Blog

Elons (Proxima/Black Shadow related) ransomware attack via Oracle DBS External Jobs

Premise: As Yarix’s Incident Response Team, our responsibilities are to manage critical issues related to cyber-attacks carried out by cybercriminals, intervening promptly in order to guarantee security to victim companies and to minimize latent risks, analyzing the systems within their infrastructures and indicating precise remediation actions capable of re-establishing a state of security sufficient for normal...

Doppelganger: An Advanced LSASS Dumper with Process Cloning

GitHub Repo: https://github.com/vari-sh/RedTeamGrimoire/tree/main/Doppelganger. What is LSASS? The Local Security Authority Subsystem Service (LSASS) is a core component of the Windows operating system, responsible for enforcing the security policy on the system. LSASS is a process that runs as lsass.exe and plays a fundamental role in: User authentication: It verifies users logging into the system, interacting with authentication protocols such as NTLM...

Exploring the LockBit Panel Breach – What Logs and Chats Reveal About Ransomware-as-a-Service

On May 7, 2025, a number of domains associated with the LockBit ransomware group were subjected to a web defacement attack by an unknown individual. Visitors to the compromised domains encountered the following message, replacing the original website content: “Don’t do crime. CRIME IS BAD. xoxo from Prague”. On the same page, a file named “paneldb_dump.zip” was...

Behind The Scenes: Yarix Approach to Physical Security

TL;DR: In our experience, even organizations that you'd think are really solid often have serious gaps in their physical security—simply because they’ve never put their defenses to the test. And those that have invested heavily in technology frequently overlook the human factor, which remains one of the weakest links. In this post, we share a practical...

Inside the Attack: The Javascript Code Behind Credit Card Theft

Introduction: This paper will describe the analysis of a JavaScript script found during the activities of the Incident Response Team. The script turned out to be designed to steal credit card data and exfiltrate sensitive information during online transactions on an e-commerce site. The script was later found to be connected to a type of...

The rise of Savastan0: a look into a growing carding marketplace

Introduction: Carding is a form of fraud in which unauthorized individuals, referred to as "carders," use stolen payment card information for their own benefit. This can involve not only making unlawful withdrawals and transactions, but also selling card information to other criminals in order to make money. First of all, it is useful to take a look at...

Zyxel vulnerability exploited by “Helldown” ransomware group

Introduction: As Yarix's Incident Response Team, our responsibilities are to manage critical issues related to cyber-attacks carried out by cybercriminals, intervening promptly in order to guarantee security to victim companies and to minimize latent risks, analyzing the systems within their infrastructures and indicating precise remediation actions capable of re-establishing a state of security sufficient for normal...

Behind The Scenes: Yarix Approach to Mobile Security

TLDR: This article highlights the Yarix Red Team’s daily challenges and internal work done to improve the quality of our outcomes. We will explore the topic by taking the Mobile Security field as a case: we will start with the common reporting problems every red team faces day after day, as well as those arising...

Java – Cracking the Random: CVE-2024-29868

TL;DR: If you run a Java application with a token-based password recovery mechanism, make sure that said token isn't generated using RandomStringUtils. Spoiler: you can crack it and predict all past and future tokens generated by the application! Some Context: During a penetration test I was sifting through the internet - as one often does - looking for ways...