KEY TAKEAWAYS Since early March 2025, Volexity has observed multiple Russian threat actors aggressively targeting individuals and organizations with ties to Ukraine and human rights. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 authentication workflows. The attackers impersonate officials from various European nations, and in one instance leveraged a compromised Ukrainian Government account. Both Signal and WhatsApp are used to contact targets, inviting them to join or register for private meetings with various European political officials or for upcoming events. Some of the social engineering campaigns seek to fool victims into clicking links hosted on Microsoft 365 infrastructure. The primary tactic observed involves the attacker asking the victim to supply a Microsoft authorization code; that code grants the attacker access to the account, which is then used to join attacker-controlled devices to Entra ID (previously Azure AD) and to download emails and other account-related data. Since early March 2025, Volexity […]
Monthly Archives: April, 2025
-
Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows
April 22, 2025
by Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, Steven Adair, Tom Lancaster
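The post-compromise step in the Phishing for Codes excerpt above (a device joined to Entra ID with tokens obtained from a phished authorization code) leaves a pattern worth checking for: a device registration from an IP address that has never appeared in that user's sign-in history, typically minutes after the user's own interactive sign-in. The following is an added example, not Volexity's code or tooling. The log records are constructed to resemble Microsoft Graph signIn and directoryAudit objects; the field names, the "Register device" activity name and the example user and IP values are assumptions to be adapted to the real export being analysed.

```python
"""Toy check: Entra ID device registrations from IPs with no prior sign-in history for the user.

Added example, not Volexity's code. Records are constructed to resemble Microsoft Graph
signIn / directoryAudit objects; field names and the "Register device" activity name are
assumptions (adapt to the real export).
"""
from datetime import datetime, timedelta

# Constructed sign-in history. The phished interactive sign-in (14:02) still comes from the
# victim's own browser and IP; only the later token use and device join are attacker-side.
SIGNINS = [
    {"createdDateTime": "2025-03-01T08:00:00Z", "userPrincipalName": "analyst@example.org",
     "ipAddress": "203.0.113.10", "appDisplayName": "Example Mail Client"},
    {"createdDateTime": "2025-03-09T09:12:00Z", "userPrincipalName": "analyst@example.org",
     "ipAddress": "203.0.113.10", "appDisplayName": "Example Mail Client"},
    {"createdDateTime": "2025-03-10T14:02:00Z", "userPrincipalName": "analyst@example.org",
     "ipAddress": "203.0.113.10", "appDisplayName": "Example Public Client"},
    {"createdDateTime": "2025-03-10T10:00:00Z", "userPrincipalName": "it@example.org",
     "ipAddress": "203.0.113.20", "appDisplayName": "Example Portal"},
]

# Constructed audit records: one legitimate device join, one from an IP never seen for the user,
# and one unrelated activity that the check must ignore.
AUDITS = [
    {"activityDateTime": "2025-03-10T10:05:00Z", "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "it@example.org", "ipAddress": "203.0.113.20"}},
     "targetResources": [{"displayName": "IT-LAPTOP-07"}]},
    {"activityDateTime": "2025-03-10T14:20:00Z", "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "analyst@example.org", "ipAddress": "198.51.100.77"}},
     "targetResources": [{"displayName": "DESKTOP-3F1A"}]},
    {"activityDateTime": "2025-03-10T14:21:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "analyst@example.org", "ipAddress": "198.51.100.77"}},
     "targetResources": [{"displayName": "analyst@example.org"}]},
]


def parse_ts(value):
    """Parse the Graph-style ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def prior_signins(signins, upn, before, lookback_days=30):
    """Sign-ins for `upn` inside the lookback window ending at `before`, oldest first."""
    start = before - timedelta(days=lookback_days)
    rows = [r for r in signins if r["userPrincipalName"] == upn
            and start <= parse_ts(r["createdDateTime"]) <= before]
    return sorted(rows, key=lambda r: parse_ts(r["createdDateTime"]))


def suspicious_device_registrations(signins, audits, lookback_days=30):
    """Flag device registrations whose source IP never appeared in the user's recent sign-ins."""
    findings = []
    for ev in audits:
        if ev["activityDisplayName"] != "Register device":
            continue
        actor = ev["initiatedBy"]["user"]
        when = parse_ts(ev["activityDateTime"])
        history = prior_signins(signins, actor["userPrincipalName"], when, lookback_days)
        known_ips = {r["ipAddress"] for r in history}
        if actor["ipAddress"] in known_ips:
            continue
        # Minutes between the user's last interactive sign-in and the join: a short gap fits a
        # freshly redeemed authorization code being used from somewhere else.
        gap = None
        if history:
            gap = (when - parse_ts(history[-1]["createdDateTime"])).total_seconds() / 60
        findings.append({
            "user": actor["userPrincipalName"],
            "ip": actor["ipAddress"],
            "device": ev["targetResources"][0]["displayName"],
            "time": ev["activityDateTime"],
            "known_ips": sorted(known_ips),
            "minutes_since_last_signin": gap,
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_device_registrations(SIGNINS, AUDITS):
        print(f"{f['time']} {f['user']} joined {f['device']} from {f['ip']} "
              f"(known IPs {f['known_ips']}, {f['minutes_since_last_signin']:.0f} min after last sign-in)")
```

On the constructed data the IT user's join is ignored because the IP matches their own sign-ins, while the analyst's join from 198.51.100.77 is flagged 18 minutes after their interactive sign-in. A real deployment would widen the baseline beyond sign-in IPs (corporate ranges, VPN egress, prior device registrations) to cut false positives from roaming users.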
-
GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically
April 1, 2025
by Killian Raimbaud, Paul Rascagneres
KEY TAKEAWAYS Go (Golang) is increasingly popular with developers of both legitimate and malicious tooling. Volexity frequently encounters malware samples written in Go that apply obfuscators to hinder analysis. Obfuscated Go malware samples are significantly harder for reverse engineers to analyze statically. Volexity has developed an open-source tool, GoResolver, to recover the names of obfuscated functions. GoResolver's control-flow graph similarity techniques offer a significant advantage in recovering symbol information. In the course of its investigations, Volexity frequently encounters malware samples written in Go. Binaries written in Go are often challenging to analyze because of the embedded libraries and the sheer size of the resulting binaries. This issue is amplified when samples are obfuscated using tools such as Garble, an open-source Go obfuscation tool. The popularity of Go amongst malware developers, and the use of obfuscators to make reverse engineering harder, created the need for better tooling to assist in reverse engineering efforts. […]
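The idea behind recovering symbol names from control-flow graph similarity is that a symbol-renaming obfuscator changes what a function is called, not the shape of its basic-block graph, so a function in a stripped binary can be matched against the same function in a build that still has symbols. The following is an added toy illustration of that matching step, not GoResolver's code or its actual algorithm, and the CFGs of real Go functions are not reproduced. Each CFG is a constructed dict mapping a basic-block id to its successor ids; the reference function names (lib.retryLoop, lib.parseHeader) and the obfuscated names (hZk9x, qW3p2) are hypothetical.

```python
"""Toy function-name recovery by control-flow-graph similarity.

Added illustration, not GoResolver's code. CFGs are constructed dicts (block id -> successor
ids); all function names are hypothetical. Matching uses a Weisfeiler-Lehman style structural
signature so that block ids and symbol names play no part in the comparison.
"""
import hashlib
from collections import Counter


def wl_signature(cfg, rounds=3):
    """Multiset of structural labels for a CFG.

    Initial labels are "out-degree/in-degree" only. Each round replaces a block's label with a
    hash of its own label plus the sorted labels of its successors, so later rounds describe
    progressively larger neighbourhoods. The result is independent of block ids.
    """
    indeg = Counter(s for succs in cfg.values() for s in succs)
    labels = {b: f"{len(cfg[b])}/{indeg[b]}" for b in cfg}
    sig = Counter(labels.values())
    for _ in range(rounds):
        nxt = {}
        for b, succs in cfg.items():
            key = labels[b] + "|" + ",".join(sorted(labels[s] for s in succs))
            nxt[b] = hashlib.sha256(key.encode()).hexdigest()[:12]
        labels = nxt
        sig.update(labels.values())
    return sig


def similarity(sig_a, sig_b):
    """Jaccard similarity of two label multisets: 1.0 means structurally identical CFGs."""
    inter = sum((sig_a & sig_b).values())
    union = sum((sig_a | sig_b).values())
    return inter / union if union else 0.0


def match_functions(reference, unknown, threshold=0.7):
    """Map each unknown function to (best reference name, score); name is None below threshold."""
    ref_sigs = {name: wl_signature(cfg) for name, cfg in reference.items()}
    result = {}
    for name, cfg in unknown.items():
        sig = wl_signature(cfg)
        best_name, best_score = None, 0.0
        for ref_name, ref_sig in ref_sigs.items():
            score = similarity(sig, ref_sig)
            if score > best_score:
                best_name, best_score = ref_name, score
        chosen = best_name if best_score >= threshold else None
        result[name] = (chosen, round(best_score, 3))
    return result


# Constructed reference library: CFGs taken from an unobfuscated build that still has symbols.
REFERENCE = {
    "lib.retryLoop": {"entry": ["check"], "check": ["body", "exit"], "body": ["check"], "exit": []},
    "lib.parseHeader": {"entry": ["len_ok", "err"], "len_ok": ["magic_ok", "err"],
                        "magic_ok": ["done"], "err": ["done"], "done": []},
}

# Constructed obfuscated binary: symbol names and block ids renamed, graph shapes intact.
UNKNOWN = {
    "hZk9x": {"b0": ["b1"], "b1": ["b2", "b3"], "b2": ["b1"], "b3": []},  # same shape as retryLoop
    "qW3p2": {"b0": ["b1"], "b1": ["b2"], "b2": []},                       # straight line, no reference
}

if __name__ == "__main__":
    for fn, (guess, score) in match_functions(REFERENCE, UNKNOWN).items():
        print(f"{fn}: {guess} (score {score})")
```

hZk9x is isomorphic to lib.retryLoop and scores 1.0; qW3p2 has no structural counterpart and stays unnamed. The weakness of this toy is also the real-world caveat: tiny functions with common shapes (straight-line code, a single branch) collide, so a production matcher needs more signal than graph shape alone, such as instruction-level features or call targets, before it trusts a recovered name.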