s out of the way — now let’s jump into the fun part.

    When developing interactive experiences, it helps to break things down into smaller parts. That way, each piece can be handled step by step without feeling overwhelming.

    Here’s the structure I followed for this project:

    1 – Introduction / Preloader
    2 – Grid Navigation
    3 – Product’s detail view transition

    Introduction / Preloader

    First, the grid isn’t centered by default, so we’ll fix that with a small utility function. This makes sure the grid always sits neatly in the middle of the screen, no matter the viewport size.

    centerGrid() {
      const gridWidth = this.grid.offsetWidth
      const gridHeight = this.grid.offsetHeight
      const windowWidth = window.innerWidth
      const windowHeight = window.innerHeight
    
      const centerX = (windowWidth - gridWidth) / 2
      const centerY = (windowHeight - gridHeight) / 2
    
      gsap.set(this.grid, {
        x: centerX,
        y: centerY
      })
    }

    In the original Palmer reference, the experience starts with products appearing one by one in a slightly random order. After that reveal, the whole grid smoothly zooms into place.

    To keep things simple, we’ll start with both the container and the products scaled down to 0.5 and the products fully transparent. Then we animate them back to full size and opacity, adding a random stagger so the images pop in at slightly different times.

    The result is a dynamic but lightweight introduction that sets the tone for the rest of the interaction.

    intro() {
      this.centerGrid()
    
      const timeline = gsap.timeline()
    
      timeline.set(this.dom, { scale: .5 })
      timeline.set(this.products, {
        scale: 0.5,
        opacity: 0,
      })
    
      timeline.to(this.products, {
        scale: 1,
        opacity: 1,
        duration: 0.6,
        ease: "power3.out",
        stagger: { amount: 1.2, from: "random" }
      })
      timeline.to(this.dom, {
        scale: 1,
        duration: 1.2,
        ease: "power3.inOut"
      })
    }

    Grid Navigation

    The grid looks good. Next, we need a way to navigate it: GSAP’s Draggable plugin is just what we need.

    setupDraggable() {
      this.draggable = Draggable.create(this.grid, {
        type: "x,y",
        bounds: {
          minX: -(this.grid.offsetWidth - window.innerWidth) - 200,
          maxX: 200,
          minY: -(this.grid.offsetHeight - window.innerHeight) - 100,
          maxY: 100
        },
        inertia: true,
        allowEventDefault: true,
        edgeResistance: 0.9,
      })[0]
    }

    It would be great if we could add scrolling too.

    window.addEventListener("wheel", (e) => {
      e.preventDefault()
    
      const deltaX = -e.deltaX * 7
      const deltaY = -e.deltaY * 7
    
      const currentX = gsap.getProperty(this.grid, "x")
      const currentY = gsap.getProperty(this.grid, "y")
    
      const newX = currentX + deltaX
      const newY = currentY + deltaY
    
      const bounds = this.draggable.vars.bounds
      const clampedX = Math.max(bounds.minX, Math.min(bounds.maxX, newX))
      const clampedY = Math.max(bounds.minY, Math.min(bounds.maxY, newY))
    
      gsap.to(this.grid, {
        x: clampedX,
        y: clampedY,
        duration: 0.3,
        ease: "power3.out"
      })
    }, { passive: false })

    We can also make the products appear as we move around the grid.

    const observer = new IntersectionObserver((entries) => {
      entries.forEach((entry) => {
        if (entry.target === this.currentProduct) return
        if (entry.isIntersecting) {
          gsap.to(entry.target, {
            scale: 1,
            opacity: 1,
            duration: 0.5,
            ease: "power2.out"
          })
        } else {
          gsap.to(entry.target, {
            opacity: 0,
            scale: 0.5,
            duration: 0.5,
            ease: "power2.in"
          })
        }
      })
    }, { root: null, threshold: 0.1 })

    Product’s detail view transition

    When you click on a product, an overlay opens and displays the product’s details.
    During this transition, the product’s image animates smoothly from its position in the grid to its position inside the overlay.

    We build a simple overlay with minimal structure and styling and add an empty <div> that will contain the product image.

    <div class="details">
      <div class="details__title">
        <p>The title</p>
      </div>
      <div class="details__body">
        <div class="details__thumb"></div>
        <div class="details__texts">
          <p>Lorem ipsum dolor, sit amet consectetur adipisicing elit...</p>
        </div>
      </div>
    </div>

    .details {
      position: absolute;
      top: 0;
      left: 0;
      width: 50vw;
      height: 100vh;
      padding: 4vw 2vw;
      background-color: #FFF;
    
      transform: translate3d(50vw, 0, 0);
    }
    
    .details__thumb {
      position: relative;
      width: 25vw;
      aspect-ratio: 1 / 1;
      z-index: 3;
      will-change: transform;
    }
    
    /* etc */

    To achieve this effect, we use GSAP’s Flip plugin. This plugin makes it easy to animate elements between two states by calculating the differences in position, size, scale, and other properties, then animating them seamlessly.

    We capture the state of the product image, move it into the details thumbnail container, and then animate the transition from the captured state to its new position and size.

    showDetails(product) {
      gsap.to(this.dom, {
        x: "50vw",
        duration: 1.2,
        ease: "power3.inOut",
      })
    
      gsap.to(this.details, {
        x: 0,
        duration: 1.2,
        ease: "power3.inOut",
      })
    
      this.flipProduct(product)
    }
    
    flipProduct(product) {
      this.currentProduct = product
      this.originalParent = product.parentNode
    
      if (this.observer) {
        this.observer.unobserve(product)
      }
    
      const state = Flip.getState(product)
      this.detailsThumb.appendChild(product)
    
      Flip.from(state, {
        absolute: true,
        duration: 1.2,
        ease: "power3.inOut",
      });
    }

    We can add different text-reveal animations when a product’s details are shown, using the SplitText plugin.

    const splitTitles = new SplitText(this.titles, {
      type: "lines, chars",
      mask: "lines",
      charsClass: "char"
    })
    
    const splitTexts = new SplitText(this.texts, {
      type: "lines",
      mask: "lines",
      linesClass: "line"
    })
    
    gsap.to(splitTitles.chars, {
      y: 0,
      duration: 1.1,
      delay: 0.4,
      ease: "power3.inOut",
      stagger: 0.025
    });
    
    gsap.to(splitTexts.lines, {
      y: 0,
      duration: 1.1,
      delay: 0.4,
      ease: "power3.inOut",
      stagger: 0.05
    });

    Final thoughts

    I hope you enjoyed following along and picked up some useful techniques. Of course, there’s always room for further refinement—like experimenting with different easing functions or timing—but the core ideas are all here.

    With this approach, you now have a handy toolkit for building smooth, draggable product grids or even simple image galleries. It’s something you can adapt and reuse in your own projects, and a good reminder of how much can be achieved with GSAP and its plugins when used thoughtfully.

    A huge thanks to Codrops and to Manoela for giving me the opportunity to share this first article here 🙏 I’m really looking forward to hearing your feedback and thoughts!

    See you around 👋




  • Operation HanKook Phantom: APT37 Spear-Phishing Campaign


    Table of Contents:

    • Introduction
    • Threat Profile
    • Infection Chain
    • Campaign-1
      • Analysis of Decoy:
      • Technical Analysis
      • Fingerprint of ROKRAT’s Malware
    • Campaign-2
      • Analysis of Decoy
      • Technical analysis
      • Detailed analysis of Decoded tony31.dat
    • Conclusion
    • Seqrite Protections
    • MITRE Att&ck:
    • IoCs

    Introduction:

    Seqrite Lab has uncovered a campaign in which threat actors are leveraging the “국가정보연구회 소식지 (52호)” (National Intelligence Research Society Newsletter – Issue 52) as a decoy document to lure victims. The attackers distribute this legitimate-looking PDF together with a malicious LNK (Windows shortcut) file named 국가정보연구회 소식지(52호).pdf.LNK, which is typically added to the same archive or disguised as a related file. Once the LNK file is executed, it triggers a payload download or command execution, enabling the attacker to compromise the system.

    The primary targets appear to be individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers in the newsletter. The attackers likely aim to steal sensitive information, establish persistence, or conduct espionage.

    Threat Profile:

    Our investigation has identified the involvement of APT-37, also referred to as InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper, or Ricochet Chollima. This threat actor is a North Korean state-backed cyber espionage group operational since at least 2012. While their primary focus has been on targets within South Korea, their activities have also reached nations such as Japan, Vietnam, and various countries across Asia and the Middle East. APT-37 is particularly known for executing sophisticated spear-phishing attacks.

    Targeted countries:

    • South Korea
    • Japan
    • Vietnam
    • Russia
    • Nepal
    • China
    • India
    • Romania
    • Kuwait
    • Middle East

    APT-37 has been observed targeting North Korea through spear-phishing campaigns using various decoy documents. These include files such as “러시아 전장에 투입된 인민군 장병들에게.hwp” (To North Korean Soldiers Deployed to the Russian Battlefield.hwp), “국가정보와 방첩 원고.lnk” (National Intelligence and Counterintelligence Manuscript.lnk), and the most recent sample, which is analyzed in detail in this report.

    Infection Chain:

    Campaign 1:

    Analysis of Decoy:

    The document “국가정보연구회 소식지 (52호)” (“National Intelligence Research Society Newsletter—Issue 52”) is a monthly or periodic internal newsletter issued by a South Korean research group focused on national intelligence, labour relations, security, and energy issues.

    The document informs members of upcoming seminars, events, research topics, and organizational updates, including financial contributions and reminders. It reflects ongoing academic and policy-oriented discussions about national security, labour, and North-South Korea relations, considering current events and technological developments like AI.

    Threat actors leveraged the decoy document as a delivery mechanism for targeted attacks, disseminating it to specific authorities as part of a broader spear-phishing campaign. This tactic exploits trust to gain unauthorized access to sensitive systems or information.

    Targeted Government Sectors:

    • National Intelligence Research Association (국가정보연구회)
    • Kwangwoon University
    • Korea University
    • Institute for National Security Strategy
    • Central Labor Economic Research Institute
    • Energy Security and Environment Association
    • Republic of Korea National Salvation Spirit Promotion Association
    • Yangjihoe (Host of Memorial Conference)
    • Korea Integration Strategy

    Technical Analysis:

    After downloading the LNK file named 국가정보연구회 소식지(52).pdf.lnk and executing it in our test environment, we observed the following chain of execution using Procmon.

    The LNK file contains embedded PowerShell scripts that extract and execute additional payloads at runtime.

    This script searches for .lnk files, opens them in binary mode, reads the embedded payload data from them, extracts multiple file contents (including a disguised .pdf and additional payloads), and writes them to disk (as aio0.dat, aio1.dat, and aio1+3.b+la+t).

    This block reads specific binary chunks from offsets in the .lnk file:

    • Offset 0x0000102C: likely fake PDF (decoy)
    • Offset 0x0007EDC1: payload #1 (dat)
    • Offset 0x0015A851: string (commands/script)
    • Offset 0x0015AED2: another payload (aio1+3.b+la+t)

    It stores them as:

    • $pdfPath – saved as the .pdf decoy
    • $exePath – saved as a .dat file, possibly the loader binary
    • $executePath – saved as aio1+3.b+la+t, the final malicious payload

    This executes a batch script (aio03.bat) dropped in the %TEMP% folder.

    As per our analysis, the attack starts with a malicious .lnk file containing hidden payloads at specific binary offsets. When executed, PowerShell scans for such .lnk files, extracts a decoy PDF and three embedded payloads (aio1.dat, aio2.dat, and aio1+3.b+la+t), and saves them in %TEMP%. A batch script (aio03.bat) is then executed to trigger the next stage, where PowerShell reads and decodes a UTF-8 encoded script from aio02.dat and runs it in memory using Invoke-Command. This leads to the execution of aio1.dat, the final payload, completing the multi-stage infection chain.
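As an added triage example (not code from the report), the following Python scanner applies the observations above to a .lnk file: it validates the Shell Link header, then looks for embedded file magics after the header (a PDF decoy, a PE image with a valid e_lfanew) and reports their offsets, the way this campaign's payloads sit at fixed offsets inside the shortcut. The sample .lnk is constructed in the code and carries no real payload; the size threshold is an assumption.

```python
import struct
from typing import Dict, List, Tuple

# Magics of the file types this campaign embeds (decoy PDF, PE loader) plus ZIP.
# Constructed mapping for this example; extend for other containers seen in triage.
EMBEDDED_MAGICS = {b"%PDF-": "pdf", b"MZ": "pe", b"PK\x03\x04": "zip"}

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Ordinary shortcuts are a few KB; this threshold is an assumed triage heuristic.
SUSPICIOUS_SIZE = 64 * 1024


def is_lnk(data: bytes) -> bool:
    """True when the buffer starts with a valid Shell Link header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def _is_pe_at(data: bytes, pos: int) -> bool:
    """'MZ' alone is noisy: require a PE\\0\\0 signature at the DOS header's e_lfanew."""
    if pos + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
    return data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00"


def find_embedded(data: bytes) -> List[Tuple[int, str]]:
    """Offsets and kinds of embedded-file magics found after the shortcut header."""
    hits = []
    for magic, kind in EMBEDDED_MAGICS.items():
        pos = data.find(magic, LNK_HEADER_SIZE)
        while pos != -1:
            if kind != "pe" or _is_pe_at(data, pos):
                hits.append((pos, kind))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def triage_lnk(data: bytes) -> Dict:
    """Verdict for one .lnk buffer: header validity, size anomaly, embedded payloads."""
    valid = is_lnk(data)
    embedded = find_embedded(data) if valid else []
    oversized = len(data) > SUSPICIOUS_SIZE
    return {
        "valid_lnk": valid,
        "oversized": oversized,
        "embedded": embedded,
        "suspicious": valid and (oversized or bool(embedded)),
    }


def build_sample_lnk() -> bytes:
    """Constructed sample (not a real malware file): a minimal LNK header followed by
    a fake decoy PDF and a fake PE header, laid out like the campaign's loader."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID).ljust(LNK_HEADER_SIZE, b"\x00")
    pe = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", 0x80)   # e_lfanew -> 0x80
    pe = pe.ljust(0x80, b"\x00") + b"PE\x00\x00" + b"\x00" * 0x10
    return (header
            + b"\x00" * 0x200                          # stand-in for shortcut structures
            + b"%PDF-1.4\n%decoy\n" + b"\x00" * 0x100  # fake decoy PDF at 0x24C
            + pe)                                      # fake PE image at 0x35C
```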

    The PowerShell script in aio02.dat represents the final in-memory execution stage of the malware chain and is a clear example of fileless execution via PowerShell with reflective DLL injection.

    It tries to open the file aio01.dat (previously dropped to %TEMP%) and reads its binary content into $exeFile byte array.

    $k = '5'                                   # single-byte XOR key (0x35)
    $len = $exeFile.Length
    $newExeFile = New-Object byte[] $len
    for ($i = 0; $i -lt $len; $i++) {
        $newExeFile[$i] = $exeFile[$i] -bxor $k[0]   # $k[0] is the char '5'
    }

    The payload is XOR-encrypted with a single-byte key (0x35, which is ASCII ‘5’). This loop decodes the encrypted binary into $newExeFile.

    The aio02.dat file contains a PowerShell script that performs in-memory execution of a final payload (aio01.dat). It reads the XOR-encrypted binary (aio01.dat) from the %TEMP% directory, decrypts it using a single-byte XOR key (0x35), and uses Windows API functions (GlobalAlloc, VirtualProtect, CreateThread, WaitForSingleObject) to allocate memory, make it executable, inject the decoded binary, and execute it—all without dropping another file to disk.

    Detailed Analysis of the Extracted EXE file:

    Fingerprint of ROKRAT’s Malware

    The function is building a host fingerprint string set, containing:

    • Architecture flag (WOW64 or not)
    • Computer name
    • Username
    • Path to malware binary
    • BIOS / Manufacturer info

    Anti VM

    This function checks whether the system runs in a virtual machine, sandbox, or analysis environment. In our case, it looks for the VMware Tools service binary:

    "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"

    The function sub_40EA2C is likely used as an environment or privilege check. It tries to create and delete a randomly named .dat file in the Windows system directory, which typically requires administrative privileges. If this operation succeeds, it suggests the program is running in a real user environment with sufficient permissions. However, if it fails, it may indicate a restricted environment such as a sandbox or virtual machine used for malware analysis.

    Screenshot Capture

    The function sub_40E40B appears to capture a screenshot, process the image in memory, and possibly encode or transmit the image data.

    ROKRAT Commands

    Each command is identified by a single character. Some of the commands take arguments, which are supplied immediately after the command ID character. After the command is determined, the code parses the arguments according to the command type. The following sections list the commands we discovered in ROKRAT, together with their expected arguments and actions:

    Command 1 to 4

    The shellcode is retrieved from the C2 server and executed via CreateThread. Execution status—either “Success” or “Failed”—is logged to a file named r.txt. In parallel, detailed system information from the victim’s machine is gathered and transmitted back to the command-and-control (C&C) server.


    Command 5 to 9

    The malware first initializes cloud provider information, which is likely part of setting up communication with the command-and-control (C2) server. It then proceeds to download a PE (Portable Executable) file from the C2 server. The downloaded file is saved with the name KB400928_doc.exe, consistent with the naming convention used in earlier steps. Once the file is saved locally, the malware immediately executes it.


    Command C – Exfiltrate Files

    Searches for files in the specified file or directory path based on the provided extensions—either all files, common document types (e.g., doc, xls, ppt, txt, m4a, amr, pdf, hwp), or user-defined extensions. The located files are then uploaded to the C&C server.

    Command E – Run a Command

    Executes the specified command using cmd.exe, allowing remote execution of arbitrary system commands.


    Command H – Enumerate Files on Drives

    Gathers file and directory information from available drives by executing the command dir /A /S : >> "%temp%\\_.TMP", which recursively lists all files and folders and stores the output in a temporary file.

    Command ‘i’ – Mark Data as Ready for Exfiltration

    Collected data is ready to be sent to the command and control (C2) server.

    Command ‘j’ or ‘b’ – Terminate Malware Execution

    Initiates a shutdown procedure, causing the malware to stop all operations and terminate its process.

    C2C connection

    RokRat leverages cloud services such as pCloud, Yandex, and Dropbox as command and control (C2) channels. Through these channels it can exfiltrate stolen data, retrieve additional payloads, and execute remote commands with minimal detection.


    Provider      Function                 Obfuscated URL
    Dropbox       list_folder              hxxps://api.dropboxapi[.]com/2/files/list_folder
    Dropbox       upload                   hxxps://content.dropboxapi[.]com/2/files/upload
    Dropbox       download                 hxxps://content.dropboxapi[.]com/2/files/download
    Dropbox       delete                   hxxps://api.dropboxapi[.]com/2/files/delete
    pCloud        listfolder               hxxps://api.pcloud[.]com/listfolder?path=%s
    pCloud        uploadfile               hxxps://api.pcloud[.]com/uploadfile?path=%s&filename=%s&nopartial=1
    pCloud        getfilelink              hxxps://api.pcloud[.]com/getfilelink?path=%s&forcedownload=1&skipfilename=1
    pCloud        deletefile               hxxps://api.pcloud[.]com/deletefile?path=%s
    Yandex.Disk   list folder (limit)      hxxps://cloud-api.yandex[.]net/v1/disk/resources?path=%s&limit=500
    Yandex.Disk   upload                   hxxps://cloud-api.yandex[.]net/v1/disk/resources/upload?path=%s&overwrite=%s
    Yandex.Disk   download                 hxxps://cloud-api.yandex[.]net/v1/disk/resources/download?path=%s
    Yandex.Disk   permanently delete       hxxps://cloud-api.yandex[.]net/v1/disk/resources?path=%s&permanently=%s


    Campaign 2:

    Analysis of Decoy:

    Threat Actors are utilizing this document, which is a statement issued by Kim Yō-jong, the Vice Department Director of the Central Committee of the Workers’ Party of Korea (North Korea), dated July 28, and reported by the Korean Central News Agency (KCNA).

    This statement marks a sharp and formal rejection by North Korea of any reconciliation efforts from South Korea, particularly under the government of President Lee Jae-myung. It strongly criticizes the South’s attempts to improve inter-Korean relations, labelling them as meaningless or hypocritical, and asserts.

    North Korea also expressed no interest in any future dialogue or proposals from South Korea, stating that the country will no longer engage in talks or cooperation.

    The statement concluded by reaffirming North Korea’s hostile stance toward South Korea, emphasizing that the era of national unity is over, and future relations will be based on confrontation, not reconciliation.

    Targeted Government organization:

    • South Korean Government (李在明政府 – Lee Jae-myung administration)
    • Ministry of Unification (統一部)
    • Workers’ Party of Korea (朝鮮労働党中央委員会)
    • Korean Central News Agency (KCNA / 朝鮮中央通信)
    • U.S.–South Korea Military Alliance (韓米同盟)
    • Asia-Pacific Economic Cooperation (APEC)

    Technical Analysis:

    Upon analysing the second LNK file, which we found while hunting on VirusTotal, we observed the same execution chain as previously seen when running the file.

    The LNK file drops a decoy document named file.doc and creates the following artifacts in the %TEMP% directory. After dropping these files, the LNK file deletes itself from the parent directory to evade detection and hinder forensic analysis.

    As observed in our previous campaign, the same set of files is also being used here. However, this time the files have been renamed—likely to random or arbitrary names—to evade detection or hinder analysis.

    Looking into the batch file, which is named tony33.bat, we see that it is highly obfuscated and contains PowerShell execution code. After decoding, the content can be seen in the snapshot below.

    The file tony32.dat contains a Base64-encoded PowerShell payload that serves as the core malicious component of the attack. The accompanying .bat/PowerShell loader is designed to read this file from the system’s temporary directory, decode its contents twice—first converting the raw bytes to a UTF-8 string, then Base64-decoding that string back into executable PowerShell code—and finally execute the decoded payload directly in memory. This fileless execution technique allows the attackers to run malicious code without writing the final script to disk, making it harder for traditional security solutions to detect or block the activity.

    Upon analysing and decoding the tony32.dat file, we observed that it contains a Base64-encoded string, as shown below:

    After decoding the string, we found that the file is a memory-injection loader: it reads an XOR-encrypted binary from tony31.dat, decrypts it, and executes it directly in memory using Windows API calls.

    $exePath = $env:temp + '\tony31.dat';
    $exeFile = Get-Content -path $exePath -encoding byte;

    Loads tony31.dat as raw bytes from the system's Temp folder.

    $xK = '7';                                  # single-byte XOR key (0x37)
    $len = $exeFile.Length;
    $newExeFile = New-Object byte[] $len;
    for($i=0; $i -lt $len; $i++) {
        $newExeFile[$i] = $exeFile[$i] -bxor $xK[0];
    }

    Each byte is XOR-decoded using the key 0x37 (ASCII '7').

    $buffer = $b::GlobalAlloc(0x0040, $byteCount + 0x100);
    $a90234sb::VirtualProtect($buffer, $byteCount + 0x100, 0x40, [ref]$old);

    Allocates a memory buffer with executable permissions.

    • tony31.dat = Encrypted malicious executable (XOR with '7')
    • The script decrypts it entirely in memory (no file drop to disk)
    • Uses direct Windows API calls to allocate and execute memory (fileless execution).
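Both loaders described above (aio01.dat XORed with '5' in campaign 1, tony31.dat XORed with '7' here) use a single-byte XOR that an analyst can undo without running the script: XOR with a constant preserves the PE layout, so trying all 256 keys and checking for the MZ/PE signature recovers the key and the staged binary for hashing and static analysis. This is an added triage example, not code from the report; the sample payload is a constructed minimal PE header, not a real executable.

```python
import struct
from typing import Optional

# Text every MSVC-linked PE carries in its DOS stub; a second, independent signal.
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def looks_like_pe(data: bytes) -> bool:
    """Structural PE check: MZ magic plus a PE\\0\\0 signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_single_byte(data: bytes, key: int) -> bytes:
    """The loaders' transform: every byte XORed with one key byte (its own inverse)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 keys on the first 1 KiB and return the one that exposes a PE.
    Only the head is decoded per candidate, so large blobs stay cheap to test."""
    head = blob[:0x400]
    for key in range(256):
        candidate = xor_single_byte(head, key)
        if looks_like_pe(candidate) or DOS_STUB_TEXT in candidate:
            return key
    return None


def recover_payload(blob: bytes) -> Optional[bytes]:
    """Decode the whole blob with the recovered key, for hashing and static analysis."""
    key = recover_xor_key(blob)
    return None if key is None else xor_single_byte(blob, key)


def build_sample_pe() -> bytes:
    """Constructed stand-in for the staged binary before encryption: a minimal DOS
    header, DOS stub text and PE signature. It is a header only, not a program."""
    dos_header = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", 0x80)  # e_lfanew = 0x80
    dos_stub = DOS_STUB_TEXT.ljust(0x40, b"\x00")
    return dos_header + dos_stub + b"PE\x00\x00" + b"\x00" * 0x20
```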

    Detailed analysis of Decoded tony31.dat:

    Upon analysis of the extracted EXE, we found that this malware acts as a dropper/launcher: it downloads (or drops) a file named abs.tmp into the temp directory and loads its contents.
    It then executes the payload through PowerShell and deletes the staging file to cover its tracks.

    Data Exfiltration

    Malware doesn’t always force its way into systems — sometimes it operates quietly, collecting sensitive data and disappearing without a trace. In this case, two functions, sub_401360 and sub_4021F0, work in tandem to execute a stealthy data exfiltration routine.

    The first function scans a specific Temp directory on the victim’s machine (C:\Users\<username>\AppData\Local\Temp\{502C2E2E-…}), identifying all non-directory files. Each discovered file path is then passed to the second function, which opens the file, reads its contents into memory, and packages it into a browser-style multipart/form-data HTTP POST request.

    Disguised as a PDF upload, the request includes the victim’s computer name and a timestamp, and is sent to a hardcoded C2 server at:

    hxxp://daily.alltop.asia/blog/article/up2.php

    Once the file is successfully exfiltrated, it is deleted from the local system, effectively erasing evidence and complicating recovery efforts. This “scan → steal → delete” workflow is designed to be covert — the network traffic mimics a legitimate Chrome file upload, complete with a WebKitFormBoundary string and a fake MIME type (application/pdf) to evade basic content filters.

    The stolen files can include cached documents, authentication tokens, downloaded content, or staging files from other malware. To detect such activity, defenders should monitor outbound HTTP POST requests to unfamiliar domains, flag inconsistencies between file extensions and MIME types, and watch for bulk deletions in Temp directories.

    Connecting to the C2C server and downloading the payload

    The captured packet confirms what the functions sub_4020D0 and sub_401F80 implement: the malware builds an HTTP GET request to its C2 server at daily.alltop.asia, targeting /blog/article/d2.php?downfname=<filename>&crc32=<value>, where the filename is victim-specific (e.g., abs.tmp) and the CRC value is set to zero. It sends the request with realistic browser-like headers, including a spoofed Chrome User-Agent, Accept, Language, and Keep-Alive, to blend in with normal traffic. The request goes out via WinINet; the response (typically a short command or acknowledgment) is optionally stored in a buffer, the code sleeps briefly, and a second request is then issued to /blog/article/del2.php?delfname=<filename> without reading the reply, effectively telling the server to delete the staged file and reduce evidence. Together, these functions implement a lightweight download-and-cleanup beacon that uses a legitimate-looking HTTP session to disguise C2 communication.

    C2C: hxxp://daily.alltop.asia/blog/article/d2.php?downfname=abs.tmp&crc32=0
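The exfiltration POST and the download/delete beacon described above can both be checked from captured HTTP requests. The following added Python example (not the malware's or Seqrite's code) parses a raw request, flags a multipart part whose declared application/pdf type does not start with the PDF magic, and flags a crc32=0 download to d2.php followed by a del2.php delete. The host name and the uploaded payload are constructed placeholders.

```python
import re
from typing import Dict, List

# Declared MIME type -> magic bytes a genuine file of that type starts with.
# Constructed mapping for this example; extend as needed.
MAGIC = {"application/pdf": b"%PDF-"}

# Request-target patterns of the beacon described above (download, then delete).
BEACON_DOWNLOAD = re.compile(r"/d2\.php\?downfname=[^&\s]+&crc32=0\b")
BEACON_DELETE = re.compile(r"/del2\.php\?delfname=")


def parse_request(raw: bytes) -> Dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _ = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def multipart_parts(body: bytes, boundary: str) -> List[Dict]:
    """Return each part's headers and payload from a multipart/form-data body."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):
            break                                   # closing delimiter reached
        phead, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        pheaders = {}
        for line in phead.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            pheaders[name.strip().lower()] = value.strip()
        parts.append({"headers": pheaders, "payload": payload.rstrip(b"\r\n")})
    return parts


def analyze_upload(raw: bytes) -> List[str]:
    """Flag multipart uploads whose declared MIME type disagrees with the payload."""
    req = parse_request(raw)
    ctype = req["headers"].get("content-type", "")
    if req["method"] != "POST" or "multipart/form-data" not in ctype:
        return []
    m = re.search(r"boundary=([^;]+)", ctype)
    if not m:
        return ["multipart POST without a boundary parameter"]
    findings = []
    for part in multipart_parts(req["body"], m.group(1).strip().strip('"')):
        declared = part["headers"].get("content-type", "")
        magic = MAGIC.get(declared)
        if magic and not part["payload"].startswith(magic):
            findings.append(f"{req['target']}: part declared {declared} "
                            f"but starts with {part['payload'][:8]!r}")
    return findings


def analyze_beacon_sequence(requests: List[bytes]) -> bool:
    """True when a crc32=0 download request is later followed by the delete request."""
    seen_download = False
    for raw in requests:
        req = parse_request(raw)
        if req["method"] != "GET":
            continue
        if BEACON_DOWNLOAD.search(req["target"]):
            seen_download = True
        elif seen_download and BEACON_DELETE.search(req["target"]):
            return True
    return False


def sample_upload(payload: bytes = b"session=eyJhbGciOi...") -> bytes:
    """Constructed request shaped like the exfiltration POST described above.
    The host is a placeholder, not the real C2, and the payload is fake data."""
    boundary = "----WebKitFormBoundaryExample123"
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
        "Content-Type: application/pdf\r\n\r\n"
    ).encode() + payload + f"\r\n--{boundary}--\r\n".encode()
    return (
        "POST /blog/article/up2.php HTTP/1.1\r\n"
        "Host: c2-placeholder.invalid\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode() + body
```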


    After downloading the payload, it tries to save it under a benign filename like `abs.tmp`.

    Once the file is created, the program opens it using `CreateFileW`, checks its size, and allocates a buffer—rejecting files larger than 128 MB. It then reads the file’s contents into memory.

    If the file contains data, it calls `sub_402620`, which likely performs validation or de-obfuscation, such as checking for magic bytes, verifying a checksum, or decrypting the payload.

    Upon successful validation, the program constructs a PowerShell command line. It initializes a `STARTUPINFOA` structure and a zeroed `PROCESS_INFORMATION` structure.

    The command line begins with `"powershell "` and appends an encoded or packed payload extracted from the file using `sub_401280(&CommandLine[11], nSize[1], v15, nSize[1])`. This function likely embeds the payload using techniques like Base64 encoding or inline scripting with `-EncodedCommand`.

    Finally, the program executes the PowerShell command via `CreateProcessA`, waits for 2 seconds (`Sleep(0x7D0)`), and deletes `abs.tmp` using `DeleteFileW` to clean up traces.

    Conclusion:

    The analysis of this campaign highlights how APT37 (ScarCruft/InkySquid) continues to employ highly tailored spear-phishing attacks, leveraging malicious LNK loaders, fileless PowerShell execution, and covert exfiltration mechanisms. The attackers specifically target South Korean government sectors, research institutions, and academics with the objective of intelligence gathering and long-term espionage.

    We have named this campaign Operation HanKook Phantom for two reasons: “HanKook” (한국) is the Korean name for Korea and directly signifies the targeting of Korea, while “Phantom” represents the stealthy and evasive techniques used throughout the infection chain, including in-memory execution, disguised decoys, and hidden data exfiltration routines. This name reflects both the strategic targeting and the clandestine nature of the operation.

    Overall, Operation HanKook Phantom demonstrates the persistent threat posed by North Korean state-sponsored actors, reinforcing the need for proactive monitoring, advanced detection of LNK-based delivery, and vigilance against misuse of cloud services for command-and-control.

    Seqrite Protection:

    • Trojan.49901.GC
    • trojan.49897.GC

    MITRE Att&ck:

    Tactic                 Technique
    Initial Access         T1566.001 Spearphishing Attachment
    Execution              T1059.001 Command and Scripting Interpreter: PowerShell
    Execution              T1204.001 User Execution: Malicious Link
    Execution              T1204.002 User Execution: Malicious File
    Persistence            T1574.001 Hijack Execution Flow: DLL
    Persistence            T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    Privilege Escalation   T1055.001 Process Injection: Dynamic-link Library Injection
    Privilege Escalation   T1055.009 Process Injection: Proc Memory
    Privilege Escalation   T1053.005 Scheduled Task/Job: Scheduled Task
    Defense Evasion        T1140 Deobfuscate/Decode Files or Information
    Defense Evasion        T1070.004 Indicator Removal: File Deletion
    Defense Evasion        T1027.009 Obfuscated Files or Information: Embedded Payloads
    Defense Evasion        T1027.013 Obfuscated Files or Information: Encrypted/Encoded File
    Credential Access      T1056.002 Input Capture: Keylogging / GUI Input Capture
    Discovery              T1087.001 Account Discovery: Local Account
    Discovery              T1217 Browser Information Discovery
    Discovery              T1083 File and Directory Discovery
    Discovery              T1082 System Information Discovery
    Collection             T1123 Audio Capture
    Collection             T1005 Data from Local System
    Collection             T1113 Screen Capture
    Command and Control    T1102.002 Web Service: Bidirectional Communication
    Exfiltration           T1041 Exfiltration Over C2 Channel
    Impact                 T1529 System Shutdown/Reboot


    IOCs:

    MD5 File Name
    1aec7b1227060a987d5cb6f17782e76e aio02.dat
    591b2aaf1732c8a656b5c602875cbdd9 aio03.bat
    d035135e190fb6121faa7630e4a45eed aio01.dat
    cc1522fb2121cf4ae57278921a5965da *.Zip
    2dc20d55d248e8a99afbe5edaae5d2fc tony31.dat
    f34fa3d0329642615c17061e252c6afe tony32.dat
    051517b5b685116c2f4f1e6b535eb4cb tony33.bat
    da05d6ab72290ca064916324cbc86bab *.LNK
    443a00feeb3beaea02b2fbcd4302a3c9 북한이탈주민의 성공적인 남한정착을 위한 아카데미 운영.lnk
    f6d72abf9ca654a20bbaf23ea1c10a55 국가정보와 방첩 원고.lnk

    Authors: 

    Dixit Panchal
    Kartik Jivani
    Soumen Burma




  • The First AI-Powered Ransomware & How It Works


    Introduction

    AI-powered malware has become quite a trend now. We have always been discussing how threat actors could perform attacks by leveraging AI models, and here we have a PoC demonstrating exactly that. Although it has not yet been observed in active attacks, who knows if it isn’t already being weaponized by threat actors to target organizations?

    We are talking about PromptLock, shared by ESET Research. PromptLock is the first known AI-powered ransomware. It leverages Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption. These Lua scripts are cross-platform compatible, functioning on Windows, Linux, and macOS. For file encryption, PromptLock utilizes the SPECK 128-bit encryption algorithm.

    Ransomware itself is already one of the most dangerous categories of malware. When created using AI, it becomes even more concerning. PromptLock leverages large language models (LLMs) to dynamically generate malicious scripts. These AI-generated Lua scripts drive its malicious activity, making them flexible enough to work across Windows, Linux, and macOS.

    Technical Overview:

    The malware is written in Go (Golang) and communicates with a locally hosted LLM through the Ollama API.

    On execution, the malware can be observed connecting to the locally hosted LLM through the Ollama API.

    It identifies whether the infected machine is a personal computer, server, or industrial controller. Based on this classification, PromptLock decides whether to exfiltrate, encrypt, or destroy data.

    The sample is notable not only for its sophistication: the entire LLM prompts are embedded in the code itself. It uses the SPECK 128-bit encryption algorithm in ECB mode.

    The encryption key is stored in the key variable as four 32-bit little-endian words: local key = {key[1], key[2], key[3], key[4]}. This gets dynamically generated as shown in the figure:

    It begins infection by scanning the victim’s filesystem and building an inventory of candidate files, writing the results into scan.log.

    It also scans the user’s home directory to identify files containing potentially sensitive or critical information (e.g., PII). The results are stored in target_file_list.log

    PromptLock likely first creates scan.log to record discovered files and then narrows this into target.log, which defines the set to encrypt. Samples also generate files like payloads.txt for metadata or staging. Once targets are set, each file is encrypted in 16-byte chunks using SPECK-128 in ECB mode, overwriting contents with ciphertext.
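To make the ECB point concrete, here is an added Speck128/128 implementation in Python (an assumption about the exact variant: 16-byte block and 16-byte key, which matches the 16-byte chunks; this is not PromptLock's Lua code), checked against the designers' published test vector. ecb_encrypt processes each chunk independently, and repeated_blocks shows why that leaks structure: identical plaintext chunks always produce identical ciphertext chunks.

```python
from typing import List

MASK64 = (1 << 64) - 1
ALPHA, BETA, ROUNDS = 8, 3, 32   # Speck128/128 rotation amounts and round count
BLOCK = 16                       # the 16-byte chunk size mentioned above


def _ror(x: int, r: int) -> int:
    return ((x >> r) | (x << (64 - r))) & MASK64


def _rol(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & MASK64


def expand_key(key: bytes) -> List[int]:
    """Speck128/128 key schedule: 16-byte key -> 32 round keys.
    Words are little-endian, following the designers' reference implementation."""
    k = int.from_bytes(key[:8], "little")
    l = int.from_bytes(key[8:16], "little")
    round_keys = [k]
    for i in range(ROUNDS - 1):
        l = ((_ror(l, ALPHA) + k) & MASK64) ^ i
        k = _rol(k, BETA) ^ l
        round_keys.append(k)
    return round_keys


def encrypt_block(block: bytes, rk: List[int]) -> bytes:
    """One 16-byte block: y is the low word (bytes 0..7), x the high word."""
    y = int.from_bytes(block[:8], "little")
    x = int.from_bytes(block[8:16], "little")
    for k in rk:
        x = ((_ror(x, ALPHA) + y) & MASK64) ^ k
        y = _rol(y, BETA) ^ x
    return y.to_bytes(8, "little") + x.to_bytes(8, "little")


def decrypt_block(block: bytes, rk: List[int]) -> bytes:
    """Inverse of encrypt_block: undo the rounds in reverse order."""
    y = int.from_bytes(block[:8], "little")
    x = int.from_bytes(block[8:16], "little")
    for k in reversed(rk):
        y = _ror(y ^ x, BETA)
        x = _rol(((x ^ k) - y) & MASK64, ALPHA)
    return y.to_bytes(8, "little") + x.to_bytes(8, "little")


def _chunks(data: bytes) -> List[bytes]:
    if len(data) % BLOCK:
        raise ValueError("this ECB example expects whole 16-byte chunks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data: bytes, key: bytes) -> bytes:
    """Each chunk is encrypted independently with the same key: no IV and no
    chaining, so equal plaintext chunks give equal ciphertext chunks."""
    rk = expand_key(key)
    return b"".join(encrypt_block(c, rk) for c in _chunks(data))


def ecb_decrypt(data: bytes, key: bytes) -> bytes:
    rk = expand_key(key)
    return b"".join(decrypt_block(c, rk) for c in _chunks(data))


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext chunks that duplicate an earlier one. Under ECB this
    equals the number of repeated plaintext chunks, so structure such as zero
    padding or repeated records stays visible in the encrypted file."""
    chunks = _chunks(ciphertext)
    return len(chunks) - len(set(chunks))
```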

    After encryption, it generates ransom notes dynamically. These notes may include specific details such as a Bitcoin address (1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa, which is the first Bitcoin address ever created) and a ransom amount. As it is a PoC, no real data is present.

    PromptLock’s CLI and scripts rely on:

    • model=gpt-oss:20b
    • com/PeerDB-io/gluabit32
    • com/yuin/gopher-lua
    • com/gopher-lfs

    It also prints several required keys in lowercase (formatted as “key: value”), including:

    • os
    • username
    • home
    • hostname
    • temp
    • sep
    • cwd

    Implementation guidance:

    – environment variables:
    username: os.getenv("USERNAME") or os.getenv("USER")
    home: os.getenv("USERPROFILE") or os.getenv("HOME")
    hostname: os.getenv("COMPUTERNAME") or os.getenv("HOSTNAME") or io.popen("hostname"):read("*l")
    temp: os.getenv("TMPDIR") or os.getenv("TEMP") or os.getenv("TMP") or "/tmp"
    sep: detect from package.path (if contains "\" then "\" else "/"), default to "/"

    – os: detect from environment and path separator:
    * if os.getenv("OS") == "Windows_NT" then "windows"
    * elseif sep == "\" then "windows"
    * elseif os.getenv("OSTYPE") then use that value
    * else "unix"

    – cwd: use io.popen("pwd"):read("*l") or io.popen("cd"):read("*l") depending on OS

    Conclusion:

    It’s high time the industry started taking such malware cases seriously. If we want to beat AI-powered malware, we will have to incorporate AI-powered solutions. In the last few months, we have observed a tremendous rise in such cases; although they are PoCs, they are capable enough to be leveraged in actual attacks. This clearly signals that defensive strategies must evolve at the same pace as offensive innovations.

    How Does SEQRITE Protect Its Customers?

    • PromptLock
    • PromptLock.49912.GC

    IOCs:



    Authors:

    Shrutirupa Banerjee
    Rayapati Lakshmi Prasanna Sai
    Pranav Pravin Hondrao
    Subhajeet Singha
    Kartikkumar Ishvarbhai Jivani
    Aravind Raj
    Rahul Kumar Mishra


  • Motion Highlights #12



    Your latest roundup of exceptional motion design and animation, spotlighting talent from the global creative community.


