https://www.stratosphereips.org/blog daily 0.75 2026-04-01 https://www.stratosphereips.org/blog/2026/4/1/new-slips-version-v1119-is-here monthly 0.5 2026-04-01 https://www.stratosphereips.org/blog/slips-adaptive-immunity monthly 0.5 2026-03-23 https://www.stratosphereips.org/blog/2026/3/22/slips-negative-selection-regex monthly 0.5 2026-03-25 https://www.stratosphereips.org/blog/2026/3/3/new-slips-version-v1118-is-here monthly 0.5 2026-03-03 https://www.stratosphereips.org/blog/2026/2/23/slips-ad-https-module monthly 0.5 2026-02-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/7badd73c-7aeb-40e5-bb96-450ab67c19a2/Slips+Anomaly+Detection+Example Stratosphere IPS Research Blog - HTTPS Anomaly Detection in Slips: Adaptive Baselines for Real Traffic - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2026/2/4/rethinking-cybersecurity-immunity monthly 0.5 2026-02-04 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/24bec5b3-480a-4575-98a1-3ac1c266f938/blog_image.jpg Stratosphere IPS Research Blog - Rethinking Cybersecurity Defense: Principles from Biological Immunity - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2026/1/25/netsecgame-a-framework-for-training-and-evaluating-ai-agents-in-network-security-environments monthly 0.5 2026-03-24 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/2c540d93-bbf5-4076-962a-6587a6397896/tui_demo_trimmed.gif Stratosphere IPS Research Blog - NetSecGame - A Framework for Training and Evaluating AI Agents in Network Security Environments - Make it stand out Example of Manual Play with Interactive TUI agent https://www.stratosphereips.org/blog/2026/1/30/new-slips-version-v1117-is-here monthly 0.5 2026-01-30 https://www.stratosphereips.org/blog/2025/12/1/new-slips-version-v1116-is-here monthly 0.5 2025-12-01 https://www.stratosphereips.org/blog/2025/10/31/new-slips-version-v1115-is-here monthly 0.5 2025-10-31 https://www.stratosphereips.org/blog/2025/10/23/ai-attackers-in-your-pocket-how-small-language-models-can-outsmart-cyber-defenses monthly 0.5 2025-10-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/6cb60af2-3666-4a00-950d-4052db6495b3/methodology.jpg Stratosphere IPS Research Blog - AI Attackers in Your Pocket: How Small Language Models Can Outsmart Cyber Defenses - Make it stand out Figure 1: Fine-tuning methodology https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1761219469728-FMO30HSVGQBUTVIFPME9/gpt4_keyactions.jpg Stratosphere IPS Research Blog - AI Attackers in Your Pocket: How Small Language Models Can Outsmart Cyber Defenses - Figure 2b: GPT-4 action transitions https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1761219469628-UMQ96JMPH5XR2BXF34VN/zephyr_ft_keyactions.jpg Stratosphere IPS Research Blog - AI Attackers in Your Pocket: How Small Language Models Can Outsmart Cyber Defenses - Figure 2a: Hackphyr action transitions https://www.stratosphereips.org/blog/2025/10/14/new-slips-version-v1114-is-here monthly 0.5 2025-10-14 https://www.stratosphereips.org/blog/2025/9/1/new-slips-version-v1113-is-here monthly 0.5 2025-09-01 https://www.stratosphereips.org/blog/2025/7/31/new-slips-version-v1112-is-here monthly 0.5 2025-07-31 https://www.stratosphereips.org/blog/2025/7/3/new-slips-version-v1111-is-here monthly 0.5 2025-07-03 https://www.stratosphereips.org/blog/2025/6/5/how-well-do-llms-perform-on-a-raspberry-pi-5 monthly 0.5 2025-06-05 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/426d73a2-7117-4ea9-a578-92aa68c65275/table-1.png Stratosphere IPS Research Blog - How Well Do LLMs Perform on a Raspberry Pi 5? - Make it stand out Table 1: A quick comparison of engines tested on the Raspberry Pi 5 for LLM performance, covering CPU quantization, speed, memory usage, and notes on suitability. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/c136049a-9511-4d6e-b182-8e2074441076/table-2.png Stratosphere IPS Research Blog - How Well Do LLMs Perform on a Raspberry Pi 5? - Make it stand out Table 2: This table compares various LLM models tested on the Raspberry Pi 5, highlighting disk size, RAM usage, tokens per second performance, and quantization methods. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/9b8c54d9-f4be-4b80-9126-723dabf1e46e/fig-1-models_heatmap_rpi5_Q4.jpeg Stratosphere IPS Research Blog - How Well Do LLMs Perform on a Raspberry Pi 5? - Make it stand out Figure 1: This heatmap compares the performance of different LLM models on the Raspberry Pi 5, highlighting their pass rates across various promptfoo tasks. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/a7ad115d-5e80-4bf2-93c0-13036f71d80a/fig-2-perf_test_model.jpeg Stratosphere IPS Research Blog - How Well Do LLMs Perform on a Raspberry Pi 5? - Make it stand out Figure 2: This bar chart shows the best-performing models for each promptfoo test on the Raspberry Pi 5, comparing overall best scores and best scores for models with speeds above 8 tokens per second (TPS). https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1a144de6-c2fd-4e5e-91df-85912bae6da2/figure-3-models_score.jpeg Stratosphere IPS Research Blog - How Well Do LLMs Perform on a Raspberry Pi 5? - Make it stand out This bar chart illustrates the overall performance scores of various LLM models tested on the Raspberry Pi 5 using promptfoo tasks, highlighting their relative effectiveness. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/a32a489b-233d-49e5-bb24-bfcd2f6a3b79/figure-4-trade_off.jpeg Stratosphere IPS Research Blog - How Well Do LLMs Perform on a Raspberry Pi 5? - Make it stand out Figure 4: This scatter plot shows the trade-off between performance scores and tokens-per-second (TPS) of different LLM models on the Raspberry Pi 5. Circle sizes represent RAM usage, highlighting the balance between performance and resource demands. https://www.stratosphereips.org/blog/2025/6/5/guest-post-a-graph-based-approach-to-cyber-threat-intelligence monthly 0.5 2025-06-05 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/f910647d-a1ef-45f8-8702-cf024d48836c/fig0.png Stratosphere IPS Research Blog - Guest Post: A Graph-Based Approach to Cyber Threat Intelligence - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/7ad68d7f-5a44-4ac3-a80a-7156bb8f5e53/fig1.png Stratosphere IPS Research Blog - Guest Post: A Graph-Based Approach to Cyber Threat Intelligence - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/f1198760-324b-4753-b2d9-cc5ac844ce66/fig2.png Stratosphere IPS Research Blog - Guest Post: A Graph-Based Approach to Cyber Threat Intelligence - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/b92876cc-d1f8-45bc-ae21-76374cd58359/fig3.png Stratosphere IPS Research Blog - Guest Post: A Graph-Based Approach to Cyber Threat Intelligence - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/0ff32e2c-cbcf-4852-b382-6efc603d22d1/fig4.png Stratosphere IPS Research Blog - Guest Post: A Graph-Based Approach to Cyber Threat Intelligence - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2025/6/5/exploring-llms-for-cybersecurity-our-icaart-2024-extension-paper monthly 0.5 2025-06-05 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/a8658e38-620c-4c17-a67a-8b4e436f78fc/fig1-react_agent-drawio.png Stratosphere IPS Research Blog - Exploring LLMs for Cybersecurity: Our ICAART 2024 Extension Paper - Make it stand out Fig 1: The ReAct agent prompt structure and workflow [19]. The prompt at each stage consists of several components marked with different colors. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/578d9766-68ea-4faa-8412-a992484f42dd/fig2-Design+of+RL+for+Agents+and+Game+Environment.jpg Stratosphere IPS Research Blog - Exploring LLMs for Cybersecurity: Our ICAART 2024 Extension Paper - Make it stand out Fig 2: Setup of both NetSecGame topology versions: small scenario with the blue parts and full scenario in green https://www.stratosphereips.org/blog/2025/5/26/new-slips-version-v1110-is-here monthly 0.5 2025-05-26 https://www.stratosphereips.org/blog/2025/4/30/new-slips-version-v119-is-here monthly 0.5 2025-04-30 https://www.stratosphereips.org/blog/2025/3/31/new-slips-version-v118-is-here monthly 0.5 2025-03-31 https://www.stratosphereips.org/blog/2025/2/28/new-slips-version-v117-is-here monthly 0.5 2025-02-28 https://www.stratosphereips.org/blog/2025/2/24/introducing-aracne-a-new-llm-based-shell-pentesting-agent monthly 0.5 2025-02-27 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/f29b6dc9-45bb-457b-89b4-fb017c355f74/Screenshot+2025-02-24+at+22.38.51.png Stratosphere IPS Research Blog - Introducing ARACNE, a new LLM-based shell pentesting agent - Make it stand out Figure 1: ARACNE connection diagram. The execution begins when the user provides a goal. The Organizer module then passes it to the Planner module. Afterward, the Planner module generates an attack plan which is then passed to the Interpreter module. The result of the Interpreter module is a Linux terminal command, which the Organizer module then executes in the SSH. Then, the Organizer module retrieves the output of the command and stores it along with the previous plan, the command itself, and the goal into a context file. This file’s content is then passed either to the Planner module or to the Summarizer module, depending on whether summarizing is enabled or not. The Summarizer module’s actions are described in the following paragraphs. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/0d4a1ad5-bb9a-43b0-a5f3-5db12280a805/Screenshot+2025-02-24+at+22.43.55.png Stratosphere IPS Research Blog - Introducing ARACNE, a new LLM-based shell pentesting agent - Make it stand out Figure 2: Function that handles the SSH connection. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1b4421b6-0f0c-4d7a-ae44-b0f0419f1ea5/Screenshot+2025-02-24+at+22.49.06.png Stratosphere IPS Research Blog - Introducing ARACNE, a new LLM-based shell pentesting agent - Make it stand out Table 1: Results of the attacks without enabling the Summarizer https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1c87626d-534a-4f2a-b219-aba3bf318142/Screenshot+2025-02-24+at+22.49.13.png Stratosphere IPS Research Blog - Introducing ARACNE, a new LLM-based shell pentesting agent - Make it stand out Table 2: Results of the attacks with the Summarizer enabled https://www.stratosphereips.org/blog/2025/1/31/new-slips-version-v116-is-here monthly 0.5 2025-01-31 https://www.stratosphereips.org/blog/2025/1/3/new-slips-version-v115-is-here monthly 0.5 2025-01-03 https://www.stratosphereips.org/blog/2024/11/29/new-slips-version-v114-is-here monthly 0.5 2024-11-29 https://www.stratosphereips.org/blog/2024/10/31/new-slips-version-v113-is-here monthly 0.5 2024-10-31 https://www.stratosphereips.org/blog/2024/10/30/aip-v300-is-here monthly 0.5 2024-10-30 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/c10be670-1e22-4ace-b53e-272c797cc19b/AIP_Diagram.png Stratosphere IPS Research Blog - AIP v3.0.0 is Here! - Make it stand out AIP takes incoming network attacks captured by Zeek, processes the data, and each model will generate its own blocklist prioritising a specific aspects of the incoming attacks. https://www.stratosphereips.org/blog/2024/9/30/new-slips-version-v112-is-here monthly 0.5 2024-09-30 https://www.stratosphereips.org/blog/2024/9/4/27l2z8pfpxhkszjac6h8udwlax6c50 monthly 0.5 2024-09-04 https://www.stratosphereips.org/blog/2024/9/3/introduction-to-security-online monthly 0.5 2024-09-03 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1725363208344-PEYVYAC7SEZE9HO7G9XI/unsplash-image-_HEqJviJ7KY.jpg Stratosphere IPS Research Blog - Czech Technical University in Prague’s "Introduction to Security" Class is now a Free Online Course! - Easily one of the best subjects I’ve studied at FEE "Nice class offering a lot of hands-on experience and fun assignments. Easily one of the best subjects I’ve studied at FEE." - OI MSc Cybersecurity https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1725363273928-WLEUSEXYLH0UIV5DJGUC/unsplash-image-ZnOqBzHaDVQ.jpg Stratosphere IPS Research Blog - Czech Technical University in Prague’s "Introduction to Security" Class is now a Free Online Course! - The most well-prepared course I've taken so far This was undoubtedly the most well-prepared course I've taken so far, including through my bachelor's degree. The classes were highly practical, with almost every concept being not only taught but also demonstrated. Ensuring that everyone had the opportunity to replicate the learning experience was a priority. https://www.stratosphereips.org/blog/2024/8/27/towards-better-understanding-of-cybercrime-the-role-of-fine-tuned-llms-in-translation monthly 0.5 2024-08-27 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/594d58ff-8c79-4fa6-8046-442eb59d680d/Screenshot+2024-08-27+at+17.57.27.png Stratosphere IPS Research Blog - Towards Better Understanding of Cybercrime: The Role of Fine-Tuned LLMs in Translation - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2024/7/31/new-slips-version-v11-is-here monthly 0.5 2024-07-31 https://www.stratosphereips.org/blog/2024/7/16/best-short-paper-award-at-adampd-workshop-euro-sampp monthly 0.5 2024-07-16 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/f96197e1-06d9-4aab-a266-836c0908f418/IMG-20240709-WA0009.jpg Stratosphere IPS Research Blog - Best Short Paper Award at AD&D Workshop EURO S&P! - Make it stand out Workshop Chair, Emmanouil Vasilomanolakis, Technical University of Denmark (left); Muris Sladić, Czech Technical University in Prague (center); Sebastian Garcia, Czech Technical University in Prague (right) https://www.stratosphereips.org/blog/2024/7/16/shoutout-to-nlnet-foundation-our-continuous-supporter monthly 0.5 2024-07-16 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/068bebf9-536d-4971-962f-2498073a56c6/NLnet_Foundation_logo.svg.png Stratosphere IPS Research Blog - Shoutout To NLnet Foundation, Our Continuous Supporter! - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2024/7/3/google-summer-of-code-2024-in-stratosphere-blog-for-the-first-month-of-sekhar-kumar-dash monthly 0.5 2024-07-03 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/8ecaabdb-6c17-4210-9b23-267ad6ccdfce/b7830459-320a-49fa-947b-d9662a42482f.jpeg Stratosphere IPS Research Blog - Google Summer Of Code 2024 In Stratosphere. Blog for the first month of Sekhar Kumar Dash - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2024/6/14/new-slips-version-v1015-is-here monthly 0.5 2024-06-14 https://www.stratosphereips.org/blog/2024/5/31/introducing-stratocyberlab-local-cyber-range-with-ai-assistant monthly 0.5 2024-05-31 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/5f9cf150-95d4-4d0c-b059-8769799508c5/image+%285%29.jpg Stratosphere IPS Research Blog - Introducing StratoCyberLab: A Local Cyber Range To Help You Get Your Cyber Skills to The Next Level - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/c6ed18cf-01bd-4a8a-a486-f3024a120c53/image+%285%29.jpg Stratosphere IPS Research Blog - Introducing StratoCyberLab: A Local Cyber Range To Help You Get Your Cyber Skills to The Next Level - Help On Your Journey The Assistant AI helps and facilitates your learning through your cybersecurity journey. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/5f86a2cc-e3ca-4bc9-8421-3170c8575b43/image+%285%29.jpg Stratosphere IPS Research Blog - Introducing StratoCyberLab: A Local Cyber Range To Help You Get Your Cyber Skills to The Next Level Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2024/5/15/new-slips-version-v1014-is-here monthly 0.5 2024-05-15 https://www.stratosphereips.org/blog/2024/4/16/new-slips-version-v1013-is-here monthly 0.5 2024-04-16 https://www.stratosphereips.org/blog/2024/3/15/new-slips-version-v1012-is-here monthly 0.5 2024-03-15 https://www.stratosphereips.org/blog/2024/3/4/participation-in-icaart-2024-rome monthly 0.5 2024-03-04 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/979d3803-b26d-42b1-92df-df8b49cec320/ootc_1.jpeg Stratosphere IPS Research Blog - Participation in ICAART 2024, Rome - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/e3f327a8-cccf-4dff-a824-bc76a6eb6388/ootc2.jpeg Stratosphere IPS Research Blog - Participation in ICAART 2024, Rome - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/fad19a67-fbb3-4674-a1b1-21eb279239a5/image+%284%29.png Stratosphere IPS Research Blog - Participation in ICAART 2024, Rome - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2024/2/29/announcing-google-summer-of-code-2024-participation monthly 0.5 2024-02-29 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1bcd1750-7d91-4387-a4b1-bbe228e57b2d/strato-gsoc.png Stratosphere IPS Research Blog - Announcing Google Summer of Code 2024 Participation! - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/7495a824-c954-4c61-a614-5572b742e312/mentors-gsoc.png Stratosphere IPS Research Blog - Announcing Google Summer of Code 2024 Participation! - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2024/2/23/analysis-and-understanding-of-malware-of-the-pyration-family monthly 0.5 2024-02-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/69f0fac6-4fb0-45d0-8cf3-b6717a3a80eb/figure1.png Stratosphere IPS Research Blog - Analysis and understanding of malware of the PyRation family - Make it stand out Figure 1: Unzipping the .zip file of the original malware https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/a1559153-ebdb-4640-8a5e-39c3c6405959/figure2.png Stratosphere IPS Research Blog - Analysis and understanding of malware of the PyRation family - Make it stand out Figure 2: Extracting the contents of the file https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/e806b05d-204b-43d0-ba7e-a4ebcf6dcb96/figure3.png Stratosphere IPS Research Blog - Analysis and understanding of malware of the PyRation family - Make it stand out Figure 3: Creating a directory for decompiled files https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/14844f5c-fb4d-4b9b-b7c6-c4b51424bd11/figure4.png Stratosphere IPS Research Blog - Analysis and understanding of malware of the PyRation family - Make it stand out Figure 4: Function in charge of taking screenshots in the bot https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/a938f2cb-9a33-428e-a5b1-4958b6db564a/figure5.png Stratosphere IPS Research Blog - Analysis and understanding of malware of the PyRation family - Make it stand out Figure 5: Detect if the OS is Windows or not https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/3d2f0088-7b99-4499-9554-52df74533478/figure6.png Stratosphere IPS Research Blog - Analysis and understanding of malware of the PyRation family - Make it stand out Figure 6: Antivirus detector for macOS. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/df6e9348-f09d-4d35-beb2-de963cc9eeda/figure7.png Stratosphere IPS Research Blog - Analysis and understanding of malware of the PyRation family - Make it stand out Figure 7: A loop that sends the key log to the server. App.KEYLOG_SECONDS_TO_LOOP_SLEEP = 60 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/7afb2abe-91f0-46b2-8e7d-d34301b56ac0/figure8.png Stratosphere IPS Research Blog - Analysis and understanding of malware of the PyRation family - Make it stand out Figure 8: Both the first and second functions in the bot to manage files. One to download files from the server and one to write new ones. Both work locally. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/5c90a19c-fe47-48e0-b27f-49b43aac2f15/figure9.png Stratosphere IPS Research Blog - Analysis and understanding of malware of the PyRation family - Make it stand out Figure 9: Function used for anonymous browsing. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/e4c17a28-e381-47e0-b85d-48fff73c8ad2/figure10.png Stratosphere IPS Research Blog - Analysis and understanding of malware of the PyRation family - Make it stand out Figure 10: Function responsible for command execution. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/d751d621-d9e1-4ad1-8fca-67c8fd6b1502/figure11.jpg Stratosphere IPS Research Blog - Analysis and understanding of malware of the PyRation family - Make it stand out Figure 11: Diagram of all functions and features in the client-side code. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/dffd348e-be13-4204-9a3f-1f62c26cab48/author.jpg Stratosphere IPS Research Blog - Analysis and understanding of malware of the PyRation family - About the Author My name is Tomas Nieponice, I'm a 16-year-old high school student from Argentina. Since early in my life I have been interested in technology and software. I am a professional Rubik’s cube solver and astronomy student. https://www.stratosphereips.org/blog/2024/2/15/new-slips-version-v1011-is-here monthly 0.5 2024-02-15 https://www.stratosphereips.org/blog/2024/1/15/new-slips-version-v1010-is-here monthly 0.5 2024-01-15 https://www.stratosphereips.org/blog/2023/12/18/new-slips-version-v109-is-here monthly 0.5 2023-12-18 https://www.stratosphereips.org/blog/2023/11/16/new-slips-version-v108-is-here monthly 0.5 2023-11-16 https://www.stratosphereips.org/blog/2023/10/9/use-case-uptimerobot-amp-stratosphere-iot-laboratory monthly 0.5 2023-10-09 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/269cd054-287a-4057-a55d-854c95f667fe/uptimerobot-1.png Stratosphere IPS Research Blog - Use Case: UptimeRobot & Stratosphere IoT Laboratory - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/bd1db0e5-486d-44e7-b7be-768e34b262db/uptimerobot-3.png Stratosphere IPS Research Blog - Use Case: UptimeRobot & Stratosphere IoT Laboratory - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2023/9/15/new-slips-version-v107-is-here monthly 0.5 2023-09-15 https://www.stratosphereips.org/blog/2023/9/10/llm-in-the-shell-generative-honeypots-at-esorics-2023-poster-session monthly 0.5 2023-10-09 https://www.stratosphereips.org/blog/2023/9/10/stratospheres-slips-and-the-ai-vpn-to-appear-at-black-hat-europe-2023-arsenal monthly 0.5 2023-09-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1f7b8ee5-cf71-49f4-ba6f-11788428b3b5/Screenshot+2023-09-10+at+11.23.42.png Stratosphere IPS Research Blog - Stratosphere's Slips and the AI VPN to appear at Black Hat Europe 2023 Arsenal! - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2023/8/4/generating-your-own-blocklists-with-the-stratosphere-aip-framework monthly 0.5 2023-08-04 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/a6a1dcb7-61fb-4ab9-93bb-ff98774afaa0/Stratosphere+Blocklist+Generation+Project+-+Simplified+pipeline.jpg Stratosphere IPS Research Blog - Generating Your Own Blocklists with the Stratosphere AIP Framework - Make it stand out Figure 1 - Simplified diagram of the AIP framework process from data ingestion to feed generation. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/5f309814-c1bb-41ad-b4d8-75bab819105f/digital-ocean-min-requirements.png Stratosphere IPS Research Blog - Generating Your Own Blocklists with the Stratosphere AIP Framework - Make it stand out Figure 2 - Digital Ocean droplet for this guide is a 1GB 1CPU droplet, with a regular SSD, of 25GB storage. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/a3ed000d-0fcb-40b2-b12f-fbff4ffc0fa1/zeek-data.png Stratosphere IPS Research Blog - Generating Your Own Blocklists with the Stratosphere AIP Framework - Make it stand out Figure 3 - Directory with the Zeek logs output with 3 days of data. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/3cb574ce-13b6-4515-be9e-325e045d854d/aip-runs-through-docker.png Stratosphere IPS Research Blog - Generating Your Own Blocklists with the Stratosphere AIP Framework - Make it stand out Figure 4 - AIP running as a docker container builds the attack metrics based on Zeek input data. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/4c8ad62f-e6e2-4688-873a-afafd34015c4/aip-generated-data-output.png Stratosphere IPS Research Blog - Generating Your Own Blocklists with the Stratosphere AIP Framework - Make it stand out Figure 5 - AIP writes data in the data/output folder where all the output blocklists can be found https://www.stratosphereips.org/blog/2023/8/2/google-summer-of-code-updates-from-week-9-july-24th-to-july-28th monthly 0.5 2023-08-02 https://www.stratosphereips.org/blog/2023/7/30/introducing-collectress-consistent-threat-intelligence-feed-collection-and-storage monthly 0.5 2023-07-30 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/d7f27d21-83a7-440d-a75b-9dfe0ff56234/collectress.png Stratosphere IPS Research Blog - Introducing Collectress: Consistent Threat Intelligence Feed Collection and Storage - Make it stand out Collectress is a free software tool developed by Stratosphere: https://github.com/stratosphereips/collectress https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/381eaf2f-45d8-4dc4-80ae-d1f9d597f5e5/collectress-2.png Stratosphere IPS Research Blog - Introducing Collectress: Consistent Threat Intelligence Feed Collection and Storage - Make it stand out Figure 1 - Collectress downloading 43 threat intelligence feeds, featuring a simple progress bar. https://www.stratosphereips.org/blog/2023/7/26/google-summer-of-code-updates-from-week-8-july-17th-to-july-21th monthly 0.5 2023-07-26 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/b638abc6-b433-4299-85cf-f0f31076f00b/Screenshot+2023-07-26+at+9.23.43.png Stratosphere IPS Research Blog - Google Summer of Code Updates from Week #8 (July 17th to July 21th) - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2023/7/18/google-summer-of-code-updates-from-week-7-july-10th-to-july-14th monthly 0.5 2023-07-18 https://www.stratosphereips.org/blog/2023/7/14/slips-and-the-ai-vpn-presented-at-the-20th-dimva-tool-arsenal-in-hamburg-germany monthly 0.5 2023-07-14 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/609326cd-1130-4563-9377-8d7b47b90a18/IMG_6536.jpg Stratosphere IPS Research Blog - Slips and the AI VPN presented at the 20th DIMVA Tool Arsenal in Hamburg, Germany - Make it stand out Veronica Valeros (left) in the kick off of the arsenal ready to present the AI VPN at DIMVA 2023. https://www.stratosphereips.org/blog/2023/7/11/google-summer-of-code-updates-from-week-6-59cg8-pydmd monthly 0.5 2023-07-11 https://www.stratosphereips.org/blog/2023/7/11/google-summer-of-code-updates-from-week-5-59cg8 monthly 0.5 2023-07-11 https://www.stratosphereips.org/blog/2023/7/11/google-summer-of-code-updates-from-week-4-gjjkx monthly 0.5 2023-07-11 https://www.stratosphereips.org/blog/2023/7/10/the-world-of-malicious-ips-creating-blocklists-from-honeypot-traffic monthly 0.5 2024-10-30 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/f2c752af-a5f0-47b3-80dd-9b71a78184d3/plot1.png Stratosphere IPS Research Blog - The World of Malicious IPs: Creating Blocklists from Honeypot Traffic. - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/3a2ec487-5ff2-40cf-8c00-36e923ae77a3/plot2.png Stratosphere IPS Research Blog - The World of Malicious IPs: Creating Blocklists from Honeypot Traffic. - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2023/6/30/new-slips-version-v106-is-here monthly 0.5 2023-06-30 https://www.stratosphereips.org/blog/2023/6/21/google-summer-of-code-updates-from-week-3 monthly 0.5 2023-07-05 https://www.stratosphereips.org/blog/2023/6/20/google-summer-of-code-updates-from-week-2 monthly 0.5 2023-06-21 https://www.stratosphereips.org/blog/2023/6/6/google-summer-of-code-updates-from-week-1 monthly 0.5 2023-06-20 https://www.stratosphereips.org/blog/2023/5/30/new-slips-version-v105-is-here monthly 0.5 2023-05-30 https://www.stratosphereips.org/blog/2023/5/8/new-slips-version-v104-is-here monthly 0.5 2023-05-08 https://www.stratosphereips.org/blog/2023/5/5/announcing-google-summer-of-code-2023-projects monthly 0.5 2023-05-05 https://www.stratosphereips.org/blog/2023/3/31/new-slips-version-103-is-here monthly 0.5 2023-05-02 https://www.stratosphereips.org/blog/2023/2/28/new-slips-version-102-is-here monthly 0.5 2023-05-02 https://www.stratosphereips.org/blog/2023/1/31/new-slips-version-101-is-here monthly 0.5 2023-05-02 https://www.stratosphereips.org/blog/2023/1/26/winer-conti-award monthly 0.5 2023-01-26 https://www.stratosphereips.org/blog/2022/12/8/installing-h0neytr4p-in-the-cloud monthly 0.5 2022-12-19 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/b42604a5-9638-402e-a3a1-b4aa74c4e6ac/Step+2+-+Select+the+option+to+create+a+new+droplet.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Step 2: Select the option to create a new droplet https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/07cf703d-2d03-41cb-b885-4650871e9853/Step+3+-+Selecting+the+base+image+for+the+honeypot Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Step 3: Selecting the base image for the honeypot https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/e40ff345-5abb-41fa-8b84-c7886caab2e9/Screenshot+2022-12-08+at+19.15.34.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Step 4: Selecting the server specs (memory, CPU, storage, etc) https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/fcd8f4b2-43ca-41a0-bd19-7283b6065104/Screenshot+2022-12-08+at+19.15.47.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Step 5: Selecting the region of the cloud server https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/a6f0fcad-2767-4ad1-acb1-44ad712bb872/Screenshot+2022-12-08+at+19.16.18.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Step 6: Select the authentication method: SSH Key or Password. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/745b7ee4-1f1f-499d-ad18-0204905c6961/Screenshot+2022-12-08+at+19.16.35.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Step 7: Select the number of droplets to create and a hostname for the droplet. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/006adc5a-00f4-46b1-8e8d-56dd14d5a9fd/Screenshot+2022-12-08+at+19.21.47.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Step 8: Select create droplet to start instantiating the new cloud server https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/c7f8268e-80d3-4f12-8675-f3cbe44d3ea3/Screenshot+2022-12-08+at+19.23.26.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Step 9: Login to the newly created cloud server using SSH using the information provided in the previous steps and the assigned IP address visible from the account dashboard. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/3b439754-ebc3-4631-9a5a-85b0d11a25f0/Screenshot+2022-12-08+at+19.26.30.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Step 10: Successful login into the new cloud server https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/74bdae54-c315-4d9f-8cc1-4519912b5566/h0neytr4p_1.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/ea44a39d-0c0d-43e3-809a-8359226892ad/h0neytr4p_1.2.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/c3df5654-fdc4-45b1-a7c3-4056fbe42515/h0neytr4p_4.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/868e817d-1c67-4bd9-8c08-2495e9e42136/h0neytr4p_5.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/8dc66cda-b360-4614-9d2a-f79cd22b8fa4/h0neytr4p_2.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/eccaf143-b48f-474e-8249-e4478ff7ccd1/h0neytr4p_3.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/08c23275-d654-4874-a3aa-6cc736643d80/Screenshot+2022-12-08+at+19.38.16.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/22f27ae8-023e-4f08-ac69-75f7af78eb7d/h0neytr4p_7.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/c114f36c-a3ec-4c6c-aac2-9808cb78850e/Screenshot+2022-12-19+at+20.47.19.png Stratosphere IPS Research Blog - Installing h0neytr4p honeypot in the Cloud - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2022/12/2/new-slips-version-100-is-here monthly 0.5 2023-05-02 https://www.stratosphereips.org/blog/2022/11/11/new-slips-version-096-is-here monthly 0.5 2023-05-02 https://www.stratosphereips.org/blog/2022/8/30/new-slips-version-095-is-here monthly 0.5 2022-08-31 https://www.stratosphereips.org/blog/2022/7/31/new-slips-version-093-is-here monthly 0.5 2023-05-02 https://www.stratosphereips.org/blog/2022/7/19/slips-in-blackhat-us-2022-arsenal-in-las-vegas monthly 0.5 2022-07-19 https://www.stratosphereips.org/blog/2022/7/5/new-slips-version-092-is-here monthly 0.5 2022-07-14 https://www.stratosphereips.org/blog/2022/6/6/writing-a-slips-module monthly 0.5 2022-07-14 https://www.stratosphereips.org/blog/2022/6/6/new-slips-version-091-is-here monthly 0.5 2022-07-14 https://www.stratosphereips.org/blog/2022/5/3/installing-glutton-honeypot-in-the-cloud monthly 0.5 2022-05-04 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/ca76a7eb-eaa1-4806-ba13-c090525ca800/create-dropplet-0.png Stratosphere IPS Research Blog - Installing Glutton Honeypot in the Cloud - Make it stand out Step 2: Select the option to create a new droplet https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/725cc128-d528-495a-b357-3538994cb0ab/Screenshot+2022-05-03+at+15.27.40.png Stratosphere IPS Research Blog - Installing Glutton Honeypot in the Cloud - Make it stand out Step 3: Selecting the base image for the honeypot https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/e6d3d216-60b5-4d45-af0a-95076838a1f6/Screenshot+2022-05-03+at+15.27.50.png Stratosphere IPS Research Blog - Installing Glutton Honeypot in the Cloud - Make it stand out Step 4: Selecting the server specs (memory, CPU, storage, etc) https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/dfbef166-68c0-4390-8492-67f431fcab27/Screenshot+2022-05-03+at+15.28.05.png Stratosphere IPS Research Blog - Installing Glutton Honeypot in the Cloud - Make it stand out Step 5: Selecting the region of the cloud server https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/13ea0865-714f-4b46-88ee-115466b7de12/Screenshot+2022-05-03+at+15.37.58.png Stratosphere IPS Research Blog - Installing Glutton Honeypot in the Cloud - Make it stand out Step 6: Select the authentication method: SSH Key or Password. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/34aa513d-b7b8-44dd-9b66-e962d8bf4d9d/Screenshot+2022-05-03+at+15.38.15.png Stratosphere IPS Research Blog - Installing Glutton Honeypot in the Cloud - Make it stand out Step 7: Select the number of droplets to create and a hostname for the droplet. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/f9cbd69e-3e17-464c-b5aa-0cd7bfb7858f/Screenshot+2022-05-03+at+15.40.28.png Stratosphere IPS Research Blog - Installing Glutton Honeypot in the Cloud - Make it stand out Step 8: Select create droplet to start instantiating the new cloud server https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/4bb9f457-0aaa-4332-a2fe-5719dd6b70f7/Screenshot+2022-05-03+at+15.43.28.png Stratosphere IPS Research Blog - Installing Glutton Honeypot in the Cloud - Make it stand out Step 9: Login to the newly created cloud server using SSH using the information provided in the previous steps and the assigned IP address visible from the account dashboard. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/38fcc992-2a82-46ab-bdc1-9afae42019c7/Screenshot+2022-05-03+at+15.46.58.png Stratosphere IPS Research Blog - Installing Glutton Honeypot in the Cloud - Make it stand out Step 10: Successful login into the new cloud server https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/61f3b530-f05b-4444-bdf4-a1cb70377708/Screenshot+2022-05-03+at+16.47.30.png Stratosphere IPS Research Blog - Installing Glutton Honeypot in the Cloud - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/9e10f066-4f80-4d15-aa16-c5c75e2223d2/Screenshot+2022-05-03+at+16.51.21.png Stratosphere IPS Research Blog - Installing Glutton Honeypot in the Cloud - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/4d283909-4b22-4948-882f-df3445ada97a/Screenshot+2022-05-03+at+17.10.18.png Stratosphere IPS Research Blog - Installing Glutton Honeypot in the Cloud - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/69c03368-c50a-48dc-a619-e570938a804d/Screenshot+2022-05-03+at+17.19.50.png Stratosphere IPS Research Blog - Installing Glutton Honeypot in the Cloud - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/b9129804-b7b6-41e8-90c5-4615199496fe/Screenshot+2022-05-03+at+17.30.21.png Stratosphere IPS Research Blog - Installing Glutton Honeypot in the Cloud - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/5808e4f0-50aa-49da-b8d0-da5a30183a13/Screenshot+2022-05-03+at+17.30.48.png Stratosphere IPS Research Blog - Installing Glutton Honeypot in the Cloud - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2022/4/28/new-slips-version-090-is-here monthly 0.5 2022-07-14 https://www.stratosphereips.org/blog/2022/4/1/new-slips-version-085-is-here monthly 0.5 2022-05-04 https://www.stratosphereips.org/blog/2022/2/17/new-slips-version-084-is-here monthly 0.5 2022-05-04 https://www.stratosphereips.org/blog/2022/2/17/studying-the-distribution-of-computational-propaganda-with-serpapi monthly 0.5 2022-07-14 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1645130712626-KMBOQB70VR911XOSVF8K/Diff+between+linking+to+and+from+a+URL.jpg Stratosphere IPS Research Blog - Studying the Distribution of Computational Propaganda with SerpAPI - Make it stand out Difference between extracting links from a URL, and to a URL https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1645130897305-HRHJUHGB0CWO0E0952IX/serpapi-logo.png Stratosphere IPS Research Blog - Studying the Distribution of Computational Propaganda with SerpAPI - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1645131034564-GMDELWGKUSEX0OLQKHNO/How+to+use+SerpAPI+to+find+links.jpg Stratosphere IPS Research Blog - Studying the Distribution of Computational Propaganda with SerpAPI - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2021/11/29/studying-cybercrime-is-fun-an-overview-of-five-years-of-research-surrounding-the-geost-botnet monthly 0.5 2023-04-20 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1635890471622-QPDDVI2Q2GVY8M8IU9MI/radhika.jpg Stratosphere IPS Research Blog - Studying Cybercrime is Fun! An Overview of Five Years of Research Surrounding the Geost Botnet What is this unknown web access? It looks like a command and control botnet panel… Well it is! https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1635890532887-WX6MNEPSXHKBHDRL5UPP/wacco.jpg Stratosphere IPS Research Blog - Studying Cybercrime is Fun! An Overview of Five Years of Research Surrounding the Geost Botnet - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1635890619480-IAN2QWVD1X7XY8RSM2QR/bheu.png Stratosphere IPS Research Blog - Studying Cybercrime is Fun! An Overview of Five Years of Research Surrounding the Geost Botnet - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1635890739549-537XZXUJXKCICLRCGLI4/bhusa.png Stratosphere IPS Research Blog - Studying Cybercrime is Fun! An Overview of Five Years of Research Surrounding the Geost Botnet - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1635890803458-CH593QNPIS85ETEB6S9G/botconf.png Stratosphere IPS Research Blog - Studying Cybercrime is Fun! An Overview of Five Years of Research Surrounding the Geost Botnet - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1635890851189-WVCSQYBI6BF0PY84QG2K/poster.png Stratosphere IPS Research Blog - Studying Cybercrime is Fun! An Overview of Five Years of Research Surrounding the Geost Botnet - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/blog/2021/10/12/new-slips-version-08-is-here-more-detections-whitelists-and-train-your-own-machine-learning monthly 0.5 2022-05-04 https://www.stratosphereips.org/blog/2021/9/20/the-prevalence-of-dns-over-https-by-karel-hynek monthly 0.5 2021-09-20 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1632148930476-6FNAUGI8NOD0CDGG8B8Z/org2-2020-doh-dot-doq-1024x507.png Stratosphere IPS Research Blog - The prevalence of DNS over HTTPS By Karel Hynek - Make it stand out Figure 1 — The amount of DoH/DoT/DoQ requests in Czech Technical University traffic during 2020. DoQ is not visible due to the small amount of requets. Note, the gap from 2020/09/07 to 2020/09/17 was due to issues with the sensors. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1632149294665-2SQ3NRTRTE4QRKNCP7DY/org3-doh-user-country-norm.png Stratosphere IPS Research Blog - The prevalence of DNS over HTTPS By Karel Hynek - Make it stand out Figure 2 — Line plot of the normalized amount of observed DoH connections per user per day. Vertical lines are weekends. https://www.stratosphereips.org/blog/2021/9/20/create-and-test-your-own-taxii-server monthly 0.5 2022-10-14 https://www.stratosphereips.org/blog/2021/6/2/dissecting-a-rat-analysis-of-the-saefko-rat monthly 0.5 2021-10-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1622659553439-KNYEICJHZ2UXFBC931Q2/image7.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 2. The APK function GetLocationInfo() retrieves the longitude and latitude of the victim’s device location based on the IP address by connecting to the site https://ipinfo.io/geo. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1622659703539-LZ39HPD3CG8N27FRS1V2/image21.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 4. APK code with specifications of the database URL ‘https://experimentsas.000webhostapp.com/server.php’ and other necessary parameters. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1622659785187-D6SC1Z7SULTJM0MSFWC0/image6.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 6. The interface that the controller uses to execute C&C commands. The interface contains 3 tabs to separate the commands sent over IRC, HTTP and TCP. The tab for the C&C commands over IRC is command-line alike. The phone connects to three IRC servers listed in the beginning of Figure 6: irc.immortal-anime.net, irc.caelestia.net, irc.charrersweb.nl. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1622659818290-CCKQ05VI2PHKEXOD9ZFK/image12.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 7. APK code that aims to establish a connection with an IRC server with specific parameters. The function generates a list of 5 IRC servers and sends it to the C&C database. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1622659874153-M2GH6SARGZYSDA0ZE2XO/image10.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 8. IRC servers listed in the APK code. The infected device connects to IRC servers from this list of 99 servers. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1622659985502-EDGUZ9TIUGCBSMY468E6/image4.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 9. APK function GenerateIRCInfo() that aims to connect to an IRC server with specified parameters IRC_SERVER, IRC_PORT and IRC_NICKNAME. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1622660071346-FYS21KE50EOTSSIXTM7H/image11.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 10. APK function update_server_informations that sends the information about the victim’s connected IRC servers to the C&C. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624285304168-NUX8U3Z63PBHU76RQDUY/Screenshot+from+2021-06-21+16-21-08.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 11. The list of C&C commands that can be executed over IRC channels. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1622660496138-OPD92XC41GA8VISVGH35/image3.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 12. Connection from the phone to the IRC server chat.freenode.net. The connection was established and immediately terminated. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1622660696420-VPLR9PP9KON59I8R5ALB/image15.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 13. Reestablished connection from the infected device to the IRC server chat.freenode.net. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1622661157137-9W9XN59VRBZTUFR42F4W/image16.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 14. The packet with the USER command sent from the phone to the IRC server. The phone’s username is 6 letters long randomly generated string. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1622661324672-Q7XTWBIOIO8Q9QB3MGE5/image2.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 15. Function GetNickname() inside the APK code that randomly generates a 6 letters long string to create the nick of the user in IRC. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1622661453821-A7KXI07M2QS4TV2NXSPD/image9.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 16. Ping and pong between the IRC server and the victim’s phone. The heartbeat continues until the C&C command is received. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624285387273-JHEGO855251DURP4H8DT/Screenshot+from+2021-06-21+16-22-36.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 17. The private message from the C&C with the command ‘location’. The top lines in the figure are the headers of the packet, the lower lines are the content According to the Internet Relay Chat field, the controller’s nick is zelvmd, the IP is 2001:718:2:903:f410:3340:d02b:b918 and it sends the data ‘SASENCODEbG9jYXRpb25UX1QxNjE4MDY2OTgxNjMw’. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624287153532-7F8UKVZJ6A578FJP46NY/Screenshot+from+2021-06-21+16-52-00.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 21. The phone’s 6 packets sent as a reply to the C&C command ‘location’. The packets from the phone follow the same structure as the C&C packets. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624277072111-X9WRQSQY6SIZBASRKSCD/image22.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 22. The C&C commands are sent to each connected IRC server and the infected device replies to the C&C command in each server. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624277178405-VY2CPRUZ33JFZ6EQCHHS/image5.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 23. The queue of HTTP requests with C&C commands to be executed on the phone. These commands will be executed according to the refresh rate parameter set in the configuration folder. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624277254967-B0GG0OYR21PAU5J12X03/image18.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 24. A list with C&C commands that are possible to perform over TCP connection between the controller and the phone. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624277463279-CBS5JND9GAMC5B7Z0Q7D/image14.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 26. A 3-way TCP handshake to establish the connection over TCP/8000 between the phone and the controller. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624282062994-90ALQF8ASGS77YFVPR9L/image13.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 29. The data field of the second packet sent by the phone after receiving the C&C command. The data is base64 encoded. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624282116269-FUABEQ6DCVP00KOH91SR/image19.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 30. Function sendMessage() in the APK code that aims to send the information from the phone to the C&C. The function sends two packets: (i) a packet with the data length of the next packet and (ii) a packet with the actual data. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624282206395-413U0R03ARY2JKM3KEEA/image24.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 31. The data field of the packet with the C&C command ‘read SentSMS’ that aims to retrieve all SMS sent from the infected device. The data is base64 decoded. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624282292759-CLNHAMFH8ZY5776IC4N7/image20.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 32. The data field of the second packet sent from the phone as a reply to the C&C command ‘read sentSMS’. The data has a length of 472 and is base64 encoded. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624282554079-24E9CUSH93L839ER7YF4/image8.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 33. All the connections performed to the 000webhost.com database from the phone. In total, there are 21 connections. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624285057856-FGHOPSJJOCR8SZ9UTX1Q/image1.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 34. All connections from the phone to IRC servers over ports 6667/TCP, 6668/TCP, 6669/TCP, 7000/TCP, and 7020/TCP. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624285105591-XYODXCYH9AS6YXYDVD9G/image25.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out Figure 32. Five connections over TCP established with the C&C. The connections were ended with the flags RSTR and S1. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624287533558-DGE4XJC7LKY9CP4CGRVK/image5.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out KAMILA BABAYEVA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624287615684-8PNH9HPXVVOI9H9HQ2C4/image1.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Saefko RAT. - Make it stand out SEBASTIAN GARCIA https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-command-line-androrat monthly 0.5 2021-10-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620810119726-MCOLE7ZBSQWBK6UFCJDT/image4.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Command-line AndroRAT. - Make it stand out Figure 1. Welcome message in the Command-line AndroRAT interface. The message is shown until the infected phone is connected. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620810153711-7AIBERH1YCTC53F16YL2/image10.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Command-line AndroRAT. Figure 2. The controller IP and port specified during compilation can be seen in the code inside the APK installed in the victim’s device. The phone uses the controller IP 147.32.83.157 and the port 1337 to establish a TCP connection. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620810176943-C13F4D4AP17HCEZ9CN7A/image7.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Command-line AndroRAT. Figure 3. A 3-way TCP handshake between the controller (147.32.83.157) and the phone (147.32.83.245). The connection was initialized by the phone and there is one retransmission packet. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620810224333-EE4FDQCXATKERHJYBNDN/image8.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Command-line AndroRAT. Figure 5. Code from the malicious APK that sends the welcome message to the C&C. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620810288995-YA5ZY485B9H7NLHXFWEU/image6.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Command-line AndroRAT. Figure 8. The command line interface of the C&C with the executed command ‘Device Info’ and the phone’s reply. The characters “[36m” and similar seem to be related to a bug in the assignment of colors to the interface. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620812208989-QLGCYB85TI3ZL8Z4TE2D/image3.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Command-line AndroRAT. Figure 14. Successful 4-way handshake TCP termination between the controller and the targeted phone after the C&C command ‘exit’. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620812228745-5A504VSQPOUVI1642JDC/image11.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Command-line AndroRAT. Figure 15. After the phone received the ‘exit’ C&C command, it still tries to reconnect with the controller. However, the controller already closed the socket after the ‘exit’ C&C command. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620812270867-2UNVPXDKRGML64HQD8JU/image2.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Command-line AndroRAT. Figure 16. TOP connections from Wireshark-Statistics-Conversations sorted by the flow duration. The connection between the victim and C&C is the longest. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620812287519-ZELZGKR5KNCDBPQFDHAV/image9.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Command-line AndroRAT. - Make it stand out FIgure 17. Wireshark displays reconnections to the C&C as the flows of really short duration. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620373303023-DSPFQZ1UVGNN3AZJMYQI/image2.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Command-line AndroRAT. KAMILA BABAYEVA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620391948125-AYK6DBG5DUSKSQ0SLC7E/image5.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the Command-line AndroRAT. SEBASTIAN GARCIA https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-hawkshaw monthly 0.5 2021-10-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620371497334-MDIKDAONDKJQ0ABPPKXB/image5.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the HawkShaw. Figure 1. The victim phone starts by connecting to the IP 216.58.201.106 with the server name firebaseinstallations.googleapis.com that indicates a Firebase installation service (FIS). https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620371557122-9ZHH4B5AQU6XJL1L6C27/image8.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the HawkShaw. Figure 2. The victim connects to the Firebase platform (35.201.97.89) with the HawkShaw RAT service to the server name hawkshaw-cae48.firebaseio.com. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620372901640-F1KYY4RBEJISXL380296/image7.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the HawkShaw. Figure 3. Code from the RAT in the infected device that takes care of connecting to the services api.ipify.org and api6.ipify.org to retrieve the IPv4 and IPv6 IP addresses. This function gets executed after the C&C command sends the command ‘Device Information’. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620372926047-XNC86PA9G19BLUJXMVKY/image6.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the HawkShaw. Figure 4. The C&C interface after the controller sends the command ‘Device Information’ to the victim, that aims to retrieve the details of the victim’s device. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620372965959-PM99YGFAS5ONWZO2FTH9/image4.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the HawkShaw. Figure 5. The victim connects to the IP 216.58.201.74 with the server name firebasestorage.googleapis.com that indicates Firebase Storage. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620651280501-GFPSHY0MS0RNMPMBBMPK/Screenshot+from+2020-07-24+09-53-20.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the HawkShaw. Figure 6. HawkShaw controller interferes Instagram conversation of the victim’s device. The C&C can send and receive messages in the chat. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620651439389-VCM1NLX1SOQO5QSBCL4Q/Screenshot+from+2020-07-24+11-16-52.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the HawkShaw. Figure 7. Keylogger C&C command. The C&C captures all the keys clicked on a compromised device. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620373207608-7CN44Q9R7XPWT4YI1SLX/image1.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the HawkShaw. Figure 8. The duration of the connections between the victims and the HawkShaw online service is short, no more than approx. 13 minutes (785 seconds). https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620373303023-DSPFQZ1UVGNN3AZJMYQI/image2.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the HawkShaw. KAMILA BABAYEVA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620391948125-AYK6DBG5DUSKSQ0SLC7E/image5.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the HawkShaw. SEBASTIAN GARCIA https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth monthly 0.5 2021-10-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620303022102-EZY491BJBLE25NR08ZCN/image12.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. Figure 1. The establishment of the first connection over TCP between the controller and the infected phone with AhMyth RAT. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620302008963-H1ZLRJPF19N6LFLVD2ZV/image9.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. Figure 3. The function IO.sockets.on that receives the HTTP request from the phone. The C&C parses phone parameters to the function addVictim. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620302035368-0FFDD47UIHUMTTEU1J99/image4.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620302124278-OGMKJEFC292U2M7KS6OH/image13.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. Figure 4. Function addVictim of the C&C that receives the parameters of the phone and stores them in the dictionary victimList. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620302197009-HYN63MU7OSI2TDVN5F5S/image10.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. Figure 5. The C&C interface main window of AhMyth. It shows the connected infected victim with the parameters sent in the first HTTP request. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620302981424-U3PSW07454Z2AB6JY1SL/image1.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. Figure 7. Establishment of the second connection from the phone to the C&C after receiving the ‘open’ packet with the handshake data for the WebSocket protocol. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620330779994-7QIE1GYYBAD9OA8RUGYM/image15.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. Figure 11. The probe request sent by the infected phone with unmasked data ‘2probe’. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620330743380-KCYIYMQIZEWSRJXZHFOB/image8.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. Figure 12. The probe request sent by the C&C with data ‘3probe’. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620330839716-NJSACK56E5BX8OE0OGLG/image17.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. Figure 13. The ‘upgrade’ packet sent by the infected phone with unmasked data ‘5’. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620330808192-HFBINI4XF8VRJ40CDC5R/image16.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. Figure 14. The ‘ping’ packet sent by the infected phone with unmasked data ‘2’. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620331231979-6E1KW2MBIOJNVU8B839G/image3.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. Figure 15. The ‘pong’ packet sent by the C&C with data ‘3’. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620331255857-2MZSNR1OY0LWX138O8LZ/image2.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. Figure 16. The exchange of ‘ping’ and ‘pong’ packets between the phone and the C&C with the setup interval of 25 seconds. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620332512387-VR1GBY8A7KDESFO8SSRV/image6.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. Figure 20. Wireshark representation of a phone response on the C&C command ‘Camera List’ that aims to retrieve the list of cameras in the phone. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620332729882-Y56XYJE11FLUI9P4ARYD/image11.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. Figure 22. All the connections between the infected phone and the C&C. The longest connection has a duration of 1808.6655 seconds, which is approximately 30 minutes. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620332765347-FCSL7GEN3TURC95V1YSS/image14.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. Figure 23. Top connections done by the phone sorted by the duration. The connection to Facebook IP address 157.240.30.34 is the longest. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620333920346-DJRVFLVSVDZCM5T3T4PZ/image7.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. KAMILA BABAYEVA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620334068055-6LDW5809YOVTUJASNE0L/image5.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AhMyth. SEBASTIAN GARCIA https://www.stratosphereips.org/blog/2021/3/29/dissecting-a-rat-analysis-of-the-androrat monthly 0.5 2021-10-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617122754691-BKQQW897KUHV7U0403M5/image10.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 1. A 3-way handshake to establish the first connection between the phone and the C&C. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617122132957-HNPWJYCIKZA1T5NXQFEN/image4.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 3. The C&C interface panel displays the parameters of the phone after the infection. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617122233330-SJ4NBA68NW9563V97F7I/image2.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 4. Panel in the C&C interface used to send commands to the phone. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617122601142-6LKT86985KVRC15NOJT3/image15.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 7. The mapping of each C&C commands (in capital letters) into a single character defined by a number. Found by reverse engineering the APK used to infect the victim. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617122909133-X1M396LCSGUIFQP2CIWI/image14.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 8. Java code from the APK for the function dataHeaderGenerator. This function generates the header for the C&C and phone packets. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617123002611-HGP9PJEX1YXVP1U2QVGY/image16.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 9. Java code from the malicious APK for the function parse. This function unwraps the C&C command. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617123155649-AM2B1P0SSGRNO2UIH3VD/image20.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 10. Analysis of the packet structure of the C&C command ‘Advanced Information’ sent to the phone. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617123239327-E6DOJ42XNXDRE5F99TL3/image18.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617123289641-H5PNRTVE92NRDQRQV40Z/image8.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 11. Mapping value of the C&C command ‘GET_ADV_INFORMATIONS’. The value of this command is 121 in decimal which is 00 79 in hexadecimal. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617123741469-3F8088B4Y7WQXY8T92AR/image6.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 12. Analysis of the packet structure of the C&C command ‘Preferences’ sent to the phone. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617123760980-CBD6QKHHGTE63GTZRWK2/image7.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 13. Mapping of the C&C command GET_PREFERENCE from Figure 7. GET_PREFERNCES is 21 in decimal, and 00 15 in hexadecimal. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617123842475-TFXGBWI9S6C0LSJV1FRD/image21.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 14. Summary of the packet structure of the C&C commands. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617123970072-KJ3NY2LH3BPH00RBWOL9/image5.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 15. Java code from the APK for the command ‘send’. This function sends the packet from the phone according to the specific structure. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617124064855-D5HNJUS2QXV9PIIF8QV0/image3.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 16. Packet sent from the phone as an answer to the C&C command ‘get Preferences’. The packet data and its structure is shown. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617124209458-VUSJXBELBGDLX7XTG1FN/image19.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 18. The structure of the packet sent from the phone. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617124246979-OS12J9FJ2GFV33VN498D/image17.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 19. Packet data and structure for the C&C command ‘Toast’ with the argument ‘hello’. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617124379655-XQ8NE7EOGQNTTR5HYBVK/image22.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 20. The mapping of the C&C command ‘Toast’. The value of this command is 109 which is 00 6d in hexadecimal. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617124434413-YMSWO6EFADH04EI3ZZTN/image1.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 21. The packet data and its structure of the C&C command ‘Directory List’. The command aims to get the list of files in the specified directory (in our case directory ‘/’). https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617124457626-MBV66L7LH27LVWNVPSN0/image12.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 22. The phone sends the confirmation about the received command ‘Directory List’. The packet data and its structure is shown. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617124571489-352YEQ1K3EZ7S71THIZ4/image13.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 24. All the connections in the traffic between the phone and the C&C. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617124599324-D9PI4ESBOMMXA0A2YZ7F/image23.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. Figure 25. Top connections from the phone from Wireshark -> Statistics -> Conversations -> TCP. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617125170963-K6TRILX8Q260YXCKSFPJ/image9.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. KAMILA BABAYEVA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1617125357910-J0CPXIV84B56N3DD96N4/image11.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the AndroRAT. SEBASTIAN GARCIA https://www.stratosphereips.org/blog/2021/2/26/dissecting-a-rat-analysis-of-the-spymax monthly 0.5 2021-10-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614349033055-UMU6YCF429TCBY02DVYM/image18.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 1. A 3-way handshake started by the phone to establish TCP connection with the C&C. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614349089822-VG40KCDI9AN236YVW6VK/image15.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 2. Data sent by the phone after establishing the TCP connection with the C&C. It is shown a hex representation to the left and ASCII representation to the right. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614349197429-NK5QWLIOGGUGCG2YZ6XP/image6.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 3. The structure of the first packet sent by the phone. Here it can be seen the data length, gzip magic numbers and delimiters. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614349286283-R9TLFI3C3CIAOTA200A8/image14.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 4. Decompressed data from the first packet sent by the phone. Done using the CyberChef tool. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614349395266-QF64TVLZO34IBKI5L21M/image1.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 6. The C&C sent the command ‘calls’ and an APK to fulfil that request. The AndroidManifest.xml content can be seen in the traffic. The analysis was done in the CyberChef tool. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614349507452-YH07PP60Q54EUEUD2M6E/image19.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 7. The ‘Delete’ function from the source code of the small APK sent to the victim phone in order to execute the command ‘calls’. It is designed to manipulate call logs in the phone. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614349629753-ZNKS4F0CQ4IM99JGMUG9/image7.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 8. The exchange of packets between the C&C and the phone after C&C sends all necessary plugins and APKs. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614349766232-WK3A9W3ZK8QQNAF7SWC2/image17.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 9. The command ‘Info’ as sent from the C&C to the phone. After decompression a structure can be seen. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614353989961-TO9YRGYGCP29ESCTIGCY/Screenshot+from+2021-02-26+11-45-03.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 10. UUID decoder tool decodes the string ‘a2fb4aa7-befb-4072-a025-6a2379e5c705‘ sent from the phone. This string is UUID version 4, i.e. randomly generated. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614350241522-KEOS41IPC5VAOILWUOHQ/image5.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 12 The rendered background image from the phone after the C&C command ‘Info’. The image was rendered using the CyberChef tool. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614350301226-TUDH7MV9TUD7MYPRQ82X/image3.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 13. Phone’s parameters and background image sent to the C&C to display in the C&C interface. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614350347581-K2EYS1LX2ZHU0A9E86V5/image4.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 14. Decompression of the C&C command ‘Files Manager’. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614350447012-L2L2MSUUVWYYFYP9XVTU/image9.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 15. Decompressed data of the packet sent from the phone as a reply to the C&C command ‘Files Manager’. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614350658331-XX6RMI5D2N5B82WPEFP8/image8.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 16. Decompressed C&C command ‘Files Manager - Upload’ in the main connection between the phone and the C&C. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614350714142-TISDT9LXN8TY6PP8F5MD/image10.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 18. The data exchange between the phone and the C&C. The data from the phone is red, the data from the C&C is blue. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614350848216-181DE3Z36YSZIDGA38CP/image12.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 19. The packets sent from the phone and the C&C when doing the heartbeat. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614350888496-P1INWV8P4VLE6IA3524M/image13.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 20. The ICMP messages sent from the phone to the C&C every 45 seconds. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614350937998-1M5TQO68PV211JUU8099/image11.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. Figure 21. Top connections from the phone from Wireshark -> Statistics -> Conversations -> TCP. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614352399991-A5K7F5UZH1BVBAW6MSE4/image2.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. KAMILA BABAYEVA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614352623428-I4MGZ4APVNGW3SFO68MU/image16.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of the SpyMAX. SEBASTIAN GARCIA https://www.stratosphereips.org/blog/2021/1/22/analysis-of-droidjack-v44-rat-network-traffic monthly 0.5 2021-10-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611305950032-V7TQFAEM41Q3BXFEWEG8/image3.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 1. A 3-way handshake started by the phone to establish TCP connection with the C&C controller. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611306002937-EM2FA56Y6LBTS3ROZBLL/image9.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 2. Data sent by the C&C after establishing the first TCP connection with the phone. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611306518534-2S45WYBCVQCM7O2KNOZ5/image18.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 3. Data sent by the phone with initialization parameters. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611306762562-2DMG7D9ECFTXT15UIBT8/Analysis+of+RAT02+pcap.+Droidjack.+-+New+frame.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 4. Bytes sent from the phone to the C&C controller in one packet, including how we found the format. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611306879337-2YSY2NCUV3TIQQU7BT0H/image15.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 6. The heartbeat between the C&C and the phone. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611306922093-UBBU7J3FRJ9FJTJ9H35U/image12.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 7. The command ‘File Voyager’ in DroidJack v4.4 C&C software. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611307049326-2H47OHGY36K4LKCB7CJC/image11.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 8. Command ‘File Voyager’ sent from the C&C after the heartbeat. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611306990605-35XFTJN1A2BO19IFUFWK/image10.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 9. The phone’s reply on the command ‘File Voyager’ sent by the C&C. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611307124786-1M01JG3DEIAOOUQDILQ4/image8.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 10. The phone replies to the command sent by the C&C in port 1337/TCP (shown in Figure 8) with data over another connection on port 1334/TCP. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611307172091-MJ8RSCXDFOGZZB5TZ5VE/image1.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 11. Packet sent from the phone to the controller over 1334/TCP. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611307221312-EET8XY2BDGPYRPEUHHHW/image4.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 12. UDP packets from the phone to the C&C server sent every 20 seconds over port 1337/UDP. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611308340230-2G3ISPQDH3KKOWTDCVSQ/image16.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 13. Example data inside the UDP packets on port 1337/UDP sent from the phone to the controller. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611308419203-71OQ4YPX690T9DYOB129/image13.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 14. Top connections between the phone and the controller from Wireshark -> Statistics -> Conversations -> TCP. It can be noted the long duration of the main connections. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611308467564-L34N8ANZOO8WUIO9OT7O/image2.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 15. Behavioral model of the connection between the phone and C&C over 1334/TCP. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611308500989-AMX3WV4H830X7ITCYS6F/image6.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 16. Alert from slips that it detects a C&C channel over port 1334/TCP using a machine learning LSTM neural network. The LSTM uses the letters shown in Figure 15. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611308530585-BKXFXAQXGFIPXPRLSSVF/image5.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. Figure 17. Behavioral model created by Slips for the connection between phone and C&C over 1337/UDP. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611309537250-XVDQEX8D52IVRM7SONJ4/image14.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. - Kamila Babayeva Kamila Babayeva is a 20 years old and third-year bachelor student in the Computer Science and Electrical Engineering program at the Czech Technical University in Prague. She is a researcher in the Civilsphere project, a project dedicated to protecting civil organizations and individuals from targeted attacks. Her research focuses on helping people and protecting their digital rights by developing free software based on machine learning. Initially, she worked as a junior Malware Reverser. Currently, Kamila leads the development of the Stratosphere Linux Intrusion Prevent System (Slips), which is used to protect the civil society in the Civilsphere lab. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1611309281926-QJ2KRSAJFSUBTE6MVH7F/image7.png Stratosphere IPS Research Blog - Dissecting a RAT. Analysis of DroidJack v4.4 RAT network traffic. - Sebastian Garcia Sebastian Garcia is a malware researcher and security teacher with experience in applied machine learning on network traffic. He founded the Stratosphere Lab, aiming to do impactful security research to help others using machine learning. He believes that free software and machine learning tools can help better protect users from abuse of our digital rights. He researches on machine learning for security, honeypots, malware traffic detection, social networks security detection, distributed scanning (dnmap), keystroke dynamics, fake news, Bluetooth analysis, privacy protection, intruder detection, and microphone detection with SDR (Salamandra). He co-founded the MatesLab hackspace in Argentina and co-founded the Independent Fund for Women in Tech. @eldracote. https://www.researchgate.net/profile/Sebastian_Garcia6 https://www.stratosphereips.org/blog/2021/1/25/active-directory-honeypot-testing monthly 0.5 2021-01-26 https://www.stratosphereips.org/blog/2021/1/4/stratosphere-datasets-update-quickly-browse-and-search monthly 0.5 2021-01-04 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1609755260523-GEVJH7EYVWT3MYA14PE4/stratosphere-datasets-1.jpg Stratosphere IPS Research Blog - Stratosphere Datasets Update: Quickly Browse and Search! https://www.stratosphereips.org/blog/2020/12/14/ngwqj0h060yv40w1afp51fg7wo9ijy-pzlhk monthly 0.5 2021-10-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1608298170360-J4YRGDXHBK7282F1G09M/image11.png Stratosphere IPS Research Blog - Dissecting a RAT. Android Tester Trojan Analysis and Decoding. Figure 1. Initial 3-way handshake from the RAT in the phone to the Command and Control server to establish a TCP connection with the controller. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1608298257142-OND0X1E2CJZ49HEF5TV6/image10.png Stratosphere IPS Research Blog - Dissecting a RAT. Android Tester Trojan Analysis and Decoding. Figure 2. Data sent by the phone in the Command and Control channel after establishing the TCP connection with the controller. At the beginning it may seem that there is no structure, but the first number 2969 may be a good indication of meaning https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1608298425633-R6Y2YG67FKEP8IBUR5BY/image3.png Stratosphere IPS Research Blog - Dissecting a RAT. Android Tester Trojan Analysis and Decoding. Figure 3. Another example of the encoding mechanism used in a packet sent from the controller to the phone together with its format. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1608298473308-PELPX18FUVLDJA5DIXQW/image6.png Stratosphere IPS Research Blog - Dissecting a RAT. Android Tester Trojan Analysis and Decoding. Figure 4. The bytes 1F and 8B represent the magic number header of the Gzip file signature for the DEFLATE protocol. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1608299898986-MG54B0ONQKJOHKHV50LG/image7.png Stratosphere IPS Research Blog - Dissecting a RAT. Android Tester Trojan Analysis and Decoding. Figure 6. Decompression of the data sent from the infected phone to the C&C controller (without the number for data length and delimiter). The packet was decompressed using CyberChef recipe ‘From Hex’ and ‘Gunzip’. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1608300073786-U4I96YAHUW1O32TW3NEC/image9.png Stratosphere IPS Research Blog - Dissecting a RAT. Android Tester Trojan Analysis and Decoding. Figure 7. The screenshot from the controller when the phone connects to it. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1608300138777-KWFVRFKHRTMBB71U7WQ2/image8.png Stratosphere IPS Research Blog - Dissecting a RAT. Android Tester Trojan Analysis and Decoding. Figure 8. Using CyberChef to render images from Base64. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1608300185503-JPGQMDRBF5AKM88447JT/image5.png Stratosphere IPS Research Blog - Dissecting a RAT. Android Tester Trojan Analysis and Decoding. Figure 9. Rendered background image sent from the phone to the controller. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1608300232131-RVOPHXGS7H3QUIVEH7UR/image2.png Stratosphere IPS Research Blog - Dissecting a RAT. Android Tester Trojan Analysis and Decoding. Figure 10. Heartbeat between the controller and the phone. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1608301821539-KAJJ32J8B1QU67IQY3VW/image14.png Stratosphere IPS Research Blog - Dissecting a RAT. Android Tester Trojan Analysis and Decoding. Figure 12. Length of connections between the phone and the controller from Wireshark - Statistics - Conversations. It is clear that some connections are long (+40mins) https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1608302043609-L5CEA3T0JW5HAZMYFFJ4/image-asset.png Stratosphere IPS Research Blog - Dissecting a RAT. Android Tester Trojan Analysis and Decoding. Figure 13. The content of the output folder ‘out’ after executing the extractor on RAT01.pcap of Android Tester v6.4.6 from the Android Mischief Dataset. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1608307785019-3KS9NHUPVLINJVDSRUL9/image13.jpg Stratosphere IPS Research Blog - Dissecting a RAT. Android Tester Trojan Analysis and Decoding. - Kamila Babayeva Kamila Babayeva is a bachelor student in the Computer Science and Electrical Engineering program at the Czech Technical University in Prague. She is a researcher in the Civilsphere project, a project dedicated to protecting civil organizations and individuals from targeted attacks. Her research focuses on helping people and protecting their digital rights by developing free software based on machine learning. Currently, Kamila leads the development of the Stratosphere Linux Intrusion Prevent System (Slips), which is used to protect the civil society in the Civilsphere lab. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1608308207195-2GCVCFRP6S5UZR8I03E8/image9.png Stratosphere IPS Research Blog - Dissecting a RAT. Android Tester Trojan Analysis and Decoding. - Lisandro Ubiedo Lisandro Ubiedo is a malware researcher, programmer and DevOps consultant. He is a collaborator for the Aposemat Project and focuses in reverse engineering and both network and binary malware analysis. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1608302975471-A3AEZRWVOJ4WW01O10RU/image12.png Stratosphere IPS Research Blog - Dissecting a RAT. Android Tester Trojan Analysis and Decoding. - Sebastian Garcia Sebastian Garcia is a malware researcher and security teacher with experience in applied machine learning on network traffic. He founded the Stratosphere Lab, aiming to do impactful security research to help others using machine learning. He believes that free software and machine learning tools can help better protect users from abuse of our digital rights. He researches on machine learning for security, honeypots, malware traffic detection, social networks security detection, distributed scanning (dnmap), keystroke dynamics, fake news, Bluetooth analysis, privacy protection, intruder detection, and microphone detection with SDR (Salamandra). He co-founded the MatesLab hackspace in Argentina and co-founded the Independent Fund for Women in Tech. @eldracote. https://www.researchgate.net/profile/Sebastian_Garcia6 https://www.stratosphereips.org/blog/2020/12/03/deep-dive-into-an-obfuscation-as-a-service-for-android-malware monthly 0.5 2023-04-20 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1606903087322-PQEGK0QK1R8IZ57SELGA/image6.png Stratosphere IPS Research Blog - Deep Dive into an Obfuscation-as-a-Service for Android Malware Figure 1 - Registration Webpage for the Obfuscation Service https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1606913194759-0PI248S21H2W6QA1R0EH/image3.png Stratosphere IPS Research Blog - Deep Dive into an Obfuscation-as-a-Service for Android Malware Figure 2 - Advertisement for the Obfuscation-as-a-Service on HackForums https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1606917972875-M5DIKO92YIGX2PBAJEGX/image-asset.png Stratosphere IPS Research Blog - Deep Dive into an Obfuscation-as-a-Service for Android Malware Table 2 - Automated Analysis Comparing Obfuscated and Non-Obfuscated APK files https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1606918243952-93LG33RGHLTKYG6597DC/figure3.png Stratosphere IPS Research Blog - Deep Dive into an Obfuscation-as-a-Service for Android Malware Figure 3 - Amount of APK applications sent to VirusTotal and probably created with the same Obfuscation Service https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1606924761552-V56VTT7PALES4UZZ030D/new-figure4.png Stratosphere IPS Research Blog - Deep Dive into an Obfuscation-as-a-Service for Android Malware Figure 4 - Extract of the strings.xml file from one of the Obfuscated Applications https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1606921382937-QJOCYOGZW0YN8IO5KEEI/figure6.png Stratosphere IPS Research Blog - Deep Dive into an Obfuscation-as-a-Service for Android Malware Figure 6 - Detection Variation by Groups https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1606921468649-U5AKNA6F0BVU1173AKFP/image-asset.png Stratosphere IPS Research Blog - Deep Dive into an Obfuscation-as-a-Service for Android Malware Figure 7 - Prices for using the Obfuscation-as-a-Service https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1606935410610-BIKEH9NZ8M709IIPOGUG/masarah.jpg Stratosphere IPS Research Blog - Deep Dive into an Obfuscation-as-a-Service for Android Malware https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1606935019298-40WARRYKZKAXK9X6Y3V1/vit-small2.jpg Stratosphere IPS Research Blog - Deep Dive into an Obfuscation-as-a-Service for Android Malware https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1606935257725-E20X4YNFPTR9859E7VC8/mariajose.jpg Stratosphere IPS Research Blog - Deep Dive into an Obfuscation-as-a-Service for Android Malware https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1606934860479-EV2955LWUD3APBI0PSF5/sebas.jpg Stratosphere IPS Research Blog - Deep Dive into an Obfuscation-as-a-Service for Android Malware https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset monthly 0.5 2025-04-25 https://www.stratosphereips.org/blog/2020/11/14/installing-and-running-slips-in-docker monthly 0.5 2022-05-04 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1605392651996-1QSU6W8GP0GC1RFIPARN/docker-images.png Stratosphere IPS Research Blog - Installing and Running Slips in Docker https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1605393804616-YKLAEIO8NAGNO5KK47IH/slips-test-run-hide-and-seek.png Stratosphere IPS Research Blog - Installing and Running Slips in Docker Slips test run: ./slips.py -c slips.conf -r datasets/hide-and-seek-short.pcap https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1605393932318-CGHD8QFXYTXIU33H1YI6/slips-in-action-1 Stratosphere IPS Research Blog - Installing and Running Slips in Docker Slips in action: ./slips.py -c slips.conf -r /opt/datasets/2016-12-12-EITest-Rig-V-sends-CryptoMix-ransomware.pcap https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1605394126401-7AZIQY6AKDBNTZ8VH77E/slips-graphical-gui-kalipso Stratosphere IPS Research Blog - Installing and Running Slips in Docker https://www.stratosphereips.org/blog/2020/11/04/white-paper-current-state-of-ipv6-security-in-iot monthly 0.5 2020-11-04 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1604499999197-2E5WMJNTGR6H8YP19ILI/White+Paper+Current+State+of+IPv6+Security+in+IoT.png Stratosphere IPS Research Blog - White Paper: Current State of IPv6 Security in IoT - Click to Download White Paper: Current State of IPv6 Security in IoT https://www.stratosphereips.org/blog/2020/10/22/a-visual-display-of-etcpasswd-andetcshadow monthly 0.5 2020-10-22 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1603347414982-SZ68WZFHL6N9LG7S5HMF/BSY+Security+Class+Diagrams+-+_etc_passwd+%28L%29.jpg Stratosphere IPS Research Blog - A visual display of /etc/passwd and/etc/shadow https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1603347459833-GSR76P31T020NK97YV4B/BSY+Security+Class+Diagrams+-+_etc_shadow+%28L%29.jpg Stratosphere IPS Research Blog - A visual display of /etc/passwd and/etc/shadow https://www.stratosphereips.org/blog/2020/10/16/data-exfiltration-via-ipv6 monthly 0.5 2020-10-16 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1597698270760-W1NDA9L0MJE0UPCHHB44/image3.png Stratosphere IPS Research Blog - Data Exfiltration via IPv6 Figure 1. OSI Model and description of its layers. Layers 3 and 4 are highlighted in light orange and yellow respectively (Source: Wikipedia) https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1597698330786-7MBF95GUG04SNGOT9071/image2.png Stratosphere IPS Research Blog - Data Exfiltration via IPv6 Figure 2. IPv6 packet header structure with Flow Label field (marked red). (Source: Wikipedia) https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1597699168075-XJ3S09W0QH9ETLUIZQKV/image4_80.jpg Stratosphere IPS Research Blog - Data Exfiltration via IPv6 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1597698506911-4ZI5TB9YWILULZEQVNSM/image1.jpg Stratosphere IPS Research Blog - Data Exfiltration via IPv6 Figure 3. Packets with encrypted data in the sequence field are received and decrypted. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1602874728339-0277NIF4FJZTI4JDPDAW/avast-logo.jpg Stratosphere IPS Research Blog - Data Exfiltration via IPv6 https://www.stratosphereips.org/blog/2020/10/10/installing-t-pot-honeypot-framework-in-the-cloud monthly 0.5 2020-10-18 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1602340936936-NWWQSLJI5XZ4D4DNJD8C/Screenshot+2020-10-10+at+16.33.02.png Stratosphere IPS Research Blog - Installing T-Pot Honeypot Framework in the Cloud https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1602341473118-HS9Y30GFLQTQZGZ9N352/create-dropplet-0.png Stratosphere IPS Research Blog - Installing T-Pot Honeypot Framework in the Cloud Step 1: Select the option to create a new droplet or cloud server https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1602340198007-K2OJDRHCART5I77QI5CQ/create-dropplet-1.png Stratosphere IPS Research Blog - Installing T-Pot Honeypot Framework in the Cloud Step 2: Select Debian 10 x64 (or the latest) as your base image. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1602340224115-G97AR4GHNQA5OAGVN9OJ/create-dropplet-2.png Stratosphere IPS Research Blog - Installing T-Pot Honeypot Framework in the Cloud Step 3: Select the plan and specs of the new server. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1602340280485-XOVFFYE81E8I7XORHA5G/create-dropplet-3.png Stratosphere IPS Research Blog - Installing T-Pot Honeypot Framework in the Cloud Step 4: Select the country where the server will be located. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1602340430689-CQTEGI9B0R2SSKA6LRFS/create-dropplet-4.png Stratosphere IPS Research Blog - Installing T-Pot Honeypot Framework in the Cloud Step 4: Select the authentication method: SSH Key or Password. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1602340471588-OKGYGXCAHW75N0X6UN7G/create-dropplet-5.png Stratosphere IPS Research Blog - Installing T-Pot Honeypot Framework in the Cloud Step 5: Select how many cloud servers to create and the hostname(s). https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1602340493815-RM3KJUTT22ML33YLCKTT/create-dropplet-6.png Stratosphere IPS Research Blog - Installing T-Pot Honeypot Framework in the Cloud Step 6: All ready, create droplet. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1602342298902-4N0LVJ34V2S8LRSL4HSZ/create-dropplet-7.png Stratosphere IPS Research Blog - Installing T-Pot Honeypot Framework in the Cloud Step 7: Your droplet is ready to install T-Pot. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1602344346824-4NPN8G1PB4OXXWG2CP3Z/image-asset.png Stratosphere IPS Research Blog - Installing T-Pot Honeypot Framework in the Cloud https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1602344555510-9GW6PK6Z9T1GP3VHGB6H/Screenshot+2020-10-10+at+17.41.46.png Stratosphere IPS Research Blog - Installing T-Pot Honeypot Framework in the Cloud https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1602345133077-QRXFUJ27QTWT6UN1BJGX/Screenshot+2020-10-10+at+17.51.42.png Stratosphere IPS Research Blog - Installing T-Pot Honeypot Framework in the Cloud https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1602345153795-L2QFMH7EEAB1ZLHG3RX9/image-asset.png Stratosphere IPS Research Blog - Installing T-Pot Honeypot Framework in the Cloud https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1602345954768-S22MPG6HMLPVYFFCLH00/Screenshot_2020-10-10+Honeytrap+-+Elastic.png Stratosphere IPS Research Blog - Installing T-Pot Honeypot Framework in the Cloud https://www.stratosphereips.org/blog/2020/10/5/what-is-post-modern-computational-propaganda monthly 0.5 2020-10-09 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601909148285-I0L83YUA7743QHR6STC1/computational-propaganda-blog.jpg Stratosphere IPS Research Blog - What is Post-Modern Computational Propaganda? https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601913751880-0U6FPCO9PVE84RD4EERN/avast-logo.jpg Stratosphere IPS Research Blog - What is Post-Modern Computational Propaganda? https://www.stratosphereips.org/blog/2020/10/2/stratosphere-yara-rules-repository monthly 0.5 2020-10-02 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601561150195-M2FNI72J51OY1IM3V491/Screen+Shot+2020-10-01+at+08.05.16.png Stratosphere IPS Research Blog - Stratosphere YARA Rules Repository https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601624268462-0B8QGG4VLYAFQ99HEM62/Screenshot+2020-10-02+at+09.37.28.png Stratosphere IPS Research Blog - Stratosphere YARA Rules Repository https://www.stratosphereips.org/blog/2020/10/2/cve-search-tool monthly 0.5 2021-05-05 https://www.stratosphereips.org/blog/2020/9/29/active-scanning-for-sap-applications monthly 0.5 2020-10-02 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601378601728-FEBZ7YHYHAX0RIQ0IKBB/image1.png Stratosphere IPS Research Blog - Active Scanning for SAP Applications Image 1 - Distribution of hourly number of connections in June https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601378675962-Q8MNBE0CAKVSLIVYA0VB/image2.png Stratosphere IPS Research Blog - Active Scanning for SAP Applications Image 2 - Distribution of hourly number of connections in July https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601381509095-48UVJ9VYWC1C7T89CD5K/image3_2.png Stratosphere IPS Research Blog - Active Scanning for SAP Applications Image 3 - Distribution of hourly number of connections in August https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601381242774-X4G5EA16G75BZIHWL4VR/Evolution+of+TCP+scannings+on+port+50000.png Stratosphere IPS Research Blog - Active Scanning for SAP Applications Image 4 - Evolution of number of TCP connections on TCP port 50000 from June to August. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601381018337-D912GRASUBB7KN5RIAR7/_ECH6564_reduced.jpg Stratosphere IPS Research Blog - Active Scanning for SAP Applications - Juan Pablo Perez Etchegoyen As CTO, JP leads the innovation team that keeps Onapsis on the cutting edge of the Business-Critical Application Security market, addressing some of the most complex problems that organizations are currently facing while managing and securing their ERP landscapes. JP helps manage the development of new products as well as support the ERP cybersecurity research efforts that have garnered critical acclaim for the Onapsis Research Labs. JP is regularly invited to speak and host trainings at global industry conferences, including Black Hat, HackInTheBox, AppSec, Troopers, Oracle OpenWorld and SAP TechEd, and is a founding member of the Cloud Security Alliance (CSA) Cloud ERP Working Group. Over his professional career, JP has led many Information Security consultancy projects for some of the world's biggest companies around the globe in the fields of penetration and web application testing, vulnerability research, cybersecurity infosec auditing/standards, vulnerability research and more. https://www.stratosphereips.org/blog/2020/7/31/the-new-and-improved-attacker-ip-prioritizer monthly 0.5 2020-10-02 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1596199761014-VYIBFZWUZWXZI3LL9RZI/aposemat1.jpg Stratosphere IPS Research Blog - The New and Improved Attacker IP Prioritizer https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1596200277251-V3Z19TH57TG9CO5IE8CY/logo-avast.png Stratosphere IPS Research Blog - The New and Improved Attacker IP Prioritizer https://www.stratosphereips.org/blog/2020/8/12/machine-learning-leaks-and-where-to-find-them monthly 0.5 2020-08-12 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1597225720335-YIJB3HTM30H2ZRI1DG41/password-2271736_1280.jpg Stratosphere IPS Research Blog - Machine Learning Leaks and Where to Find Them https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1597224549001-STSBX99BFKLRIWP8RR1E/actor_assets.png Stratosphere IPS Research Blog - Machine Learning Leaks and Where to Find Them Figure 1. Threat model for privacy leak attacks in machine learning models. Actors, assets and actions. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1597224716822-IPY0K0YLP9O3B784PBE6/heatmap3.png Stratosphere IPS Research Blog - Machine Learning Leaks and Where to Find Them Figure 2. Amount of papers focusing on each type of attacks and learning tasks. The most attacked task is classification. https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly monthly 0.5 2020-06-08 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1591560195244-Q75OZ1QD7ULXEN3VWM15/image.png Stratosphere IPS Research Blog - Dark Nexus: the old, the new and the ugly https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1591560322375-IAVXHTR8HPNBFKI1KA9D/image.png Stratosphere IPS Research Blog - Dark Nexus: the old, the new and the ugly Figure 1. Hardcoded C&C list populated to later be used by the bot. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1591560455106-KJ5NC8OJBBCYS2TSZSPN/image.png Stratosphere IPS Research Blog - Dark Nexus: the old, the new and the ugly Figure 2. Hardcoded domain name and IP address in init_syn_bruter function. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1591560488665-E77NXKDWW4ECJN7NGAF0/image.png Stratosphere IPS Research Blog - Dark Nexus: the old, the new and the ugly Figure 3. The malware spreads on multiple architectures to have a wider range of infection. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1591560686821-9R8M3JX6WJUTJUU20M6C/image.png Stratosphere IPS Research Blog - Dark Nexus: the old, the new and the ugly Figure 4. IP and port reported by the bot that infected and ran the malware sample. This will later be used as a replacement for it’s C&Cs if needed. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1591560644214-L64UOA6I43E52N6OFPNA/image.png Stratosphere IPS Research Blog - Dark Nexus: the old, the new and the ugly Figure 5. User-Agent used by the malware is: hoho_fastflux/v5. The string “hoho” is commonly used throughout this malware. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1591560807139-73HJ7I3ZLIW1KZOMWXMH/image.png Stratosphere IPS Research Blog - Dark Nexus: the old, the new and the ugly Figure 6. Function (and process) killer is initialized along with the structure in charge of keeping track of the processes being analyzed. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1591560846017-WDPMFMSFQZCV8ZJHERH3/image.png Stratosphere IPS Research Blog - Dark Nexus: the old, the new and the ugly Figure 7. Bot recursively checks all the processes’ weight and calls kill() to terminate whoever it finds threatening for its functioning. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1591561041284-P7J2OZF13FZCM2CR4NOF/image.png Stratosphere IPS Research Blog - Dark Nexus: the old, the new and the ugly Figure 8. Methods used by the bot to impede the system from being restored. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1591561085455-NF4PZIF1F5USKJ4JB5LQ/image.png Stratosphere IPS Research Blog - Dark Nexus: the old, the new and the ugly Figure 9. The bot removes all permissions on specific executables so no restoration of the device is possible. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1591561263097-Y00E7GPB8PFXBET1WUUD/image.png Stratosphere IPS Research Blog - Dark Nexus: the old, the new and the ugly Figure 10. Main part of the lockdown process. This ensures no intruder or legitimate process is started as it gets killed if is not present in the lockdown PID list. https://www.stratosphereips.org/blog/2020/5/5/cybersec-and-ai-connected-workshops monthly 0.5 2020-05-06 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1588755592171-XBYO8T6IGJFALW32MZLL/AIC-logo-transparent.png Stratosphere IPS Research Blog - CYBERSEC & AI Connected Workshops: Call for Presentations https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1588683460416-DTNGP64FG89BKXP0SMHF/image-asset.jpeg Stratosphere IPS Research Blog - CYBERSEC & AI Connected Workshops: Call for Presentations https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1588683356746-HB0P2TWQ8SY79WEONIQJ/avast_logo_small.png Stratosphere IPS Research Blog - CYBERSEC & AI Connected Workshops: Call for Presentations https://www.stratosphereips.org/blog/2020/4/29/rhombus-a-new-iot-malware monthly 0.5 2020-05-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1588121407241-VBGFWKVX1VO0AQG0QKWC/image.png Stratosphere IPS Research Blog - RHOMBUS: a new IoT Malware Figure 1. Twitter post of MalwareMustDie findings, sharing samples and command-and control information. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1588121725363-WWO4NB1PAQUBPKJCHHXW/image.png Stratosphere IPS Research Blog - RHOMBUS: a new IoT Malware Figure 2. String obfuscation function flow graph. The bold green arrows indicate that a character by character obfuscation is being performed. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1588121885464-2SQM61GOTH3DPDU3VIFO/image.png Stratosphere IPS Research Blog - RHOMBUS: a new IoT Malware Figure 3. Upper array is the mutated characters list. Lower array is the original one. Both used to transform the original string to obfuscate it. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1588123115210-0EK43XWVHN1AJFYH72F1/image_small.png Stratosphere IPS Research Blog - RHOMBUS: a new IoT Malware Figure 4. Malware creates a temporary file with the stage #2. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1588122104893-DYQ8FYDHL7TU0TPIAKBM/image.png Stratosphere IPS Research Blog - RHOMBUS: a new IoT Malware Figure 5. Execution flow of stage #2 execution and temporary file deletion. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1588122336938-S93QTGH0SRG53ILYGM0R/image.png Stratosphere IPS Research Blog - RHOMBUS: a new IoT Malware Figure 6. Malware attempts verify open Telnet ports on randomly generated IP addresses across the Internet. Gray rows are SYN packets and black are TCP out-of-order or retransmission SYN packets. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1588123420296-UHOBSN1KHZQYE8PR4NH4/image_small.png Stratosphere IPS Research Blog - RHOMBUS: a new IoT Malware Figure 7. Reporting or C&C server hardcoded into the stage #2 binary. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1588123464912-CH23D8BPBFPDETGWJX1M/image_small.png Stratosphere IPS Research Blog - RHOMBUS: a new IoT Malware Figure 8. Updating procedure. A different port but same C&C IP address is used during this process. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589215795973-1D68MWK4U267BY2TFQM4/logo-avast.png Stratosphere IPS Research Blog - RHOMBUS: a new IoT Malware https://www.stratosphereips.org/blog/2020/4/26/timeline-of-iot-malware-version-1 monthly 0.5 2020-04-26 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587919801121-157XE382HCBK0DWN4WP4/Stratosphere-TimelineIoTMalware-V1.jpg Stratosphere IPS Research Blog - Timeline of IoT Malware - Version 1 First timeline of IoT Malware by first time seen. Data obtained by correlation of information found using OSINT techniques . https://www.stratosphereips.org/blog/2020/3/30/upcoming-april-13th-update-for-aposemat-aip-blacklists monthly 0.5 2020-04-16 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1585585041205-2LH095R307GF8BWAINZQ/aposemat1.jpg Stratosphere IPS Research Blog - Upcoming April 13th Update for Aposemat AIP Blacklists https://www.stratosphereips.org/blog/2020/3/19/iot-23-in-depth-ctu-iot-malware-capture-1-1 monthly 0.5 2020-05-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584581750641-2H9QVL9AEGID136F6QQ6/image2.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 Figure 1. Obfuscated data found in the binary and later decrypted when it’s going to be used. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584581869648-AZFB8JDELGPJTOA407U2/image2.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 Figure 2. Function that obfuscates and deobfuscates the strings during execution used by the Hide-and-seek malware. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584581942635-550CNI7ZRG1FJRI7OK3B/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 Figure 3. Data from Figure 1 deobfuscated by imitating the obfuscation function. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584582188785-SR0Y6A1PV0SBPZOW0L6S/image2.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 Figure 4. Malware checks for other malware variants running in the infected device. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584582326740-CL3NKQEZFT7A1C9OILD1/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 Figure 5. Measures taken after execution by the malware in order to run uninterrupted. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584582419223-ITABAA0H8YPP7E4HSDN3/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584582453860-GPL978PNYXHPZASHHNKC/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584582494945-O9201PG90D32GSIZ2XF3/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 Figure 6. Malware executes the command iptables to add an acceptance rule for its listening UDP port. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584582591283-RL5VN919WEBWINKAH2H7/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 Figure 7. Core procedures taken from the main function after the UDP socket is created. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584582710909-FFDIFX0WQE6MTSUOKTCT/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584582794480-IOJF81LX0EFLH38A4F14/image2.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 Figure 8. Similarities between the killer function in the original Mirai source code and Hide N’ Seek’s decompiled function. Also, functions like util_strcpy and util_strlen were also copied. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584582931271-35R1SVKYET344KVNIXI0/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 Figure 9. If any data is received from the UDP socket initialized for the custom P2P communication it will be processed. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584583065180-AX94ZUE53FEI7QWRRKDF/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 Figure 10. First packet of the capture is a peer search from the malware to reach another possibly infected device. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584583170432-41PZ2IJWVA8IUF5W3S7F/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 Figure 11. Ports in their hexadecimal and decimal form are hardcoded in the binary, part of the scanning function. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584583257120-D9J12X8ZQVL5OPASY6J1/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 Figure 12. While scanning the internet for vulnerable devices using the HTTP protocol the malware will process the response and search for strings to make sure it is vulnerable before attacking. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589215692805-S6M8YMS25M6HRXF5EVL5/logo-avast.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1 https://www.stratosphereips.org/blog/2020/3/16/cyber-cidersecuritycon-conference-wrap-up monthly 0.5 2020-03-16 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584269771946-AWCH5G43MITMZ5EBJLI0/image-asset.png Stratosphere IPS Research Blog - [Cyber] CiderSecurityCon Conference Wrap Up Veronica presenting about Machete APT malware and how it operated since 2010. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584285317433-JNUUQBX582Y8Q6CEW7IX/Screenshot+2020-03-15+at+16.14.16.png Stratosphere IPS Research Blog - [Cyber] CiderSecurityCon Conference Wrap Up Stefan showing a physical security bypassing technique. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1584288364357-B08A4LZ14XP1LKRY2QQV/image-asset.png Stratosphere IPS Research Blog - [Cyber] CiderSecurityCon Conference Wrap Up https://www.stratosphereips.org/blog/2020/3/9/iot-23-in-depth-ctu-iot-malware-capture-60-1 monthly 0.5 2020-05-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1583503509554-D4AB1DX6OPWVVCOPYZ9Q/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-60-1 Figure 1. Information about the device is collected and sent to the C&C. This information is collected, mostly, using shell commands. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1583503600614-3EJIR0CBG2NJY5B5HQKS/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-60-1 Figure 2. The UPDATE command downloads a new shell script to update the malware binary. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1583503728165-VT79N5YJNODQK2F545CQ/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-60-1 Figure 3. Once connected to a telnet service it will execute a shell script to drop new malware. IP 51.254.145.97 is now defunct and not working. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1583503918262-057Y957WEP10LFUZRJY1/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-60-1 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1583503990974-P8XZVYNAVLRFM7JPBCJC/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-60-1 Figure 4. Maintenance functions are run by the malware to ensure its existence in the device. First it will set DNSs to ensure proper hostname resolution and then clean its presence and environment. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1583522090223-7QLQ62RLYJ8XK62SU99S/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-60-1 Figure 5. Unknown commands are sent to the malware by the C&C. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1583522169435-4WNSP6O72Z3C9P4EPCCP/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-60-1 Figure 6. Active communication between the C&C and the malware. It starts executing attacks against different IPs using different network protocols. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1583523116415-RUL9ABM45I8XDWJSZGCL/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-60-1 Figure 7. UDP packets send in one of the STD flooding attacks. Length is always the same but data changes randomly. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589215611129-702PJRWB6Z6ZMORZ9PFZ/logo-avast.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-60-1 https://www.stratosphereips.org/blog/2020/3/6/swiss-cyber-security-days-conference-wrap-up monthly 0.5 2020-03-12 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1583503028400-1N6802OI8Z76VPBQ89XC/84697729_759987634407443_4417169393427939328_o.jpg Stratosphere IPS Research Blog - Swiss Cyber Security Days: Conference Wrap-Up María José Erquiaga presenting “The Truth is out there: Hunting malware from an IoT laboratory” https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1583845404322-67FRRFX2ZD4JYG63BACS/84681659_760128507726689_3407875439195062272_o.jpg Stratosphere IPS Research Blog - Swiss Cyber Security Days: Conference Wrap-Up Yamila Levalle presenting “Bypassing biometric security controls with 3D printing” https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1583845856365-TU7YTAVIIWQZBLTBCELJ/84750710_760128644393342_2850658932106461184_o.jpg Stratosphere IPS Research Blog - Swiss Cyber Security Days: Conference Wrap-Up Salvador Mendoza talking about Payment Systems https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1583845997405-EV19LAMFU4X5WUC4UZC7/86462543_759988031074070_7623974293688287232_o.jpg Stratosphere IPS Research Blog - Swiss Cyber Security Days: Conference Wrap-Up Nahuel Grisolia presenting “A journey to the problems on federated authentication and secrets sharing” https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1583846438178-9DMV5I4X5M78F1SGDQOO/85192134_760665754339631_6518685745920606208_o.jpg Stratosphere IPS Research Blog - Swiss Cyber Security Days: Conference Wrap-Up The Wizz presenting the BOTing side of life https://www.stratosphereips.org/blog/2020/2/24/iot-23-in-depth-ctu-iot-malware-capture-8-1 monthly 0.5 2020-05-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1582606406916-JGIZRLGRVO4KNAZX8TGL/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-8-1 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1582606567030-H3N1HLDJKOD25F7M5D7O/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-8-1 Figure 1. Check which SSH server name to use and impersonate the process using prct(). The creator could use Python’s presence on the device to identify which OS is being used. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1582606957939-BX54W952XVTON9MGGPE0/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-8-1 Figure 2. After imitating the toggle_obj() function the C&C server information can be decrypted. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1582607423299-CL60P1GZZR6WPGXMNEOR/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-8-1 Figure 3. Usernames and passwords used during the telnet scanning and brute force process. These were deobfuscated using the process previously detailed. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1582608399287-QSSOMNBRG81G0JZHED4P/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-8-1 Figure 4. Command and Control port and IP address, both hardcoded into the binary. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1582608687439-HAO26BGXQPHBEHKR2CU5/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-8-1 Figure 5. If command “SC” is toggled ON it will call the functions exploit_worker() and scanner_init(). This will start the exploitation and brute force process. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1582609001057-OSHCTLJIK11NW4V5FKQJ/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-8-1 Figure 6. For each exploit an IP address is generated and the exploit is sent to that address. This way the malware will keep infecting vulnerable devices. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1582608967058-HEV3S5V1DL10IEBH6DRK/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-8-1 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1582641329763-1AZC0Q09OP7NV8UXZVHV/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-8-1 Figure 7. Overall, 12334 packets were sent by the malware to the C&C. Half of those were sent to a different, and probably wrong, IP address. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589215526598-URF87F4SYSZ7OSY7JD9W/logo-avast.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-8-1 https://www.stratosphereips.org/blog/2020/2/14/iot-23-in-depth-ctu-iot-malware-capture-3-1 monthly 0.5 2020-05-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581700747626-IQORSUJBK59H1X5VIUZB/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-3-1 Figure 1. This Muhstik sample has embedded a phrase taken from the anime Bakemonogatari. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581700996400-MBQLQ5Q4F6588BJ1VFL0/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-3-1 Figure 2. UPX magic number being restored using radare2. Any hex editor is suitable for this type of edition. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581701186867-OUDMOT61T3ODDOATGH79/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-3-1 Figure 3. After fixing the Muhstik binary the upx tool is able to parse the binary and the unpacking is possible. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581701296287-SSRP1Z3T7TFTABD1V5DP/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-3-1 Figure 4. IRC commands available in this Muhstik bot to be executed by the botmaster. This is the available command list sent to the botmaster via the HELP command. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581701358261-P0D13VXRBINPQDAMZAJP/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-3-1 Figure 5. The Muhstik malware creates crontab entries to persist in the device. In this case, the malware will be executed every 5 minutes. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581701999347-HPFSYBII9M52QXW5DG3O/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-3-1 Figure 6. Files read by the malware while constructing the NICK. This unique nickname is used by the C&C to identify unique instances. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581702079634-G2H0XJ53ORPJGLOT8Q27/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-3-1 Figure 7. List of default usernames and passwords to be used by the SSH brute force attack. Some of these range from default cloud passwords to common passwords used by end users. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581702330602-XFJ69GPG60H19JVK2S04/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-3-1 Figure 8. Code executed after a successful SSH connection to another instance. This is executed using the HTTP URL and TFTP host provided to the IRC command by the C&C admin. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581702685447-0SFXRA441TVO2VON8YHW/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-3-1 Figure 9. Conversation statistics between the infected device and the C&C servers. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581704198918-7J96LESGBPRAMRWSE7V3/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-3-1 Figure 10. Steps taken by then bot and command sent from the C&C. All IRC sessions have this same structure. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581704899346-0917EFC3TUU3XEHO3KIB/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-3-1 Figure 11. The IRC C&C server was full and the bot wasn’t able to connect. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589215439134-TU17EMPENG1VLVXGODSQ/logo-avast.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-3-1 https://www.stratosphereips.org/blog/2020/02/13/zeek-new-irc-feature-extractor-package monthly 0.5 2020-02-22 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580916327621-G47WKMQLEXUWIZG7TGS2/zkg-logo.png Stratosphere IPS Research Blog - Zeek: New IRC Feature Extractor Package . https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580913974416-CVWF8YRT70EV4KSYKOBG/irc_connection.png Stratosphere IPS Research Blog - Zeek: New IRC Feature Extractor Package Figure 1. Example of IRC connection that is defined by source IP address 192.168.0.1, destination IP address 192.168.0.2, and destination port 440. Source port is neglected, and therefore one IRC connection can have multiple source ports. The IP addresses and ports were randomly chosen for demonstration purposes https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581601805352-SVJHCMRTO6QRX056NUO4/periodicity_sketch.png Stratosphere IPS Research Blog - Zeek: New IRC Feature Extractor Package Figure 2. Illustration of how message periodicity is computed. The time differences between messages and FFT output numbers are chosen randomly for demonstration purposes. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580915492749-O7VLXT2RZ0NL2Q240SSG/formula_entropy.gif Stratosphere IPS Research Blog - Zeek: New IRC Feature Extractor Package https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580916548567-GJ62RSG3HDBHZD0BSDKE/irc-rgx.png Stratosphere IPS Research Blog - Zeek: New IRC Feature Extractor Package https://www.stratosphereips.org/blog/2020/2/3/iot-23-in-depth-ctu-iot-malware-capture-9-1 monthly 0.5 2020-05-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580756437183-FDBL0U7HP3Z9BYURPNDB/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1 Figure 1. Strings coming from DHT’s source code and torrent port. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580756822410-N6JU20XAT52NQ54J9VRF/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1 Figure 2. NTP host and port to be used by the malware. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580756935968-RES6T55D7TQ1P0YV6YQD/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1 Figure 3. Request code 0x80045704 is issued via ioctl() to disable the kernel watchdog. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580756995386-4AROIF9J3K65Z4PFKNO5/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1 Figure 4. Ports hardcoded in the binary and used in firewall rules to block incoming connections. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580757045299-L6MFDSE8P61D6RBAG1U5/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1 Figure 5. Ports being blocked via iptables and actions taken by the malware to protect the device from further or previous exploitation. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580757393412-7RYGV5L7HFJFDA3SZAB2/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1 Figure 6. Malware will figure as telnetd when reading the process list. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580757905703-6WVKAZ3XAX4G8N7RF9DJ/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1 Figure 7. Node response to malware DHT ping query. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580758085752-DJCQG1N5I3G4UMXVE619/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1 Figure 8. Node list result of the infohash search by malware. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580758229083-SX5YQL7QE6PA6RMTKCB1/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1 Figure 9. announce_peer query specifying the torrent’s info_hash and port to be used during the download. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580758435668-O8OMO5NTSK39XZP3YRAE/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1 Figure 10. Overall network statistics of the complete traffic capture of Scenario 18. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580758560410-4QKCU79HIAYC64SZG2MJ/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1 Figure 11. The attack to port 81/TCP starts right after the last uTP packet is delivered. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580758700753-5300V65CW6W0653QTOTS/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1 Figure 12. MikroTik device compromised by the executed malware over Telnet. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580759208995-1N6V26PPQ3ZPSRXH4GPF/image.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1 Figure 13. The image shows the device being attacked mid-infection. Multiple IPs bruteforcing credentials via Telnet while the malware was logged into the device. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589215312076-51KQDQG6BXDJVLOZ05LH/logo-avast.png Stratosphere IPS Research Blog - IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1 https://www.stratosphereips.org/blog/2020/1/31/writing-a-slips-module monthly 0.5 2022-05-04 https://www.stratosphereips.org/blog/2020/1/22/aposemat-iot-23-a-labeled-dataset-with-malicious-and-benign-iot-network-traffic monthly 0.5 2021-05-05 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579696005489-PB1NCQ6SCC4ZPYMCLFLR/IOT23.jpg Stratosphere IPS Research Blog - Aposemat IoT-23: A Labeled Dataset With Malicious And Benign IoT Network Traffic https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579693825961-KO6ZIU3F6697PCFIMNER/IMG_3452.jpg Stratosphere IPS Research Blog - Aposemat IoT-23: A Labeled Dataset With Malicious And Benign IoT Network Traffic Image 1 - Early set up where the malware executions took place. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579633202246-ID0HXDJ7FKABJNCJ7XBK/image-asset.png Stratosphere IPS Research Blog - Aposemat IoT-23: A Labeled Dataset With Malicious And Benign IoT Network Traffic Image 2: Amazon Echo device https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579633291027-IJGWXH9DN5FOGTMXN2Y6/image-asset.png Stratosphere IPS Research Blog - Aposemat IoT-23: A Labeled Dataset With Malicious And Benign IoT Network Traffic Image 3: Somfy Smart Door Lock device. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579633249512-MFFVV85HUF28EE6SNJQI/image-asset.png Stratosphere IPS Research Blog - Aposemat IoT-23: A Labeled Dataset With Malicious And Benign IoT Network Traffic Image 4: Philips Hue device. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579642900562-L9I4GVSXSZFF2GMIN8A9/18-40-55-image-asset.png Stratosphere IPS Research Blog - Aposemat IoT-23: A Labeled Dataset With Malicious And Benign IoT Network Traffic Table 1: Summary of the Malicious IoT Scenarios https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579643032781-W3KBEEA7XQM9R3KXY1B3/18-43-16-image-asset.png Stratosphere IPS Research Blog - Aposemat IoT-23: A Labeled Dataset With Malicious And Benign IoT Network Traffic Table 2: Breakdown of Application Layer Protocols as detected by Zeek on the Malicious Scenarios https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579643142546-2X45BTHBF6DLNRVTI24F/Screenshot_20200121_174227.jpg Stratosphere IPS Research Blog - Aposemat IoT-23: A Labeled Dataset With Malicious And Benign IoT Network Traffic Table 3: Summary of the Benign scenarios. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579643198498-FG0QSHQ5QQR0JIIWA71E/Screenshot_20200121_174544.jpg Stratosphere IPS Research Blog - Aposemat IoT-23: A Labeled Dataset With Malicious And Benign IoT Network Traffic Table 4: Breakdown of Application Layer Protocols as detected by Zeek on the Benign Scenarios. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579643740646-7R5TZNV9COJ7ZU3P9QLK/18-54-31-image-asset.png Stratosphere IPS Research Blog - Aposemat IoT-23: A Labeled Dataset With Malicious And Benign IoT Network Traffic Table 6: Labels distribution of all IoT-23 labeled flows in log scale. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620231132564-E585HMF07KECOL2VV4QO/avast-logo.png Stratosphere IPS Research Blog - Aposemat IoT-23: A Labeled Dataset With Malicious And Benign IoT Network Traffic https://www.stratosphereips.org/blog/2020/1/1/aposemat-iot-honeypots-2019-in-review monthly 0.5 2020-01-01 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1577892266458-CKGWYAC1MR0H66RLRIH8/Screenshot+2020-01-01+at+15.32.59.png Stratosphere IPS Research Blog - Aposemat IoT Honeypots: 2019 In Review Our IoT honeypots were attacked from all over the world. This map shows where the attacks originated from. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1577892291153-AE90IZ90KUHLR4TQ08FJ/image-asset.png Stratosphere IPS Research Blog - Aposemat IoT Honeypots: 2019 In Review Our monitoring shows that out of the 14M attacks, 10M were successful connections to our honeypots. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1577892305986-SQIPSGUZ9BZ8P6VYEOIA/image-asset.png Stratosphere IPS Research Blog - Aposemat IoT Honeypots: 2019 In Review Most of the attacks seen nowadays are automated, this is reflected in the duration of connections and data transfer. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1577892355327-39KAB61TVSCIS8KZ5BPO/Screenshot%2B2020-01-01%2Bat%2B15.57.21.jpg Stratosphere IPS Research Blog - Aposemat IoT Honeypots: 2019 In Review Top attacking countries in 2019. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1577892407703-T9ZVOQQIFDQW9DZ9VLHR/image-asset.jpeg Stratosphere IPS Research Blog - Aposemat IoT Honeypots: 2019 In Review The list of attacking IPs. All connections (left) and only established connections (right). https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1577892426673-UQ941KCI7M94NUAAISFZ/Screenshot+2020-01-01+at+16.06.06.png Stratosphere IPS Research Blog - Aposemat IoT Honeypots: 2019 In Review https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1577893978709-85TBC81DFAE8OAWNMAFC/Screenshot+2020-01-01+at+16.51.06.png Stratosphere IPS Research Blog - Aposemat IoT Honeypots: 2019 In Review https://www.stratosphereips.org/blog/introducing-kalipso-the-gui-of-slips monthly 0.5 2022-05-04 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576501541579-R79HNXV7RREUE7WVTSPJ/image3.png Stratosphere IPS Research Blog - Introducing Kalipso: the new interactive GUI of the Stratosphere Linux IPS Redis as the interaction between Slips and Kalipso. Redis structures used in Slips. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576516406615-EEZ9WXVBVSCKDTYT2XNR/image1.png Stratosphere IPS Research Blog - Introducing Kalipso: the new interactive GUI of the Stratosphere Linux IPS Figure 1: The initial state of Kalipso. The widget profile tree is filled with the profiles. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576516472971-8DF2T8ZIMJ6HKS9GOHRA/image4.png Stratosphere IPS Research Blog - Introducing Kalipso: the new interactive GUI of the Stratosphere Linux IPS Figure2 : The timeline of the time window 1 in the profile of IP 172.16.2.197. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576516607654-J26OVRVLIOSS70SR3LEL/tree_timewindow1_gif.gif Stratosphere IPS Research Blog - Introducing Kalipso: the new interactive GUI of the Stratosphere Linux IPS Figure 3: The timeline for the time window 1 in the profile of IP 172.16.2.197. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576516687339-LUN6T1DV0OLGZFUFCUNJ/timeline.gif Stratosphere IPS Research Blog - Introducing Kalipso: the new interactive GUI of the Stratosphere Linux IPS Figure 4: The timeline for the time window 1 in the profile of IP 172.16.2.197 and information about destination IP addresses in the upper widget. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576516964495-YRJMH0G9CF50M43PAQ7K/dns_ips.jpg Stratosphere IPS Research Blog - Introducing Kalipso: the new interactive GUI of the Stratosphere Linux IPS Figure 5. The timeline with DNS request and replies for the time window 1 in the profile of IP 172.16.2.197. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576517422084-KXYS0OMC8IN1ETQUUNLA/dns.gif Stratosphere IPS Research Blog - Introducing Kalipso: the new interactive GUI of the Stratosphere Linux IPS Figure 6. The timeline with DNS requests for the time window 1 in the profile of IP 172.16.2.197. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576518253513-20KIDM0XKL2XV1AHN5IC/image5.png Stratosphere IPS Research Blog - Introducing Kalipso: the new interactive GUI of the Stratosphere Linux IPS Figure 7. The map of geolocations of all the destinations IP addresses from the timeline for the time window 1 in the profile of IP 172.16.2.197. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576519573187-MUESXWVAHUJMPFLIHIKW/outtuple.gif Stratosphere IPS Research Blog - Introducing Kalipso: the new interactive GUI of the Stratosphere Linux IPS Figure 7. Table with Out Tuples from the timeline for the time window 1 in the profile of IP 172.16.2.197. https://www.stratosphereips.org/blog/2019/11/5/attacker-ip-prioritizer-program monthly 0.5 2024-10-30 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1573203072942-4T25ZA3SKLAYBJKBLCMH/Screenshot_2019-11-08+AIP-Program+Splunk+7+2+6.png Stratosphere IPS Research Blog - Attacker IP Prioritizer Program Figure 1: The output of the Splunk sorting function https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1573734582953-W9CPGDIJVHMMIQMHORVV/CodeCogsEqn.gif Stratosphere IPS Research Blog - Attacker IP Prioritizer Program Figure 2: Score Function https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1572947960688-39UG1U061MZGMBYWMIN2/Screenshot_2019-10-17+plot+1+-+%28x+%28x+%2B+30%29%29+from+0+to+60+-+Wolfram+Alpha.png Stratosphere IPS Research Blog - Attacker IP Prioritizer Program the x-axis is the percentage of the original score, y-axis is days https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1572947994495-19UUNHN10W3DGGSFAB53/Screenshot_2019-10-17+plot+x%5E%281+2%29+from+0+to+100+-+Wolfram+Alpha.png Stratosphere IPS Research Blog - Attacker IP Prioritizer Program x-axis is score, y-axis is days https://www.stratosphereips.org/blog/2019/10/17/notes-from-the-lab-sudden-increase-of-traffic-to-port-445 monthly 0.5 2019-10-18 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571312523561-2B1J98YCIXMQ9IM3AZD2/Screenshot+2019-10-17+at+13.41.49.png Stratosphere IPS Research Blog - Notes From The Lab: Sudden Increase of Traffic to Port 445 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571314292936-IYWBM02QOYBS7F2OFVDZ/Screenshot+2019-10-17+at+14.08.40.png Stratosphere IPS Research Blog - Notes From The Lab: Sudden Increase of Traffic to Port 445 Figure 2 - Number of connections to our SMB Honeypot (1 device) from June 1st to October 1st. Source: Aposemat Project. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571314928189-48DA3OVY1SVPCJYBKAIX/Screenshot+2019-10-17+at+14.21.46.png Stratosphere IPS Research Blog - Notes From The Lab: Sudden Increase of Traffic to Port 445 Figure 3 - Number of attacking IPs to our SMB Honeypot (1 device) from June 1st to October 1st. Source: Aposemat Project. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571318751631-3QANU9ZAO9N21WH5IC6X/image-asset.png Stratosphere IPS Research Blog - Notes From The Lab: Sudden Increase of Traffic to Port 445 Figure 4: The number of connections spiked to more than 50000 on October 15th. Source: Aposemat Project. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571319172275-EI5HAC9G59I1HJA944L0/Screenshot+2019-10-17+at+15.27.02.png Stratosphere IPS Research Blog - Notes From The Lab: Sudden Increase of Traffic to Port 445 Figure 5 - The number of attacking IPs to the SMB Honeypot (1 device) during the days of the spike raised but not considerably. Source: Aposemat Project. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571320549657-30MCDJN0JJFI20XS4IGI/Screenshot+2019-10-17+at+15.53.00.png Stratosphere IPS Research Blog - Notes From The Lab: Sudden Increase of Traffic to Port 445 Figure 6 - Number of connections per attacking IP in the last 7 days. Source: Aposemat Project. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571320559233-3KA6LT9XUAOV5I3TIK3D/Screenshot+2019-10-17+at+15.53.50.png Stratosphere IPS Research Blog - Notes From The Lab: Sudden Increase of Traffic to Port 445 Figure 7 - Number of connections per attacking IP in the last 30 days. Source: Aposemat Project. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571322924318-UYCO001GHBQMQ3VYXOSN/Screenshot+2019-10-17+at+16.33.45.png Stratosphere IPS Research Blog - Notes From The Lab: Sudden Increase of Traffic to Port 445 Figure 8 - Geolocation map of the attacking IPs listed above. Source: Aposemat Project. https://www.stratosphereips.org/blog/2019/10/13/paper-a-study-of-machete-cyber-espionage-operations-in-latin-america monthly 0.5 2019-10-13 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1567329778791-5XDY7JGX31V6DI5TGN55/VB2019-London-withdate-325w.jpg Stratosphere IPS Research Blog - Paper: A Study of Machete Cyber Espionage Operations in Latin America https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1567350456862-3JS7EQUPGTWN9SL7AW1M/Screenshot+2019-09-01+at+17.06.52.png Stratosphere IPS Research Blog - Paper: A Study of Machete Cyber Espionage Operations in Latin America https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1570980225535-I55I1A53X6519WBK0BMJ/IMG_1558.JPG Stratosphere IPS Research Blog - Paper: A Study of Machete Cyber Espionage Operations in Latin America Veronica Valeros (left) and Maria Rigaki (right) presenting the research on Machete at the Virus Bulletin Conference in London. https://www.stratosphereips.org/blog/2019/10/8/hexa-payload-decoder-tool monthly 0.5 2019-10-08 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1570456542650-R4DM5SB5MA5H6YC8DXKB/Hexa+Payload+Decoder+-+1.png Stratosphere IPS Research Blog - Hexa Payload Decoder Tool: A Tool To Automatically Extract and Decode Hex Data in C&C Servers The Hexa Payload Decoder tool is able to process a pcap file and output any identified encoded strings, decoded and translated to English. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1570457214460-JEDBP3QSLSM1DYK46AZ7/Hexa+Payload+Decoder+-+2.png Stratosphere IPS Research Blog - Hexa Payload Decoder Tool: A Tool To Automatically Extract and Decode Hex Data in C&C Servers Figure 2: Suspicious data finding at Mirai port 4441 in Wireshark and its TCP Stream. The decoded hexadecimal payload cant be read with Wireshark. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1570457231804-BFK6OA7VT6KME6UU3O9X/Hexa+Payload+Decoder+-+3.png Stratosphere IPS Research Blog - Hexa Payload Decoder Tool: A Tool To Automatically Extract and Decode Hex Data in C&C Servers Figure 3: Running the Hexadecimal Decoding and Translating tool with the suspicious port 4441 TCP Stream pcap file. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1570457249479-7R5PEHIZG2YY4KART6BZ/Hexa+Payload+Decoder+-+4.png Stratosphere IPS Research Blog - Hexa Payload Decoder Tool: A Tool To Automatically Extract and Decode Hex Data in C&C Servers Figure 4: Checking the results of the analysis done. The word user in Russian can be seen after the decoding and translating process. https://www.stratosphereips.org/blog/2019/9/20/upcoming-talk-geost-botnet-the-discovery-story-of-a-new-android-banking-trojan-from-an-opsec-error monthly 0.5 2020-02-06 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1568995780602-ECLCQ6AK6IUJFUWL8U9D/Screen+Shot+2019-09-20+at+13.08.00.png Stratosphere IPS Research Blog - Upcoming Talk: Geost botnet. The discovery story of a new Android banking trojan from an OpSec error https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1568995740403-PDXSVCUURXAX4M0PB6BY/Screen+Shot+2019-09-20+at+13.08.18.png Stratosphere IPS Research Blog - Upcoming Talk: Geost botnet. The discovery story of a new Android banking trojan from an OpSec error Geost botnet https://www.stratosphereips.org/blog/2019/9/2/upcoming-talk-a-study-of-machete-cyber-espionage-operations-in-latin-america monthly 0.5 2019-09-02 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1567329778791-5XDY7JGX31V6DI5TGN55/VB2019-London-withdate-325w.jpg Stratosphere IPS Research Blog - Upcoming Talk: A Study of Machete Cyber Espionage Operations in Latin America https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1567350456862-3JS7EQUPGTWN9SL7AW1M/Screenshot+2019-09-01+at+17.06.52.png Stratosphere IPS Research Blog - Upcoming Talk: A Study of Machete Cyber Espionage Operations in Latin America https://www.stratosphereips.org/blog/2019/8/11/defcon-2019-beyond-sandboxes-how-to-execute-iot-malware-and-analyze-its-evolution monthly 0.5 2019-08-16 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1565882728136-GQLQWN9D7MOBLUOWUXVR/EBtVzdwXkAAswnB.jpeg Stratosphere IPS Research Blog - DEFCON 2019. Beyond Sandboxes. How to Execute IoT Malware and Analyze its Evolution Packet Hacking Village at Defcon 2019 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1565882875691-IRPJKUMKD9SBSKSJ6E25/download.jpeg Stratosphere IPS Research Blog - DEFCON 2019. Beyond Sandboxes. How to Execute IoT Malware and Analyze its Evolution Our talk in the Packet Hacking Village banner https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1565882626096-5DLTLR440E5F42H05KUU/Screen+Shot+2019-08-15+at+17.10.30.png Stratosphere IPS Research Blog - DEFCON 2019. Beyond Sandboxes. How to Execute IoT Malware and Analyze its Evolution Defcon 2019 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1565882827521-72OELNX3RJI1PUSEWBUW/IMG_20190808_173407366.jpg Stratosphere IPS Research Blog - DEFCON 2019. Beyond Sandboxes. How to Execute IoT Malware and Analyze its Evolution Entrance to the conference at Paris hotel https://www.stratosphereips.org/blog/2019/8/15/project-ludus monthly 0.5 2019-08-15 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1562941184524-U80C9VSR0NXM8QTJ8J18/ludus_workflow.jpg Stratosphere IPS Research Blog - Project Ludus - Smart Honeypot Manager for Collaborative Defense Ludus overview https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1562940888222-X1D77SDB0631XINZQHDT/ludus_dashboard1.png Stratosphere IPS Research Blog - Project Ludus - Smart Honeypot Manager for Collaborative Defense https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1562940915019-6NMWAYNFH15NC7FRGTPI/ludus_dashboard2.jpg Stratosphere IPS Research Blog - Project Ludus - Smart Honeypot Manager for Collaborative Defense https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1562941409144-VD5MJDLUNJWJ7UZEDJRI/kibana_dashboard.jpg Stratosphere IPS Research Blog - Project Ludus - Smart Honeypot Manager for Collaborative Defense Example of public dashboard in Kibana https://www.stratosphereips.org/blog/2019/8/6/iot-honeypot-traffic-analysis-series-analysis-of-edimax-ic-7113w-part-4 monthly 0.5 2019-08-06 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1563868734433-L71O17YRPP8BN1ZT6PWP/Screenshot+2019-07-23+at+09.58.25.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 4 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1563869337244-SGWQZ3UP58AQ1PONNG0S/Screenshot+2019-07-23+at+10.07.44.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 4 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1563869708085-FTXB0SDJN6NVVDY2306C/Screenshot+2019-07-23+at+10.14.45.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 4 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1563870132399-E8BFR4JYRZWKQBSW1H3F/Screenshot+2019-07-23+at+10.16.50+copy.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 4 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1563870371616-E2P78ZSOSXIBSAMV651B/Screenshot+2019-07-23+at+10.25.31.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 4 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1563871005770-ZLZ7UDVKQXPV3Y9ATEFN/image-asset.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 4 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1563871239421-PNDF8MI1U8XC4EWLMU85/Screenshot+2019-07-23+at+10.39.45.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 4 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1563872408861-HH7VDTYOW5C29Q5FZNH5/image-asset.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 4 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1563872625018-I6Q903P1YNWYMQHE4BB6/avast_logo_small.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 4 https://www.stratosphereips.org/blog/2019/7/10/amparo-certunlp-workshop monthly 0.5 2019-07-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1560346589141-8XS98WAOFE39K0AQHXG4/fotoapertura2.jpeg Stratosphere IPS Research Blog - Summary of the Amparo-CERTUNLP Workshop in Neuquén, Argentina Alejandra Di Croco (Secretary of Modernization of the Neuquén Government, Graciela Martinez (WARP Coordinator - LACNIC), Nicolás Macia ( CERTUNLP Coordinator), Paula Venosa (CERTUNLP Coordinator) https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1560346576704-U8U6KY2N67C3FU9VJPE2/fotospublico.jpeg Stratosphere IPS Research Blog - Summary of the Amparo-CERTUNLP Workshop in Neuquén, Argentina https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1560345669186-3S992W2BDYFEUXNJ5C4M/fotocierre.jpeg Stratosphere IPS Research Blog - Summary of the Amparo-CERTUNLP Workshop in Neuquén, Argentina https://www.stratosphereips.org/blog/2019/6/12/first-workshop-on-attackers-and-cyber-crime-operations-wacco-2019 monthly 0.5 2019-06-24 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1560340665081-95IHA3RKVWSBWZL5I1O8/Screenshot+2019-06-12+at+13.55.00.png Stratosphere IPS Research Blog - First Workshop on Attackers and Cyber-Crime Operations (WACCO) 2019 Paper sessions at WACCO are organized by topics: cybercrime measurements, cybercrime operations, and offenders and their ecosystem. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1561384960388-CVRZRGQ1DV9G3NZ51P1Y/Screenshot%2B2019-06-24%2Bat%2B15.58.47.jpg Stratosphere IPS Research Blog - First Workshop on Attackers and Cyber-Crime Operations (WACCO) 2019 Sebastian Garcia, Anna Shirokova, and Maria Jose Erquiaga presenting their poster on “Geost: Operational Security Failures of a New Android Banking Threat”. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1561384939158-RXUS7FW365R27JGNVO1S/Wacco.jpg Stratosphere IPS Research Blog - First Workshop on Attackers and Cyber-Crime Operations (WACCO) 2019 Veronica Valeros presenting the paper “Machete: Dissecting the Operations of a Cyber Espionage Group in Latin America”. https://www.stratosphereips.org/blog/2019/6/2/getting-started-to-splunk monthly 0.5 2019-11-06 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1559479831810-6RCHN24UW3ZMCRVVXRZY/splunk.png Stratosphere IPS Research Blog - Getting Started With Splunk: Basic Searching & Data Viz Overview of Splunk data ingestion capabilities and core functionality. Source: https://www.edureka.co/blog/splunk-tutorial https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1559480804045-55AH98G00KTER0TBR1RL/splunk-1.png Stratosphere IPS Research Blog - Getting Started With Splunk: Basic Searching & Data Viz Search & Reporting view in the newly created Splunk instance. The basics elements highlighted in the image are: 1. Main menu to administer the instance, 2. Search bar, 3. Time range picker, and 4. Search mode menu. A more detailed and granular explanation can be found in Splunk Docs [2]. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1559482747103-PM3CYVUD2WQ55CZLR118/splunk-2.png Stratosphere IPS Research Blog - Getting Started With Splunk: Basic Searching & Data Viz Splunk is able to interpret a wide variety of data formats. In this case, the file 2018-05-03_win11.binetflow is being uploaded and the Source type is specified manually as CSV. The columns are then recognized and parsed automatically. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1559483901875-R3KOS0AKYYHCJL9M3KM9/splunk-3.png Stratosphere IPS Research Blog - Getting Started With Splunk: Basic Searching & Data Viz Search & Reporting view after the data was successfully uploaded and the fields were configured. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1559485091066-JZSVKEWFFUPJLNCEVNYC/splunk-4.png Stratosphere IPS Research Blog - Getting Started With Splunk: Basic Searching & Data Viz https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1559485435998-I7CTC6PE5Q4X1YEFLK9K/splunk-5.png Stratosphere IPS Research Blog - Getting Started With Splunk: Basic Searching & Data Viz https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1559485628142-AZ5JDTK3N5J56E1CMY42/splunk-6.png Stratosphere IPS Research Blog - Getting Started With Splunk: Basic Searching & Data Viz https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1559486157861-QE6Z42YWQBCVZSY3IC2L/splunk-6.jpeg Stratosphere IPS Research Blog - Getting Started With Splunk: Basic Searching & Data Viz A monitoring dashboard created for one of the IoT honeypots of the Stratosphere Aposemat Project. https://www.stratosphereips.org/blog/2019/5/29/iot-honeypot-traffic-analysis-series-analysis-of-edimax-ic-7113w-part-3-kee57 monthly 0.5 2019-05-29 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1557156853355-7MN00PB1SNXMQ56RMQBU/Screen+Shot+2019-05-06+at+17.28.14.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 3 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1557155636040-GCVYGZ7S8EOUQDVIFCXP/02.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 3 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1557155855890-3D2NGPK61B682J9MXJRM/09.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 3 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1557156812861-ZGOA4G5376GAZ8PJWCT6/Screen+Shot+2019-05-06+at+17.28.31.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 3 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1557156035939-5I3FV5T2P3QH8LK6Z3LI/04.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 3 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1557156088973-Q2B6VX6A2580Q3EOXDQF/05.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 3 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1557156139722-NBGM1IDR3KOG9QQFEMQ4/06.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 3 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1557156160726-243KG88DEBG87L9GY12Z/07.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 3 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1557156834148-RDPXMVEGGJBEYY007JVN/image-asset.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 3 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1557156460527-4O2UYMOYF3TXTH8JROW7/avast_logo_small.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W, part 3 https://www.stratosphereips.org/blog/2019/5/26/owasp-cz-2019-conference-wrap-up monthly 0.5 2019-05-26 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1558865752160-9H0DDQWRLX6OXWQ2JKXV/workshop-morning-vero-sebas.jpg Stratosphere IPS Research Blog - OWASP CZ 2019: Conference Wrap-Up Sebastian Garcia and Veronica Valeros giving the workshop ‘Getting Your Hands Dirty: IoT Botnet Analysis’ at OWASP Czech Chapter Meeting, May 2019. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1558865676461-SCY3YSKHRZ34NDJPBESL/IMG_1259-1.jpg Stratosphere IPS Research Blog - OWASP CZ 2019: Conference Wrap-Up Simona Musilova and Sebastian Garcia presenting “Does Your IoT expose You? Honeypots, Attacks and Decryption in an Edimax Camera” at OWASP Czech Chapter Meeting, May 2019. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1558866690443-A5OVEX34ELPCZJ0S49FW/IMG_1276-1.jpg Stratosphere IPS Research Blog - OWASP CZ 2019: Conference Wrap-Up Jan Fajfer and Kamila Babayeva presenting “We Know Where You Are: How Most Mobile Applications Jeopardize Your Security“ at OWASP Czech Chapter Meeting, May 2019. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1558867756770-38Z375JYLQ7F2WG1BXIG/IMG_1281.jpg Stratosphere IPS Research Blog - OWASP CZ 2019: Conference Wrap-Up Anna Shirokova and Sebastian Garcia presenting “Cybercriminal Activities Managing a New Android Botnet” at OWASP Czech Chapter Meeting, May 2019. https://www.stratosphereips.org/blog/2019/3/21/malware-capture-analysis-possible-coin-miner monthly 0.5 2019-05-27 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1557528202630-A9ZRS941WVD3B702QJKO/avast_logo_small.png Stratosphere IPS Research Blog - Aposemat IoT Malware Analysis, an X-Bash infection https://www.stratosphereips.org/blog/2019/5/17/iot-malware-analysis-series-a-mirai-variant-in-ctu-iot-malware-capture-49-1 monthly 0.5 2019-05-27 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1558099931743-4B18O7IBX37D0VDFR9AD/blob.png Stratosphere IPS Research Blog - IoT Malware Analysis Series. An IoT malware dropper with custom C&C channel exploiting HNAP https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1558101059703-62JAP17XB2OJBOKS122W/Screenshot+2019-05-17+at+15.50.46.png Stratosphere IPS Research Blog - IoT Malware Analysis Series. An IoT malware dropper with custom C&C channel exploiting HNAP https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1558104168360-T04KK3C9YKLSAV7LUK5M/blob.png Stratosphere IPS Research Blog - IoT Malware Analysis Series. An IoT malware dropper with custom C&C channel exploiting HNAP https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1558106576038-T12H0PC0E83FAN1MO924/image.jpg.png Stratosphere IPS Research Blog - IoT Malware Analysis Series. An IoT malware dropper with custom C&C channel exploiting HNAP https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1558106636318-7HP6DKGTDHDVXY5BXWYZ/image.jpg2.png Stratosphere IPS Research Blog - IoT Malware Analysis Series. An IoT malware dropper with custom C&C channel exploiting HNAP https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1558106530978-II79W6JBL8ZVTOVOOVVX/blob.png Stratosphere IPS Research Blog - IoT Malware Analysis Series. An IoT malware dropper with custom C&C channel exploiting HNAP https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1558333757018-44YFU55KX6Q1JAG5LPO0/avast-logo.png Stratosphere IPS Research Blog - IoT Malware Analysis Series. An IoT malware dropper with custom C&C channel exploiting HNAP https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet monthly 0.5 2019-08-22 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1556298943172-OYYU05JOED70WOT6031G/Screenshot+2019-04-20+at+21.09.08.png Stratosphere IPS Research Blog - Analysis of an IRC based Botnet IRC Packet reporting TCP Flood Against 66.67.61.168 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1566495377223-1C3YKCAEJUAPDLACCTQN/Screen+Shot+2019-08-22+at+14.33.15.png Stratosphere IPS Research Blog - Analysis of an IRC based Botnet Conversation between the botmasters https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1556305098712-KFTM9KF1JL5YKWMG6BIE/avast_logo_small.png Stratosphere IPS Research Blog - Analysis of an IRC based Botnet https://www.stratosphereips.org/blog/2019/2/15/iot-honeypot-traffic-analysis-series monthly 0.5 2019-05-24 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550244306685-XSGU4JGOO6KR1FOA2DCR/zgrab.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Continuation Analysis of Honeypot Camera Traffic Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550244462701-NB43Y6MK9D63VE8OQH77/gpon.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Continuation Analysis of Honeypot Camera Traffic Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550244563621-TWTO3R7CAFQ2SAHCERBZ/image-asset.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Continuation Analysis of Honeypot Camera Traffic Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550246321433-UGE2P1TZZKEVLPPJMUT0/mpa.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Continuation Analysis of Honeypot Camera Traffic Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550244715530-G53L0WTI5WUT2ODX3VKW/mpa-win-server.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Continuation Analysis of Honeypot Camera Traffic Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550245057808-2HLC7DCVZ340OGZR5GTW/cname.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Continuation Analysis of Honeypot Camera Traffic Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550489606786-SQUCQ96YVWUXK7KL04B0/normal1.jpg Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Continuation Analysis of Honeypot Camera Traffic Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550489632548-Q4VPA92098YV7ZTVACN9/normal2.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Continuation Analysis of Honeypot Camera Traffic Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550489678796-X3Z9OHIWTO7HXUGTQAGY/normal3.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Continuation Analysis of Honeypot Camera Traffic Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550245246198-LAT7GY1B05AHIA0CNPLU/normal4.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Continuation Analysis of Honeypot Camera Traffic Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550245475226-TVRQ2AYHPXBLWS1HAOGP/normal5.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Continuation Analysis of Honeypot Camera Traffic Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550245492028-PJ90HHW1JGSICOQC0S4U/normal6.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Continuation Analysis of Honeypot Camera Traffic Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550245867515-U8V7X39YCX8DFQ4IYLMG/avast_logo_small.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Continuation Analysis of Honeypot Camera Traffic Edimax IC-7113W https://www.stratosphereips.org/blog/2019/2/17/what-do-we-know-about-quasar-rat-a-review monthly 0.5 2019-02-17 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550402226663-2NXIELKMO7SF0M5TKXGH/quasar-1-credit-to-n0where-net.png Stratosphere IPS Research Blog - What do we know about Quasar RAT? A review. Quasar RAT UI showing a list of infected victims, and some of the capabilities of the RAT. Credits: https://n0where.net/free-open-source-remote-administration-tool-for-windows-quasarrat https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550414643689-95FV4E8JIH1A1WKEURPP/quasar-rat-code-activity.png Stratosphere IPS Research Blog - What do we know about Quasar RAT? A review. Code Frequency Quasar RAT since its origin in 2014. Source: https://github.com/quasar/QuasarRAT/ https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550422375966-YYIXBS5GRZUDHIOAG34A/Screenshot+2019-02-17+at+17.51.58.png Stratosphere IPS Research Blog - What do we know about Quasar RAT? A review. A fork [23] from Quasar RAT is accepting donations to help the project move forward. Source: https://www.blockchain.com/btc/address/17eAafhEYnxmnj2nQ92tDFdDzATL27gcj https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550421732211-49THTKBGCHHXQ69T0L29/quasar-traffic.png Stratosphere IPS Research Blog - What do we know about Quasar RAT? A review. Network traffic excerpt from the US CERT report [16]. “Quasar uses the first 4 bytes of the TCP payload to track the payload’s total size in little-endian format.”, and this can be used to identify Quasar in the network. Source: https://www.us-cert.gov/ncas/analysis-reports/AR18-352A https://www.stratosphereips.org/blog/2019/2/6/iot-honeypot-traffic-analysis-series-analysis-of-edimax-ic-7113w-capture-ctu-honeypot-2-155 monthly 0.5 2019-05-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1549457683268-2I775K80KDFFMOV0VWVN/pasted+image+0.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1549458455431-RE8OG7GLYKZS1IYIVZPD/02.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1549458477155-884JTZBFLRFWFRUBID6B/03.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1549458496263-7WTBFPQU4DMN32EJWTJM/04.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1549458511804-5DK8R4301K5C4CIXSY77/image-asset.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1549458533604-BIN499RJ4TH23637XTNL/06.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1549458729319-73IZ3FTPFU9IW058NYX4/07.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1549458600200-DMPJJG0ZMO47KT1A6RL9/08.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1549459057592-D0H7TDGN0W0IO7J55ZR5/Screenshot+2019-02-06+at+11.30.18.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1549459105934-JOAYOVG8Q76U7F95FOMY/Screenshot+2019-02-06+at+11.14.47.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1549459129925-8CYVVVNN6I9WRQH88J9V/Screenshot+2019-02-06+at+13.04.45.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1550050862450-U7S78T53C9SUYJ3Q7ID8/avast_logo_small.png Stratosphere IPS Research Blog - IoT Honeypot Traffic Analysis Series. Analysis of Edimax IC-7113W https://www.stratosphereips.org/blog/2018/11/19/blackhoodie-bootcamp-4-wrap-up-berlin-2018 monthly 0.5 2018-11-19 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1542633821926-1AT3QZG638QIYOQ7LAUJ/image1.jpeg Stratosphere IPS Research Blog - BlackHoodie Bootcamp #4 Wrap Up - Berlin 2018 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1542654768952-8WO1QW7QDNW0TN7FD1Z3/Screenshot+2018-11-19+at+20.12.31.png Stratosphere IPS Research Blog - BlackHoodie Bootcamp #4 Wrap Up - Berlin 2018 BlackHoodie 2018 - Conference Schedule https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1542637560162-Q7KANJ17JC7B17VT3QHP/IMG_7579.JPG Stratosphere IPS Research Blog - BlackHoodie Bootcamp #4 Wrap Up - Berlin 2018 Veronica presenting “Linux servers under siege” at BlackHoodie 2018. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1542637589490-6KTXF857HP2U9HG9FBSB/IMG_7582.JPG Stratosphere IPS Research Blog - BlackHoodie Bootcamp #4 Wrap Up - Berlin 2018 Maria presenting “Arming Malware with GANs” at BlackHoodie 2018. https://www.stratosphereips.org/blog/2018/10/6/live-class-machine-learning-for-network-security monthly 0.5 2018-10-06 https://www.stratosphereips.org/blog/2018/9/19/solution-for-the-too-much-noise-ai-village-ctf-challenge monthly 0.5 2018-09-24 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1537342427916-TQHO073IK5OMRP1E36EX/secret_message.png Stratosphere IPS Research Blog - Creating "Too much noise" in DEFCON AI village CTF challenge Challenge image https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1537446877710-U9AV3F8BFM9H84S34J38/clean_image.png Stratosphere IPS Research Blog - Creating "Too much noise" in DEFCON AI village CTF challenge Clean image https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1537448860851-806WDOA4BP9WGBJB9QV4/Autoencoder_structure.png Stratosphere IPS Research Blog - Creating "Too much noise" in DEFCON AI village CTF challenge Autoencoder structure (reproduced from wikipedia) https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1537449162891-FO720HXBG8JI5IZKFDOF/example_digits.png Stratosphere IPS Research Blog - Creating "Too much noise" in DEFCON AI village CTF challenge https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1537342539659-6V70KXUJBZLCUA37D0VD/asolution.png Stratosphere IPS Research Blog - Creating "Too much noise" in DEFCON AI village CTF challenge A solution https://www.stratosphereips.org/blog/2018/9/7/what-do-we-know-about-nanocore-rat-a-review monthly 0.5 2019-02-17 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1536331827721-E7FV6SJ84ECJYFV4R7RP/Screen+Shot+2018-09-07+at+16.49.54.png Stratosphere IPS Research Blog - What do we know about NanoCore RAT? A review. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1536327567728-YFOJ0SCOUH8UYRCL3SVQ/Screen+Shot+2018-09-07+at+15.35.51.png Stratosphere IPS Research Blog - What do we know about NanoCore RAT? A review. NanoCore website promotes the the tool as reliable, affordable, with 24/7 support. Reference: https://web.archive.org/web/20160815000000*/nanocore.io https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1536327857117-4BVG4XDPP1QNE8BCQLRK/VtUlKWy.png Stratosphere IPS Research Blog - What do we know about NanoCore RAT? A review. https://www.stratosphereips.org/blog/2018/8/26/notpink-the-first-security-conference-given-by-women-in-argentina monthly 0.5 2018-09-07 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1536021726342-BWYQIJTAQAHRYT8AGBJZ/WhatsApp+Image+2018-08-25+at+8.56.40+AM.jpeg Stratosphere IPS Research Blog - NotPink: The first security conference given by women in Argentina Almuerzo con speakers y sponsors. Sponsoreado por Deloitte. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1536021946154-5CM7Q3S47V2N5WGX2OZK/WhatsApp+Image+2018-08-26+at+3.08.59+PM.jpeg Stratosphere IPS Research Blog - NotPink: The first security conference given by women in Argentina https://www.stratosphereips.org/blog/2018/8/1/1st-transylvanian-machine-learning-summer-school monthly 0.5 2018-08-03 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1533130460411-CPLV36VXRD8NFIKHN5QB/0043+TMLSS+Day+1.JPG Stratosphere IPS Research Blog - My first summer school https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1533130723346-RUPR5RI0HOUR3FXZU3RT/79TMLSS+Day+3.jpg Stratosphere IPS Research Blog - My first summer school Group photo https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1533130817619-B3XYK4SUF2W3IUHPTJGF/95TMLSS+Day+3.jpg Stratosphere IPS Research Blog - My first summer school Best poster awards (yes, I got one too :) ) https://www.stratosphereips.org/blog/2018/7/11/5-things-i-learned-at-my-first-two-cybersecurity-conferences-radhika-gupta monthly 0.5 2018-07-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1531315909680-9VQRMFPGQZIMC5KDFCF5/0.jpeg Stratosphere IPS Research Blog - 5 Things I Learned at my First Two Cybersecurity Conferences https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1531317180681-ER7TOVE7LYJ18DX36SEQ/0+%281%29.jpeg Stratosphere IPS Research Blog - 5 Things I Learned at my First Two Cybersecurity Conferences https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1531317212841-2X90JWF63D08W30QZ6W9/0+%282%29.jpeg Stratosphere IPS Research Blog - 5 Things I Learned at my First Two Cybersecurity Conferences https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1531317274629-A0W1DTGUNBTR5UG9USUK/0.jpeg Stratosphere IPS Research Blog - 5 Things I Learned at my First Two Cybersecurity Conferences https://www.stratosphereips.org/blog/2018/6/22/reset-2018-conference-wrap-up monthly 0.5 2018-06-22 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1529432687437-OE4IOGXBQ3OT71VPLCVL/IMG-4901.JPG Stratosphere IPS Research Blog - RESET 2018 Conference Wrap-Up https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1529434302838-BTOTWLGV9TWS8POHVIR8/Adizah+Tejani+-+1.JPG Stratosphere IPS Research Blog - RESET 2018 Conference Wrap-Up Adizah Tejani on her talk about Open Banking Technology. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1529434419645-1FS4AVD8BJ72U322J8YC/IMG_4907.JPG Stratosphere IPS Research Blog - RESET 2018 Conference Wrap-Up "So this is almost where we are at the moment [with open banking]. Which doesn't fill the room with confidence..." - Adizah Tejani https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1529668710562-6KC2BR153KOI7YIHC33L/image-asset.jpeg Stratosphere IPS Research Blog - RESET 2018 Conference Wrap-Up Step 1) in becoming a 'hacker' is to determine your role in the cyber crime economy. - Rashmi Knowles https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1529668870951-EOD4S9IKYOZD7T1FFWK2/wendy-nather.JPG Stratosphere IPS Research Blog - RESET 2018 Conference Wrap-Up Wendy Nather, ' Denial of Trust: a new attack', RESET 2018. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1529672116699-HDI8XZQ8HJ3H4T9SH2G9/rebekah-brown.JPG Stratosphere IPS Research Blog - RESET 2018 Conference Wrap-Up The five stages of change, by Rebekah Brown. Photo credit: Zoë Rose. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1529673704001-OFBHQ2VH3QF0WI061RJ6/IMG_4921.JPG Stratosphere IPS Research Blog - RESET 2018 Conference Wrap-Up https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1529676400163-09X01TGICMR17AM069SV/IMG_4902.JPG Stratosphere IPS Research Blog - RESET 2018 Conference Wrap-Up https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1529676412678-FAK2A48JBOPBNXYGJ59U/IMG_4903.JPG Stratosphere IPS Research Blog - RESET 2018 Conference Wrap-Up https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1529676444421-J3HU1V04SG2C6BN2NOLO/IMG_4909.JPG Stratosphere IPS Research Blog - RESET 2018 Conference Wrap-Up https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1529676484969-LBZ076MHUK16D26ALF7I/IMG_4912.JPG Stratosphere IPS Research Blog - RESET 2018 Conference Wrap-Up https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1529676472422-Z34PFBCKAU4EG06WNGGY/IMG_4917.JPG Stratosphere IPS Research Blog - RESET 2018 Conference Wrap-Up https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1529676507664-M0KL2U4I3FL3IYW7RE58/IMG_4919.JPG Stratosphere IPS Research Blog - RESET 2018 Conference Wrap-Up https://www.stratosphereips.org/blog/2018/5/29/high-level-overview-of-a-malicious-perl-bot monthly 0.5 2018-05-31 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1527182650760-D8WU4UPN584LT4KI02J8/Screen+Shot+2018-05-24+at+19.23.24.png Stratosphere IPS Research Blog - High Level Overview of a Malicious Perl Bot https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1527183428431-2FAB4R06LCF15X9D3T91/image-asset.png Stratosphere IPS Research Blog - High Level Overview of a Malicious Perl Bot https://www.stratosphereips.org/blog/2018/4/11/visit-to-the-ngo-market-2018-the-stories-of-civil-society monthly 0.5 2018-04-11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1523450073835-MWMNBGHXGT2IASIXAIEC/NGO-Market-2018-1.JPG Stratosphere IPS Research Blog - Visit to the NGO Market 2018: The Stories of Civil Society https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1523450930527-TETOP2F486F2NX6M1H0Z/NGO-Market-2018-2.JPG Stratosphere IPS Research Blog - Visit to the NGO Market 2018: The Stories of Civil Society NGO Market 2018: The Stories of Civil Society @ Forum Karlín, Prague, Czech Republic https://www.stratosphereips.org/blog/2018/3/29/how-to-create-a-small-lab-at-home-with-a-raspberry-pi-to-execute-malware monthly 0.5 2018-08-03 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1522317362397-IBIS28XYV7232KYRDA4C/raspberrypi_1240376.jpg Stratosphere IPS Research Blog - How to Create a Small Lab at Home with a Raspberry Pi to execute Malware - How to create a Small Lab at home with a Raspberry Pi to execute Malware https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1522316879786-PJB0F6XNLCCZ3NIGQWJN/Lab+Infrastructure+raspberry+pi.jpg Stratosphere IPS Research Blog - How to Create a Small Lab at Home with a Raspberry Pi to execute Malware Your topology should look like this https://www.stratosphereips.org/blog/2018/3/26/three-years-of-publishing-malware-traffic-datasets monthly 0.5 2018-05-25 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1522055913999-3GKO4JOMBP3IHZM3EZQO/Screen+Shot+2018-03-26+at+11.16.11.png Stratosphere IPS Research Blog - Three Years of Publishing Malware Traffic Datasets https://www.stratosphereips.org/blog/2018/3/22/team-learning-basic-python-introduction-for-basic-malware-analysis monthly 0.5 2018-03-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1521789507924-WZJ7J2XI1VYZVOVYUINT/IMG_3295.JPG Stratosphere IPS Research Blog - Team Learning: Python Introduction for Network Traffic Visualisation https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1521729986077-5N3PS21OXD3J3D8B4CNL/Screen+Shot+2018-03-22+at+15.44.43.png Stratosphere IPS Research Blog - Team Learning: Python Introduction for Network Traffic Visualisation The source code for this template is located here: https://github.com/stratosphereips/Basic-Python-Learning https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1521736110146-U0BABCXHGG4U5CIC01YM/IMG_3297.JPG Stratosphere IPS Research Blog - Team Learning: Python Introduction for Network Traffic Visualisation https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1521738624261-Y77VXQNJFC7F0EZH11ZN/test.png Stratosphere IPS Research Blog - Team Learning: Python Introduction for Network Traffic Visualisation https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1521738943272-2POL8ONEUUVFWZFSOJZN/test2.png Stratosphere IPS Research Blog - Team Learning: Python Introduction for Network Traffic Visualisation There are so many nodes that the graph is totally useless. But there were more than 13000 nodes! https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1521789982567-V6XQI3JZ7HCNQBHMAWGA/test2-zoom.png Stratosphere IPS Research Blog - Team Learning: Python Introduction for Network Traffic Visualisation If we zoom to the center of the chart, we can see that DOT was actually able to plot everything, but is not the best type of visualisation we can choose. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1521739288971-IL5S6WJ88DTF2AY00A2O/image-asset.png Stratosphere IPS Research Blog - Team Learning: Python Introduction for Network Traffic Visualisation There are 400 connections in this graph. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1521739480111-Q1QSPTVIH6X2YXFCUMZN/test4.png Stratosphere IPS Research Blog - Team Learning: Python Introduction for Network Traffic Visualisation There are 2000 connections in this graph. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1521740079521-EEIPTNJC98IAPHO5IZKG/test5.png Stratosphere IPS Research Blog - Team Learning: Python Introduction for Network Traffic Visualisation There are 5000 connections in this graph (low resolution due file size limit on square space) https://www.stratosphereips.org/blog/2017/6/19/nomad-project monthly 0.5 2017-11-08 https://www.stratosphereips.org/blog/2015/10/12/ccdetector-and-botnet-detector-comparer monthly 0.5 2017-11-08 https://www.stratosphereips.org/blog/2015/7/17/new-dataset-ctu-13-extended-now-includes-pcap-files-of-normal-traffic monthly 0.5 2017-11-08 https://www.stratosphereips.org/blog/2015/3/26/differences-on-the-behavioral-patterns-of-malware-and-normal-dns-connections monthly 0.5 2017-11-08 https://www.stratosphereips.org/blog/2015/3/25/the-importance-of-good-labels-in-security-datasets monthly 0.5 2017-11-08 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510159141731-G7W96QGOBNFIM7I5GX6O/label-warranty-1.jpg Stratosphere IPS Research Blog - The Importance of Good Labels in Security Datasets https://www.stratosphereips.org/blog/2015/3/24/first-phase-of-the-stratosphere-ips-project-ready monthly 0.5 2017-11-08 https://www.stratosphereips.org/blog/2015/3/12/analysis-of-the-traffic-of-an-apk-malware monthly 0.5 2017-11-08 https://www.stratosphereips.org/blog/2015/3/12/how-to-install-and-run-argus-sniffer-in-your-raspberry-pi monthly 0.5 2017-11-08 https://www.stratosphereips.org/blog/2014/11/10/malware-uses-multiple-web-servers-to-have-a-periodic-http-cc-connection-while-its-netflows-are-not-periodic monthly 0.5 2017-11-08 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510154490121-SR4H0EFBT97GPX4F558O/7479220_orig.jpg Stratosphere IPS Research Blog - MALWARE USES MULTIPLE WEB SERVERS TO HAVE A PERIODIC HTTP C&C CONNECTION WHILE ITS NETFLOWS ARE NOT PERIODIC   Some hours of traffic in the CTU-89-1 capture https://www.stratosphereips.org/blog/2014/8/5/malware-started-to-randomize-the-request-times-in-relation-with-their-cc-channels monthly 0.5 2017-11-08 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510154089000-LIM0PXM9A3PX5DJJXS7K/9923682_orig.jpeg Stratosphere IPS Research Blog - MALWARE STARTED TO RANDOMIZE THE REQUEST TIMES IN RELATION WITH THEIR C&C CHANNELS Histogram of time differences between packets for the DGA. https://www.stratosphereips.org/blog/2014/03/9/example-of-using-stf-for-detecting-cc-channels-an-analysis-of-a-pushdo-malware monthly 0.5 2017-11-08 https://www.stratosphereips.org/blog/2014/03/1/analisis-of-ctu-malware-capture-1 monthly 0.5 2017-11-08 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510149053752-TNEHAYFLX45BIN2UONU1/Figure-1.png Stratosphere IPS Research Blog - ANALISIS OF CTU-MALWARE-CAPTURE-1 (ZBOT.OOWO) https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510149244622-2I3LWRUZ7ZXE9APE6S52/Figure-2.jpg Stratosphere IPS Research Blog - ANALISIS OF CTU-MALWARE-CAPTURE-1 (ZBOT.OOWO) https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510149337890-3UQXL0REPIMVTL7TGL83/Figure-3.jpg Stratosphere IPS Research Blog - ANALISIS OF CTU-MALWARE-CAPTURE-1 (ZBOT.OOWO) https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510149378269-BMWKVQZNNJIT1E5M3CF4/Figure-4.jpg Stratosphere IPS Research Blog - ANALISIS OF CTU-MALWARE-CAPTURE-1 (ZBOT.OOWO) https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510149570542-E7WNRM06VHTZFKVDOK7Y/Figure-5.png Stratosphere IPS Research Blog - ANALISIS OF CTU-MALWARE-CAPTURE-1 (ZBOT.OOWO) https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510149645931-OWPGQV6FB1Z4AYOLG0N4/Figure-6.png Stratosphere IPS Research Blog - ANALISIS OF CTU-MALWARE-CAPTURE-1 (ZBOT.OOWO) https://www.stratosphereips.org/blog/category/Underground+Economy monthly 0.5 https://www.stratosphereips.org/blog/category/cybercrime monthly 0.5 https://www.stratosphereips.org/blog/category/Blocklist+Project monthly 0.5 https://www.stratosphereips.org/blog/category/Laboratory monthly 0.5 https://www.stratosphereips.org/blog/category/Machine+Learning monthly 0.5 https://www.stratosphereips.org/blog/category/Teaching monthly 0.5 https://www.stratosphereips.org/blog/category/Datasets monthly 0.5 https://www.stratosphereips.org/blog/category/malware+analysis monthly 0.5 https://www.stratosphereips.org/blog/category/award monthly 0.5 https://www.stratosphereips.org/blog/category/Events monthly 0.5 https://www.stratosphereips.org/blog/category/Project+Ludus monthly 0.5 https://www.stratosphereips.org/blog/category/Stratosphere+Linux+IPS monthly 0.5 https://www.stratosphereips.org/blog/category/GSoC2023 monthly 0.5 https://www.stratosphereips.org/blog/category/Education monthly 0.5 https://www.stratosphereips.org/blog/category/Slips monthly 0.5 https://www.stratosphereips.org/blog/category/traffic+analysis monthly 0.5 https://www.stratosphereips.org/blog/category/AIVPN monthly 0.5 https://www.stratosphereips.org/blog/category/shellm monthly 0.5 https://www.stratosphereips.org/blog/category/Python monthly 0.5 https://www.stratosphereips.org/blog/category/Honeypots monthly 0.5 https://www.stratosphereips.org/blog/category/Mischief monthly 0.5 https://www.stratosphereips.org/blog/category/Reinforcement+Learning monthly 0.5 https://www.stratosphereips.org/blog/category/GSoC2024 monthly 0.5 https://www.stratosphereips.org/blog/category/Aposemat+Project monthly 0.5 https://www.stratosphereips.org/blog/category/Propaganda monthly 0.5 https://www.stratosphereips.org/blog/category/publications monthly 0.5 https://www.stratosphereips.org/blog/tag/education monthly 0.5 https://www.stratosphereips.org/blog/tag/shadow monthly 0.5 https://www.stratosphereips.org/blog/tag/release monthly 0.5 https://www.stratosphereips.org/blog/tag/DNS monthly 0.5 https://www.stratosphereips.org/blog/tag/iot monthly 0.5 https://www.stratosphereips.org/blog/tag/llms monthly 0.5 https://www.stratosphereips.org/blog/tag/threat+hunting monthly 0.5 https://www.stratosphereips.org/blog/tag/latin+america monthly 0.5 https://www.stratosphereips.org/blog/tag/QUIC monthly 0.5 https://www.stratosphereips.org/blog/tag/traffic+analysis monthly 0.5 https://www.stratosphereips.org/blog/tag/https monthly 0.5 https://www.stratosphereips.org/blog/tag/glutton monthly 0.5 https://www.stratosphereips.org/blog/tag/shellm monthly 0.5 https://www.stratosphereips.org/blog/tag/DOH monthly 0.5 https://www.stratosphereips.org/blog/tag/events monthly 0.5 https://www.stratosphereips.org/blog/tag/ciberseguridad monthly 0.5 https://www.stratosphereips.org/blog/tag/introduction+to+security monthly 0.5 https://www.stratosphereips.org/blog/tag/rat monthly 0.5 https://www.stratosphereips.org/blog/tag/apt monthly 0.5 https://www.stratosphereips.org/blog/tag/DOQ monthly 0.5 https://www.stratosphereips.org/blog/tag/DOT monthly 0.5 https://www.stratosphereips.org/blog/tag/dns monthly 0.5 https://www.stratosphereips.org/blog/tag/ai monthly 0.5 https://www.stratosphereips.org/blog/tag/AI monthly 0.5 https://www.stratosphereips.org/blog/tag/zeek monthly 0.5 https://www.stratosphereips.org/blog/tag/stratosphere+linux+ips monthly 0.5 https://www.stratosphereips.org/blog/tag/vulnerability monthly 0.5 https://www.stratosphereips.org/blog/tag/analysis monthly 0.5 https://www.stratosphereips.org/blog/tag/ips monthly 0.5 https://www.stratosphereips.org/blog/tag/javascript monthly 0.5 https://www.stratosphereips.org/blog/tag/passwd monthly 0.5 https://www.stratosphereips.org/blog/tag/install monthly 0.5 https://www.stratosphereips.org/blog/tag/underground monthly 0.5 https://www.stratosphereips.org/blog/tag/red+team monthly 0.5 https://www.stratosphereips.org/blog/tag/threat+intelligence monthly 0.5 https://www.stratosphereips.org/blog/tag/Functional+Metrics monthly 0.5 https://www.stratosphereips.org/blog/tag/data+viz monthly 0.5 https://www.stratosphereips.org/blog/tag/gui monthly 0.5 https://www.stratosphereips.org/blog/tag/gsoc2024 monthly 0.5 https://www.stratosphereips.org/blog/tag/doh monthly 0.5 https://www.stratosphereips.org/blog/tag/poster monthly 0.5 https://www.stratosphereips.org/blog/tag/privacy+attacks monthly 0.5 https://www.stratosphereips.org/blog/tag/infection monthly 0.5 https://www.stratosphereips.org/blog/tag/conference monthly 0.5 https://www.stratosphereips.org/blog/tag/blackhat monthly 0.5 https://www.stratosphereips.org/blog/tag/aivpn monthly 0.5 https://www.stratosphereips.org/blog/tag/gsoc2023 monthly 0.5 https://www.stratosphereips.org/blog/tag/doq monthly 0.5 https://www.stratosphereips.org/blog/tag/computational+propaganda monthly 0.5 https://www.stratosphereips.org/blog/tag/dot monthly 0.5 https://www.stratosphereips.org/blog/tag/AIDojo monthly 0.5 https://www.stratosphereips.org/blog/tag/smb monthly 0.5 https://www.stratosphereips.org/blog/tag/aip monthly 0.5 https://www.stratosphereips.org/blog/tag/students monthly 0.5 https://www.stratosphereips.org/blog/tag/serpapi monthly 0.5 https://www.stratosphereips.org/blog/tag/teaching monthly 0.5 https://www.stratosphereips.org/blog/tag/traffic+capture monthly 0.5 https://www.stratosphereips.org/blog/tag/immunity monthly 0.5 https://www.stratosphereips.org/blog/tag/tools monthly 0.5 https://www.stratosphereips.org/blog/tag/measurement monthly 0.5 https://www.stratosphereips.org/blog/tag/cve monthly 0.5 https://www.stratosphereips.org/blog/tag/Explainable+AI monthly 0.5 https://www.stratosphereips.org/blog/tag/allowlists monthly 0.5 https://www.stratosphereips.org/blog/tag/attack monthly 0.5 https://www.stratosphereips.org/blog/tag/aposemat monthly 0.5 https://www.stratosphereips.org/blog/tag/feeds monthly 0.5 https://www.stratosphereips.org/blog/tag/Malware monthly 0.5 https://www.stratosphereips.org/blog/tag/Behavioral+Analysis monthly 0.5 https://www.stratosphereips.org/blog/tag/camera monthly 0.5 https://www.stratosphereips.org/blog/tag/uptimerobot monthly 0.5 https://www.stratosphereips.org/blog/tag/macos monthly 0.5 https://www.stratosphereips.org/blog/tag/nlnet monthly 0.5 https://www.stratosphereips.org/blog/tag/funding monthly 0.5 https://www.stratosphereips.org/blog/tag/malware monthly 0.5 https://www.stratosphereips.org/blog/tag/Dataset monthly 0.5 https://www.stratosphereips.org/blog/tag/pyration monthly 0.5 https://www.stratosphereips.org/blog/tag/machine+learning monthly 0.5 https://www.stratosphereips.org/blog/tag/open+informatics monthly 0.5 https://www.stratosphereips.org/blog/tag/secure+dns monthly 0.5 https://www.stratosphereips.org/blog/tag/edimax monthly 0.5 https://www.stratosphereips.org/blog/tag/Turris monthly 0.5 https://www.stratosphereips.org/blog/tag/IoT-23Dataset monthly 0.5 https://www.stratosphereips.org/blog/tag/splunk monthly 0.5 https://www.stratosphereips.org/blog/tag/collectress monthly 0.5 https://www.stratosphereips.org/blog/tag/best+paper+award monthly 0.5 https://www.stratosphereips.org/blog/tag/cvut monthly 0.5 https://www.stratosphereips.org/blog/tag/publications monthly 0.5 https://www.stratosphereips.org/blog/tag/binary+analysis monthly 0.5 https://www.stratosphereips.org/blog/tag/SCSD monthly 0.5 https://www.stratosphereips.org/blog/tag/defending monthly 0.5 https://www.stratosphereips.org/blog/tag/IoT23Dataset monthly 0.5 https://www.stratosphereips.org/blog/tag/fel monthly 0.5 https://www.stratosphereips.org/blog/tag/ieee monthly 0.5 https://www.stratosphereips.org/blog/tag/research monthly 0.5 https://www.stratosphereips.org/blog/tag/cloud monthly 0.5 https://www.stratosphereips.org/blog/tag/malware+analysis monthly 0.5 https://www.stratosphereips.org/blog/tag/active+directory monthly 0.5 https://www.stratosphereips.org/blog/tag/safelist monthly 0.5 https://www.stratosphereips.org/blog/tag/Graphs monthly 0.5 https://www.stratosphereips.org/blog/tag/taxii monthly 0.5 https://www.stratosphereips.org/blog/tag/protocols monthly 0.5 https://www.stratosphereips.org/blog/tag/ctu+in+prague monthly 0.5 https://www.stratosphereips.org/blog/tag/Large+Language+Models monthly 0.5 https://www.stratosphereips.org/blog/tag/fake+news monthly 0.5 https://www.stratosphereips.org/blog/tag/Python monthly 0.5 https://www.stratosphereips.org/blog/tag/traffic monthly 0.5 https://www.stratosphereips.org/blog/tag/ML monthly 0.5 https://www.stratosphereips.org/blog/tag/excution monthly 0.5 https://www.stratosphereips.org/blog/tag/blocklist monthly 0.5 https://www.stratosphereips.org/blog/tag/summer+school monthly 0.5 https://www.stratosphereips.org/blog/tag/game+theory monthly 0.5 https://www.stratosphereips.org/blog/tag/hacktivism monthly 0.5 https://www.stratosphereips.org/blog/tag/geost monthly 0.5 https://www.stratosphereips.org/blog/tag/trojan monthly 0.5 https://www.stratosphereips.org/blog/tag/DEFCON monthly 0.5 https://www.stratosphereips.org/blog/tag/cybersecurity monthly 0.5 https://www.stratosphereips.org/blog/tag/tool monthly 0.5 https://www.stratosphereips.org/blog/tag/Android monthly 0.5 https://www.stratosphereips.org/blog/tag/civilsphere monthly 0.5 https://www.stratosphereips.org/blog/tag/network+traffic monthly 0.5 https://www.stratosphereips.org/blog/tag/IoT+laboratory monthly 0.5 https://www.stratosphereips.org/blog/tag/node.js monthly 0.5 https://www.stratosphereips.org/blog/tag/slips monthly 0.5 https://www.stratosphereips.org/blog/tag/AI+agents monthly 0.5 https://www.stratosphereips.org/blog/tag/survey monthly 0.5 https://www.stratosphereips.org/blog/tag/ids monthly 0.5 https://www.stratosphereips.org/blog/tag/support monthly 0.5 https://www.stratosphereips.org/blog/tag/wacco monthly 0.5 https://www.stratosphereips.org/blog/tag/arsenal monthly 0.5 https://www.stratosphereips.org/blog/tag/h0neytr4p monthly 0.5 https://www.stratosphereips.org/blog/tag/cybercrime monthly 0.5 https://www.stratosphereips.org/blog/tag/stratocyberlab monthly 0.5 https://www.stratosphereips.org/blog/tag/code monthly 0.5 https://www.stratosphereips.org/blog/tag/Security+Games monthly 0.5 https://www.stratosphereips.org/blog/tag/android monthly 0.5 https://www.stratosphereips.org/blog/tag/free-software monthly 0.5 https://www.stratosphereips.org/blog/tag/Network+Security monthly 0.5 https://www.stratosphereips.org/blog/tag/privacy monthly 0.5 https://www.stratosphereips.org/blog/tag/learning monthly 0.5 https://www.stratosphereips.org/blog/tag/diagrams monthly 0.5 https://www.stratosphereips.org/blog/tag/training monthly 0.5 https://www.stratosphereips.org/blog/tag/anomaly+detection monthly 0.5 https://www.stratosphereips.org/blog/tag/CZNIC monthly 0.5 https://www.stratosphereips.org/blog/tag/machete monthly 0.5 https://www.stratosphereips.org/blog/tag/interface monthly 0.5 https://www.stratosphereips.org/blog/tag/raspberry+pi monthly 0.5 https://www.stratosphereips.org/blog/tag/IoT monthly 0.5 https://www.stratosphereips.org/blog/tag/docker monthly 0.5 https://www.stratosphereips.org/blog/tag/deep+learning monthly 0.5 https://www.stratosphereips.org/blog/tag/security monthly 0.5 https://www.stratosphereips.org/blog/tag/white+paper monthly 0.5 https://www.stratosphereips.org/blog/tag/award monthly 0.5 https://www.stratosphereips.org/blog/tag/paper monthly 0.5 https://www.stratosphereips.org/blog/tag/TA%C4%8CR monthly 0.5 https://www.stratosphereips.org/blog/tag/htbot monthly 0.5 https://www.stratosphereips.org/blog/tag/ipv6 monthly 0.5 https://www.stratosphereips.org/blog/tag/linux monthly 0.5 https://www.stratosphereips.org/blog/tag/ngo monthly 0.5 https://www.stratosphereips.org/blog/tag/talks monthly 0.5 https://www.stratosphereips.org/blog/tag/otev%C5%99en%C3%A1+informatika monthly 0.5 https://www.stratosphereips.org/blog/tag/oi monthly 0.5 https://www.stratosphereips.org/blog/tag/obfuscation monthly 0.5 https://www.stratosphereips.org/blog/tag/blue+team monthly 0.5 https://www.stratosphereips.org/blog/tag/wrapup monthly 0.5 https://www.stratosphereips.org/blog/tag/data+analysis monthly 0.5 https://www.stratosphereips.org/blog/tag/sap monthly 0.5 https://www.stratosphereips.org/blog/tag/remote+access+trojan monthly 0.5 https://www.stratosphereips.org/blog/tag/propaganda monthly 0.5 https://www.stratosphereips.org/blog/tag/network+traffic+analysis monthly 0.5 https://www.stratosphereips.org/blog/tag/Reinforcement+Learning monthly 0.5 https://www.stratosphereips.org/blog/tag/reverse+engineering monthly 0.5 https://www.stratosphereips.org/blog/tag/Guest+Post monthly 0.5 https://www.stratosphereips.org/blog/tag/llm monthly 0.5 https://www.stratosphereips.org/blog/tag/attacking monthly 0.5 https://www.stratosphereips.org/blog/tag/honeypot monthly 0.5 https://www.stratosphereips.org/blog/tag/gsoc monthly 0.5 https://www.stratosphereips.org/blog/tag/Explanation+Evaluation monthly 0.5 https://www.stratosphereips.org/blog/tag/yara+rules monthly 0.5 https://www.stratosphereips.org/blog/tag/ngomarket monthly 0.5 https://www.stratosphereips.org/blog/tag/CTF monthly 0.5 https://www.stratosphereips.org/blog/tag/eurosp monthly 0.5 https://www.stratosphereips.org/blog/tag/translation monthly 0.5 https://www.stratosphereips.org/blog/tag/malware+research monthly 0.5 https://www.stratosphereips.org/blog/tag/botnet monthly 0.5 https://www.stratosphereips.org/blog/tag/owaspcz monthly 0.5 https://www.stratosphereips.org/blog/tag/APK monthly 0.5 https://www.stratosphereips.org/home daily 1.0 2025-09-02 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510062563172-LMM03XB4Q3IQX076NOBU/stratosphere-stock-3.jpg Home https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524131391-41S396GGQN3CT4BG22MC/sebas-garcia.webp Home - Sebastian Garcia https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524130925-4U7RW8P6OHDTUYLGC8IW/Screenshot%2B2022-02-03%2Bat%2B0.05.48.webp Home - Veronica Valeros https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524126625-DRL75NAG4V1H6EBFZGUO/maria-rigaki.webp Home - Maria Rigaki https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524128653-V47E9TQ2YVLMWX5S3FBE/Ondrej-Lukas.webp Home - Ondřej Lukáš https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524128376-VH0G44NESZY92156I2A6/muris_sladic.webp Home - Muris Sladić https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524124439-FWHZIGYROBIY0Y9550GU/1678556794919.webp Home - Alya Gomaa https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524126699-A8U4803VYF3S20771VHJ/martin-repa.webp Home - Martin Řepa https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524125649-1S1Y9AD07J614ISKX9KS/lukas-forst.webp Home - Lukáš Forst https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1773673125286-5JN68M91N1NC0GER9LIT/Carlos+Catania.jpeg Home - Carlos Catania https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1774948973583-QDYD119ZK4EVCLPCZKR2/svoboda_headshot.webp Home - Jan Svoboda https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524130473-B8YXKEGHIE5ENKTH2IP0/profile.webp Home - Eman Alibalić https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524129867-4TNL2FRKHWPCCYIS04DR/Photo.webp Home - Juan Ignacio Bousquet https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524127482-VJ57B95USHN91X2WE17A/masarah.webp Home - Masarah Paquet-Clouston https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524124469-N8GIB5F2UBIAFYYE0XZE/anna.webp Home - Anna Širokova https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1773128797119-D0YA9W28UBPUNPU6A2EI/kucera-jan.jpeg Home - Jan Kučera https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524125657-GDHIM14XBMJLEW1YLZVH/bryan.webp Home - Bryan Campbell https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1773128850976-V3525YL9RSL6AREO0AW6/forni-diego.jpeg Home - Diego Forni https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524127754-NEBHX0M5FG2Y6NHN6LWM/Mohammad-Amr-Khan-1x1.webp Home - Mohammad Amr Khan https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524129374-SFFS6NT4A81FBV0DU4M4/pavel-janata.webp Home - Pavel Janata https://www.stratosphereips.org/thesis-projects-list daily 0.75 2025-02-26 https://www.stratosphereips.org/thesis-projects-list/2024/5/26/large-language-models-as-defensive-honeypots monthly 0.5 2025-02-26 https://www.stratosphereips.org/thesis-projects-list/2023/5/26/a-network-dataset-of-normal-malware-attack-and-background-traffic-on-a-real-network monthly 0.5 2025-02-26 https://www.stratosphereips.org/thesis-projects-list/nq79sbsgl8grtydi976h1o0o5da2ik monthly 0.5 2025-02-26 https://www.stratosphereips.org/thesis-projects-list/2022/3/12/federated-learning-for-network-security monthly 0.5 2025-02-26 https://www.stratosphereips.org/thesis-projects-list/2022/3/12/global-permissionless-p2p-system-for-sharing-distributed-threat-intelligence monthly 0.5 2025-02-26 https://www.stratosphereips.org/thesis-projects-list/2022/3/12/detection-of-computational-propaganda-according-to-its-spread-on-the-internet monthly 0.5 2025-02-26 https://www.stratosphereips.org/thesis-projects-list/2022/3/12/trust-model-for-global-peer-to-peer-intrusion-prevention-system monthly 0.5 2025-02-26 https://www.stratosphereips.org/thesis-projects-list/2021/5/20/machine-learning-privacy-analysis-and-implementation-of-model-extraction-attacks monthly 0.5 2022-03-12 https://www.stratosphereips.org/thesis-projects-list/execution-analysis-and-detection-of-android-rats-traffic-dfemh monthly 0.5 2022-03-12 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1616415962817-CH2GMFOD3RKQ9P01I9MD/Thomas%2BO%2527Hara.jpg Thesis Projects - The Attacker IP Prioritizer : An IoT Optimized Blacklisting Algorithm Thomas O’Hara https://www.stratosphereips.org/thesis-projects-list/gnn-for-ad-honeypot monthly 0.5 2022-03-12 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1615476688147-48KJ97II35YZ2VQQUBT1/b0e8ec6443191356e99cbeadcff2245bf0cde46f.jpg Thesis Projects - Graph Generative Models for Decoy Targets in Active Directory Ondrej Lukas https://www.stratosphereips.org/thesis-projects-list/execution-analysis-and-detection-of-android-rats-traffic monthly 0.5 2022-03-12 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1613382844632-Y560XEL387ZV1JIAIDA9/kami.jpg Thesis Projects - Execution, Analysis and Detection of Android RATs traffic Kamila Babayeva https://www.stratosphereips.org/thesis-projects-list/2020/5/23/trust-models-on-adversarial-distributed-security-agents monthly 0.5 2022-03-12 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1590235286095-8JEPQ09BM1I3T0RKH3WN/Dita-aic.jpg Thesis Projects - Trust models on adversarial distributed security agents DITA HOLLMANNOVÁ https://www.stratosphereips.org/thesis-projects-list/2020/5/23/the-first-comprehensive-report-on-the-state-of-the-security-of-mobile-phones-of-civil-society monthly 0.5 2022-03-12 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1590233085257-FBQHROYV9FWLB592V0YC/Civilsphere.png Thesis Projects - The first comprehensive report on the state of the security of mobile phones of civil society https://www.stratosphereips.org/thesis-projects-list/2020/4/22/identifying-malicious-hosts-by-aggregation-of-partial-detections monthly 0.5 2020-05-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587585052513-2721990TIH40XH5M15VH/Ondrej-Lukas.jpg Thesis Projects - IDENTIFYING MALICIOUS HOSTS BY AGGREGATION OF PARTIAL DETECTIONS ONDŘEJ LUKÁŠ https://www.stratosphereips.org/thesis-projects-list/2020/4/22/identification-of-network-users-by-profiling-their-behavior monthly 0.5 2020-05-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587584883475-5RVLR1DF0LY0MFDWWYW4/StratoLogo.png Thesis Projects - IDENTIFICATION OF NETWORK USERS BY PROFILING THEIR BEHAVIOR DAVID KUBEŠA https://www.stratosphereips.org/thesis-projects-list/2020/4/22/graph-based-analysis-of-malware-network-behaviors monthly 0.5 2020-05-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587584762381-48QZ50YBRW52MXQIMZ08/StratoLogo.png Thesis Projects - GRAPH-BASED ANALYSIS OF MALWARE NETWORK BEHAVIORS DANIEL ŠMOLIK https://www.stratosphereips.org/thesis-projects-list/2020/4/22/manati-web-assistance-for-the-threat-analysis-supported-by-domain-similarity monthly 0.5 2020-05-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587584525099-RKKQIQ3J6WEQWCT0C95R/Raul-Benitez.jpeg Thesis Projects - MANATI: WEB ASSISTANCE FOR THE THREAT ANALYSIS SUPPORTED BY DOMAIN SIMILARITY RAUL BENITEZ NETO https://www.stratosphereips.org/thesis-projects-list/2020/4/22/anomaly-detection-of-host-roles-in-computer-networks monthly 0.5 2026-01-06 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/18661531-3def-4ceb-9e2c-7a45222ecd36/new_yura_pic.jpg Thesis Projects - ANOMALY DETECTION OF HOST ROLES IN COMPUTER NETWORKS YURY KASIMOV https://www.stratosphereips.org/thesis-projects-list/2020/4/22/detection-of-security-attacks-on-networks-using-ensembling-techniques monthly 0.5 2022-03-12 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587584121369-H9DDWWGEH04YM1HGKWX6/PaulaVenosa-UNLP3.jpg Thesis Projects - DETECTION OF SECURITY ATTACKS ON NETWORKS USING ENSEMBLING TECHNIQUES PAULA VENOSA https://www.stratosphereips.org/thesis-projects-list/2020/4/22/profiling-and-detection-of-iot-attacks-in-telnet-traffic monthly 0.5 2020-05-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587583637060-G5TDQZZ8N5V4NPSXKKWF/simona-profile.jpg Thesis Projects - PROFILING AND DETECTION OF IOT ATTACKS IN TELNET TRAFFIC SIMONA MUSILOVA https://www.stratosphereips.org/thesis-projects-list/2020/4/22/analysis-and-comparison-of-the-characteristics-of-high-performance-systems-and-botnets monthly 0.5 2020-10-20 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587583458969-XBJDZ5YVFAZY9R9QN8DG/mariajose.jpg Thesis Projects - ANALYSIS AND COMPARISON OF THE CHARACTERISTICS OF HIGH PERFORMANCE SYSTEMS AND BOTNETS MARIA JOSE ERQUIAGA https://www.stratosphereips.org/thesis-projects-list/2020/4/22/should-i-click-project monthly 0.5 2022-03-12 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587583104035-CBHE0OZATR8EH289FR4Q/image-asset.jpeg Thesis Projects - Should I click on a link? Machine Learning to Protect from Cyber Attacks on the Web FRANTIŠEK STŘASÁK https://www.stratosphereips.org/thesis-projects-list/2020/4/22/behavioral-analysis-and-detection-of-iot-malware-using-the-irc-protocol monthly 0.5 2022-03-12 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587583000623-HN4GN3W67QT2EH1FBZ25/image-asset.jpeg Thesis Projects - BEHAVIORAL ANALYSIS AND DETECTION OF IOT MALWARE USING THE IRC PROTOCOL ONDŘEJ PRENĚK https://www.stratosphereips.org/thesis-projects-list/2017/6/20/detection-of-https-malware-traffic monthly 0.5 2022-03-12 https://www.stratosphereips.org/thesis-projects-list/category/Finished monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/category/Ongoing monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Martin+%C5%98epa monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Muris+Sladi%C4%8B monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Ond%C5%99ej+Lukas monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Raul+Benitez+Neto monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Master+Thesis monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/David+Kube%C5%A1a monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Jakub+%C4%8Cech monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Lukas+Forst monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Franti%C5%A1ek+St%C5%99as%C3%A1k monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Kamila+Babayeva monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Daniel+%C5%A0molik monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Vit+Karafiat monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/%C5%A0t%C4%9Bp%C3%A1n+Bendl monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Maria+Jose+Erquiaga monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Yury+Kasimov monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Ond%C5%99ej+Pren%C4%9Bk monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Thomas+O%27Hara monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Pavel+Janata monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Simona+Musilova monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Paula+Venosa monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Ond%C5%99ej+Bou%C4%8Dek monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Bachelor+Thesis monthly 0.5 https://www.stratosphereips.org/thesis-projects-list/tag/Dita+Hollmannov%C3%A1 monthly 0.5 https://www.stratosphereips.org/job-opportunities daily 0.75 2024-04-18 https://www.stratosphereips.org/job-opportunities/category/Open+Positions monthly 0.5 https://www.stratosphereips.org/publications daily 0.75 2023-06-08 https://www.stratosphereips.org/publications/2019/11/10/hack-me-do-deploying-an-iot-malware-laboratory-to-analyze-malicious-behavior monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589126979582-SAK4OB0YSE2DJTAWK0HT/audit-3737447_640.jpg Publications - Hack me-do. Deploying an IoT Malware Laboratory to Analyze Malicious Behavior https://www.stratosphereips.org/publications/2019/10/31/ensembling-to-improve-infected-hosts-detection monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589126510801-SW2G0JMTPO2S7DXFYNR4/Publications+%285%29.png Publications - Ensembling to improve infected hosts detection https://www.stratosphereips.org/publications/2019/9/20/detecting-dns-threats-a-deep-learning-model-to-rule-them-all monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589121446607-VRAA1ZXU1ZKRW6OAX8VG/Frequency-Character-Distribution.png Publications - Detecting DNS Threats: A Deep Learning Model to Rule Them All https://www.stratosphereips.org/publications/2019/8/19/geost-botnet-operational-security-failures-lead-to-a-new-android-banking-threat monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589121164958-CMAJUC91PJVOJ483564Z/Geost-Poster.png Publications - Geost Botnet: Operational security failures lead to a new Android banking threat Figure 1. Discovery of Geost. Our instance of HtBot was used by the Geost botmasters, relaying data to our bot when they accessed the C&C server. https://www.stratosphereips.org/publications/2019/6/19/machete-dissecting-the-operations-of-a-cyber-espionage-group-in-latin-america monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589121570351-EC0PU2VZBQS1MKHLMKF3/machete.png Publications - Machete: Dissecting the Operations of a Cyber Espionage Group in Latin America https://www.stratosphereips.org/publications/2019/5/19/deep-convolutional-neural-networks-for-dga-detection monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589124813491-0FULEOJBFAOJRJM3CQMA/image-asset.jpeg Publications - Deep Convolutional Neural Networks for DGA Detection https://www.stratosphereips.org/publications/2018/10/31/an-analysis-of-convolutional-neural-networks-for-detecting-dga monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589125166726-F527E34YW5LDKH16UOS2/Publications+%283%29.png Publications - An Analysis of Convolutional Neural Networks for detecting DGA https://www.stratosphereips.org/publications/2018/5/24/bringing-a-gan-to-a-knife-fight-adapting-malware-communication-to-avoid-detection monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589121668246-U0ERTCSMRA8Y86ICD83M/GANs.png Publications - Bringing a GAN to a Knife-Fight: Adapting Malware Communication to Avoid Detection. https://www.stratosphereips.org/publications/2018/5/5/arming-malware-with-gans monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589121997311-S8HEQ7CO1QTDD6KPIOOO/Maria-GANs-talk-Security-Sessions.png Publications - Arming Malware with GANs https://www.stratosphereips.org/publications/2020/5/5/reliable-machine-learning-for-networking-key-issues-and-approaches monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589124890098-1NQF5EEL853VMDE6HCAT/audit-3737447_640.jpg Publications - Reliable Machine Learning for Networking: Key Issues and Approaches. https://www.stratosphereips.org/publications/2020/5/5/detection-of-https-malware-traffic monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589122680649-G7G6TSUWVRBX9YITKIU7/Strasak.png Publications - Detection of HTTPS Malware Traffic https://www.stratosphereips.org/publications/2017/5/5/6w4wkdy4lv9p47p0xli6driqle74or monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589123512546-BAMN88KRJA10TEXB2Q8J/Publications-1.png Publications - Observer effect: How Intercepting HTTPS traffic forces malware to change their behavior https://www.stratosphereips.org/publications/2016/6/15/detecting-dga-malware-traffic-through-behavioral-models monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589125487681-77L5HBN8U0NP92LCCRHJ/Publications+%284%29.png Publications - Detecting DGA malware traffic through behavioral models https://www.stratosphereips.org/publications/2015/12/21/the-network-behavior-of-targeted-attacks-models-for-malware-identification-and-detection monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589122158184-UJ7DP9WGRS4FQ7EFT221/Garcia.png Publications - The Network Behavior of Targeted Attacks. Models for Malware Identification and Detection. https://www.stratosphereips.org/publications/2015/10/5/modelling-the-network-behaviour-of-malware-to-block-malicious-patterns monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589122548714-GPN7T0H2719Y9CT2O1RV/Characteristics+of+the+botnet+captures.+%28CF_+Click+Fraud%2C+PS_+Port+Scan%2C+US_+Compiled+and+controlled+by+us.%29.png Publications - Modelling the Network Behaviour of Malware To Block Malicious Patterns https://www.stratosphereips.org/publications/2014/12/5/identifying-modeling-and-detecting-botnet-behaviors-in-the-network monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589123855289-ORH07A09QNSTOUVH49B8/Summary-schema-of-the-BClus-detection-method_W640.jpg Publications - Identifying, Modeling and Detecting Botnet Behaviors in the Network https://www.stratosphereips.org/publications/2014/5/11/an-empirical-comparison-of-botnet-detection-methods monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589124122727-VVQK4ZQPQYIMUX3YSDVM/Publications+%281%29.png Publications - An Empirical Comparison of Botnet Detection Methods https://www.stratosphereips.org/publications/2013/01/5/survey-on-network-based-botnet-detection-methods monthly 0.5 2020-05-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1589124320109-UW6781CYM3BJWQ1JE0K6/Publications+%282%29.png Publications - Survey on Network-based Botnet Detection Methods. https://www.stratosphereips.org/publications/category/Conferences monthly 0.5 https://www.stratosphereips.org/publications/category/Conference+Talk monthly 0.5 https://www.stratosphereips.org/publications/category/Thesis monthly 0.5 https://www.stratosphereips.org/publications/category/Journals+and+Books monthly 0.5 https://www.stratosphereips.org/publications/tag/D%C3%ADaz monthly 0.5 https://www.stratosphereips.org/publications/tag/Hammerschmidt monthly 0.5 https://www.stratosphereips.org/publications/tag/Verwer monthly 0.5 https://www.stratosphereips.org/publications/tag/Garino monthly 0.5 https://www.stratosphereips.org/publications/tag/Erquiaga monthly 0.5 https://www.stratosphereips.org/publications/tag/Shirokova monthly 0.5 https://www.stratosphereips.org/publications/tag/St%C5%99as%C3%A1k monthly 0.5 https://www.stratosphereips.org/publications/tag/Venosa monthly 0.5 https://www.stratosphereips.org/publications/tag/Torres monthly 0.5 https://www.stratosphereips.org/publications/tag/Guerra monthly 0.5 https://www.stratosphereips.org/publications/tag/Grill monthly 0.5 https://www.stratosphereips.org/publications/tag/Rigaki monthly 0.5 https://www.stratosphereips.org/publications/tag/Catania monthly 0.5 https://www.stratosphereips.org/publications/tag/Valeros monthly 0.5 https://www.stratosphereips.org/publications/tag/Zunino monthly 0.5 https://www.stratosphereips.org/publications/tag/2019 monthly 0.5 https://www.stratosphereips.org/publications/tag/2018 monthly 0.5 https://www.stratosphereips.org/publications/tag/Campo monthly 0.5 https://www.stratosphereips.org/publications/tag/2017 monthly 0.5 https://www.stratosphereips.org/publications/tag/2016 monthly 0.5 https://www.stratosphereips.org/publications/tag/2015 monthly 0.5 https://www.stratosphereips.org/publications/tag/2014 monthly 0.5 https://www.stratosphereips.org/publications/tag/State monthly 0.5 https://www.stratosphereips.org/publications/tag/Garcia monthly 0.5 https://www.stratosphereips.org/publications/tag/2013 monthly 0.5 https://www.stratosphereips.org/publications/tag/Stiborek monthly 0.5 https://www.stratosphereips.org/publications/tag/Palau monthly 0.5 https://www.stratosphereips.org/thesis-openings daily 0.75 2025-05-13 https://www.stratosphereips.org/thesis-openings/2025/5/13/ai-based-attacking-agent monthly 0.5 2025-05-13 https://www.stratosphereips.org/thesis-openings/2025/5/13/llm-based-honeypots monthly 0.5 2025-05-13 https://www.stratosphereips.org/thesis-openings/2025/5/13/network-security-dataset-creation monthly 0.5 2025-05-13 https://www.stratosphereips.org/thesis-openings/category/Thesis monthly 0.5 https://www.stratosphereips.org/thesis-openings/tag/Datasets monthly 0.5 https://www.stratosphereips.org/thesis-openings/tag/AI monthly 0.5 https://www.stratosphereips.org/thesis-openings/tag/Agents monthly 0.5 https://www.stratosphereips.org/thesis-openings/tag/Cybersecurity monthly 0.5 https://www.stratosphereips.org/thesis-openings/tag/LLM monthly 0.5 https://www.stratosphereips.org/thesis-openings/tag/Honeypots monthly 0.5 https://www.stratosphereips.org/our-people daily 0.75 2026-03-31 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524131391-41S396GGQN3CT4BG22MC/sebas-garcia.webp Our People - Sebastian Garcia https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524131391-41S396GGQN3CT4BG22MC/sebas-garcia.webp Our People - Sebastian Garcia https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524130925-4U7RW8P6OHDTUYLGC8IW/Screenshot%2B2022-02-03%2Bat%2B0.05.48.webp Our People - Veronica Valeros https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524126625-DRL75NAG4V1H6EBFZGUO/maria-rigaki.webp Our People - Maria Rigaki https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524128653-V47E9TQ2YVLMWX5S3FBE/Ondrej-Lukas.webp Our People - Ondřej Lukáš https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524128376-VH0G44NESZY92156I2A6/muris_sladic.webp Our People - Muris Sladić https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524124439-FWHZIGYROBIY0Y9550GU/1678556794919.webp Our People - Alya Gomaa https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524126699-A8U4803VYF3S20771VHJ/martin-repa.webp Our People - Martin Řepa https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524125649-1S1Y9AD07J614ISKX9KS/lukas-forst.webp Our People - Lukáš Forst https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1773673125286-5JN68M91N1NC0GER9LIT/Carlos+Catania.jpeg Our People - Carlos Catania https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1774948973583-QDYD119ZK4EVCLPCZKR2/svoboda_headshot.webp Our People - Jan Svoboda https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524130473-B8YXKEGHIE5ENKTH2IP0/profile.webp Our People - Eman Alibalić https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524129867-4TNL2FRKHWPCCYIS04DR/Photo.webp Our People - Juan Ignacio Bousquet https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524127482-VJ57B95USHN91X2WE17A/masarah.webp Our People - Masarah Paquet-Clouston https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524124469-N8GIB5F2UBIAFYYE0XZE/anna.webp Our People - Anna Širokova https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1773128797119-D0YA9W28UBPUNPU6A2EI/kucera-jan.jpeg Our People - Jan Kučera https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524125657-GDHIM14XBMJLEW1YLZVH/bryan.webp Our People - Bryan Campbell https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1773128850976-V3525YL9RSL6AREO0AW6/forni-diego.jpeg Our People - Diego Forni https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524127754-NEBHX0M5FG2Y6NHN6LWM/Mohammad-Amr-Khan-1x1.webp Our People - Mohammad Amr Khan https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524129374-SFFS6NT4A81FBV0DU4M4/pavel-janata.webp Our People - Pavel Janata https://www.stratosphereips.org/new-cover-page-1 daily 0.75 2025-08-18 https://www.stratosphereips.org/download daily 0.75 2017-11-07 https://www.stratosphereips.org/datasets-malware daily 0.75 2023-03-27 https://www.stratosphereips.org/projects-civilsphere daily 0.75 2022-07-19 https://www.stratosphereips.org/publications-overview daily 0.75 2020-05-11 https://www.stratosphereips.org/stratosphere-ips-suite daily 0.75 2022-07-14 https://www.stratosphereips.org/team daily 0.75 2026-03-27 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/f5f225b0-95e5-4a80-9bad-af7d97673462/stratologo-letters.jpeg Our Team - Stratosphere Laboratory Cybersecurity, AI, helping society. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524131391-41S396GGQN3CT4BG22MC/sebas-garcia.webp Our Team - Sebastian Garcia https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524130925-4U7RW8P6OHDTUYLGC8IW/Screenshot%2B2022-02-03%2Bat%2B0.05.48.webp Our Team - Veronica Valeros https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524126625-DRL75NAG4V1H6EBFZGUO/maria-rigaki.webp Our Team - Maria Rigaki https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524128653-V47E9TQ2YVLMWX5S3FBE/Ondrej-Lukas.webp Our Team - Ondřej Lukáš https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524128376-VH0G44NESZY92156I2A6/muris_sladic.webp Our Team - Muris Sladić https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524124439-FWHZIGYROBIY0Y9550GU/1678556794919.webp Our Team - Alya Gomaa https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524126699-A8U4803VYF3S20771VHJ/martin-repa.webp Our Team - Martin Řepa https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524125649-1S1Y9AD07J614ISKX9KS/lukas-forst.webp Our Team - Lukáš Forst https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1773673125286-5JN68M91N1NC0GER9LIT/Carlos+Catania.jpeg Our Team - Carlos Catania https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1774948973583-QDYD119ZK4EVCLPCZKR2/svoboda_headshot.webp Our Team - Jan Svoboda https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524130473-B8YXKEGHIE5ENKTH2IP0/profile.webp Our Team - Eman Alibalić https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524129867-4TNL2FRKHWPCCYIS04DR/Photo.webp Our Team - Juan Ignacio Bousquet https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524127482-VJ57B95USHN91X2WE17A/masarah.webp Our Team - Masarah Paquet-Clouston https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524124469-N8GIB5F2UBIAFYYE0XZE/anna.webp Our Team - Anna Širokova https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1773128797119-D0YA9W28UBPUNPU6A2EI/kucera-jan.jpeg Our Team - Jan Kučera https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524125657-GDHIM14XBMJLEW1YLZVH/bryan.webp Our Team - Bryan Campbell https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1773128850976-V3525YL9RSL6AREO0AW6/forni-diego.jpeg Our Team - Diego Forni https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524127754-NEBHX0M5FG2Y6NHN6LWM/Mohammad-Amr-Khan-1x1.webp Our Team - Mohammad Amr Khan https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1755524129374-SFFS6NT4A81FBV0DU4M4/pavel-janata.webp Our Team - Pavel Janata https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/da408c88-d5e5-4015-ae0d-3d7a9c4f1afd/escudo+uncuyo+color+2023.png Our Team - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/84385ac3-c659-4da0-b195-b0a93dd17b50/Pro+obrazovku.png Our Team - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/35577614-e686-48b1-8988-5c673a27a652/Primary-Compact.png Our Team - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/5b746e5e-952c-495d-9c84-06429de03a2e/UK-logo-square-EN.png Our Team - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/c43174d2-451e-4ed0-96e0-f9d2fafd12df/.png_TuDelft_logo_rgb.png Our Team - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/3429a4e9-0da5-4a2f-882a-c4f4c83f1e09/Logo_AIC_FEECTU_Primary_v2.png Our Team https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510022419845-T98BV40EAV4OTUDQMOR5/NLNet+Foundation.png Our Team https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1613145036386-QM942UAMKKHC662Z0PPO/uptimerobot.jpg Our Team https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510064325763-CMHM3BSFW7BVN6SRITB1/Dot+CZ+logo+2012.png Our Team https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1613145078449-9JPMB5NJZLKLSFY71QA3/riskiqlogo.png Our Team https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510066525305-07K54NHUV6ACXI6C173X/avast_foundation.png Our Team https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510083514326-6PUQ4AS0UA1OY1K9DWIM/whalebone-logo.png Our Team https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1641809330407-KC52EJGW8P8ENXBP9RZE/images.png Our Team - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571851571584-ZFVGYDHKMK6TUMNFC6CK/Albert01.jpg Our Team - A. MÖHWALD https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571851583221-QQD2X0QZHK8YTL6OKG5H/Zally.jpg Our Team - Q. MEZA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571851596696-4W0NSRFP1V26ZF8ZN4H1/isra-stratosphere.png Our Team - ISRAEL LEIVA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571851747240-SFBWGYDUQM3I8RCRV9XZ/jacobo-600px.jpeg Our Team - JACOBO NAJERA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571851639573-ZDUUZ7F08BKGGIJ8S2JS/StratoLogo.png Our Team - DAVID KUBEŠA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571851649476-8RUN3GNYK7KHMMHR6U45/StratoLogo.png Our Team - DANIEL ŠMOLIK https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571851670465-M27BWTLY0ZMJHG5738ZI/Civilsphere.png Our Team - JAKUB HLUSIČKA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1572873854545-LTI1VT74YL26N0ZH6RM4/Raul-Benitez.jpeg Our Team - RAUL BENITEZ https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1572873863807-B9QYCMC5BU9MKUON0OMC/Martin04.jpg Our Team - MARTIN ŘEPA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581086378856-DO64FLDQ7M386OE35AL1/simona-profile.jpg Our Team - S. MUSILOVA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581086452333-9E6Q20JMX7SWSJRWH2UC/kalin-sq.jpg Our Team - KALIN IVANOV https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581086495803-HQD62S99WDX9JQ353BVY/karel-durkota.jpg Our Team - KAREL DURKOTA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581371424822-C1LAEKT9LJNWHURYHE8Z/AgustinParmisano.jpg Our Team - AGUSTIN PARMISANO https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581371424784-JTA5DXJI0LQ6AAR4FUCN/Ashwin.jpg Our Team - ASHWIN NEDUNGADI https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587712910627-C8C83OPZVMJ8PRCE2NRK/jan_fajfer_square.jpeg Our Team - JAN FAIJFER https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587712910645-7VTSMVBPOK71BA5TRLWU/jowabels.jpg Our Team - JOACHIM SUICO https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1597429379371-FJ7AZ5GEASZAF98F1SKI/Civilsphere.png Our Team - JAKUB ČECH https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1603194509514-PJNNQT3INLZ05NYVBQ5Z/Lisandro+Ubiedo.jpeg Our Team - LISANDRO UBIEDO https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1603194517018-W7PTU5Q5GDDRBR5OFENQ/ondrejp.jpg Our Team - ONDREJ PRENEK https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1603194607737-6JHQIB11Y7YNQ370RIW3/Dita-aic.jpg Our Team - DITA HOLLMANNOVA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1615804282731-RB9CNW8B4J269ZL3EPXX/franco.jpg Our Team - FRANCO PALAU https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1615804289000-ABLEB6OQ01SS8WT8B6JM/Carlos_Catania.jpg Our Team - CARLOS CATANIA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1615804298945-HL8040XD2USN7AK21Q61/maria-jose-4x4.jpg Our Team - MARIA J. ERQUIAGA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1647015004472-RTZYY7EIZ8V53ZHA5CHW/thomas-o%27hara.jpeg Our Team - THOMAS O'HARA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1649247949056-DI2VWXQ30V8RVY39JWS4/mohamed_tita_1x1.jpeg Our Team - MOHAMAD TITA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1649248375113-B7DD0I9XEKDBJKBBW1PY/frantisek.jpeg Our Team - FRANTIŠEK STŘASAK https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1649248377145-OGZMQNL9GBBSOZRAFFQE/vit-karafiat-1x1.png Our Team - VÌT KARAFIÁT https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1624287533558-DGE4XJC7LKY9CP4CGRVK/image5.jpg Our Team - KAMILA BABAYEVA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1681815471082-6MCS66VAFH6H8HGGJP9Q/serge-o.png Our Team - SERGE-OLIVIER PAQUETTE https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1685688380489-RU7XCH17A58X66OPBYAB/elnaz.jpg Our Team - ELNAZ BABAYEVA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1702916334987-KLFWO9ZQI4U8V43T4ZZT/bendl%2BLarge.jpeg Our Team - Štěpán Bendl https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1702916374008-QR40O9ADEL0WJOM7EKC4/joaquin_strato.jpg Our Team - Joaquin Bogado https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1713116719208-RJZ86LFSKTQXVIH33CXK/arti.jpg Our Team - ARTI BANDHANA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1751882460212-ECF7HEE99TLQK0T1K2K6/davidotta.jpg Our Team - DAVID OTTA https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1751882460218-G2VQGDMXIAWXSOAXDLN6/Martijn.jpg Our Team - MARTIJN GROOTEN https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1751882461273-9TBSFYP91H54UT2LALD2/miroh.jpg Our Team - MIROSLAV HOLEČEK https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1751882461353-BBL2A2KL5JDGK2HNJLKC/SlavaL.jpg Our Team - VIACHESLAV LARIONOV https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1767707054645-L86FD67Q0BUJIDJRP0TW/new_yura_pic.jpg Our Team - YURY KASIMOV https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1774182824882-O1IIDGSRAI3429J5G6YY/tigran_id_photo.webp Our Team - TIGRAN OGANESIAN https://www.stratosphereips.org/technology daily 0.75 2017-11-07 https://www.stratosphereips.org/datasets-overview daily 0.75 2023-03-27 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510078874934-TJMWQAYKQ6TFZ1APQ2IO/Screen+Shot+2017-11-07+at+15.15.57.png Datasets Overview https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510078965282-GP6PSJ6TJ42LCQADGS3S/Screen+Shot+2017-11-07+at+15.16.22.png Datasets Overview https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510079032913-7D1KCEIA5WB872AD6JN4/Screen+Shot+2017-11-07+at+15.18.45.png Datasets Overview https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1545396206690-CP7L27LU70C6RI4MO5Y0/aposemat1.jpg Datasets Overview https://www.stratosphereips.org/contact daily 0.75 2026-02-27 https://images.squarespace-cdn.com/content/v1/5411ffcfe4b065f40cc78e37/1410549503016-FX7BY2QPAPQPQZPX8H5W/Trade+18_0559.jpg Contact https://www.stratosphereips.org/datasets-normal daily 0.75 2023-03-27 https://www.stratosphereips.org/datasets-mixed daily 0.75 2023-03-27 https://www.stratosphereips.org/manati daily 0.75 2018-03-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1520700446470-KKMS5KBG6L3WOIPJPAAT/ManaTI_project_3.jpg ManaTI https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1520013595005-XA43RR991AIQQNODXL6M/workflow_manati.png ManaTI ManaTI Workflow https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1520012567957-NZZO8CSX9Z0JPRJ3QVK9/manati_external_intelligence.png ManaTI For seeing the third-party options the user must use the contextual menu https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1520012744315-9U8P548Y515RD1RGP8F3/manati_vt_modal.png ManaTI This image shows a request to VirusTotal about an specific IP https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1520012894979-5GDG31YFVVP61ADBFTUE/manati_vt_moda_domain.png ManaTI This image shows a request to VirusTotal about an specific domain name https://www.stratosphereips.org/stratosphere-ips-for-linux daily 0.75 2020-01-14 https://www.stratosphereips.org/datasets-ctu13 daily 0.75 2023-01-21 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510069396377-GJO1XFHKN81I4TDATY77/Table2.jpg CTU-13 Dataset Table 2. Characteristics of botnet scenarios https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510069489815-A8619PM0C48ZVTAQHQR3/image-asset.jpeg CTU-13 Dataset Table 3. Amount of data on each botnet scenario https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510069535476-AO1EJKKV3EAZLRDOV8ZC/Table4.jpg CTU-13 Dataset Table 4. Distribution of labels in the NetFlows for each scenario in the dataset. https://www.stratosphereips.org/stratosphere-testing-framework daily 0.75 2017-11-08 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510146590265-98TWUTDPX757YQQ6C1OC/letter-assignment-behavioral-models.png Stratosphere Testing Framework https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510146856679-QIHI9KG0KCPEHQ7Y0G3P/image-asset.png Stratosphere Testing Framework https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510147953479-G25YFUUYIY79UTVAVPNS/STF-2.png Stratosphere Testing Framework https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510148048344-QND69SD3IAMZAKIJO85L/STF-3.png Stratosphere Testing Framework https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510148102549-500X5Z4THWH4LU7DMYWU/STF-3.png Stratosphere Testing Framework https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510148221417-QLLRCPQ76XP3CGOWRJCP/STF-5.png Stratosphere Testing Framework https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510148325772-78ZFXKRQV2LDYU0FK01G/STF-6.png Stratosphere Testing Framework https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510148353702-TIHCL5BQS55HT2TP320J/STF-7.png Stratosphere Testing Framework https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1510148381008-5ECSRUMCE89XFZP5BMLY/STF-8.png Stratosphere Testing Framework https://www.stratosphereips.org/civilsphere daily 0.75 2020-02-14 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1537449378254-Z655KQ4JT35CQNY1B4DP/Civilsphere.jpg Civilsphere Project https://www.stratosphereips.org/aposemat daily 0.75 2020-04-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1545395043096-OHFKO7BHPS1DAHLHAB72/image-asset.jpeg Aposemat Project https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1545395219028-NBEWHD8OJRRZ5WF8I3R1/avast-logo.jpg Aposemat Project https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1545394958749-Y40MU9JEGOUFXE1PZE1Z/aposemat1.jpg Aposemat Project https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576164455528-7NJECTI0SJ45SOWXKKUH/Sebastian_Garcia.jpg Aposemat Project - Sebastian García https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576164342152-JM3VB86OYV02Q4ZY738P/WhatsApp%2BImage%2B2019-08-13%2Bat%2B1.12.23%2BPM%2B%25281%2529.jpg Aposemat Project - María José Erquiaga https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571384989037-2T8ZLO4ZVR5Z19OSCVCD/Thomas%2BO%2527Hara.jpg Aposemat Project - Thomas O'Hara https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587037032091-5IA0JDA7R0KBP6VL3DSX/Screen+Shot+2020-04-16+at+11.03.13.png Aposemat Project - Anna Shirokova https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581259185911-KO0HOR1ULI8YSPMBXJH0/lisandro_ubiedo.jpeg Aposemat Project - Lisandro Ubiedo https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587036766879-GYNGV7D3HL4OJ9CY0LNB/2A0A3027-WEB.JPG Aposemat Project - Masarah Paquet-Clouston https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571847451177-XTZX8QS2W2ABNOI04UX3/ondra-prenek.jpg Aposemat Project - Ondřej Preněk https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1586945945549-PTZ7Y81HEHUOTTQAKQZ4/Screen+Shot+2020-04-15+at+12.17.00.png Aposemat Project https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1586945945840-F0N3M6EPY948VU4C8FMX/Screen+Shot+2020-04-15+at+12.17.10.png Aposemat Project https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1586945947199-9J1H87AERYXPX0AE36K7/Screen+Shot+2020-04-15+at+12.17.21.png Aposemat Project https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1586945947377-1J8B84NC26S8K1W1MZUD/Screen+Shot+2020-04-15+at+12.17.33.png Aposemat Project https://www.stratosphereips.org/datasets-iot daily 0.75 2019-10-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571850434924-K2K6UG0QC72HEOF0GJDU/aposemat1.jpg Aposemat Project: IoT Malware Datasets https://www.stratosphereips.org/job-openings daily 0.75 2025-05-13 https://www.stratosphereips.org/pocorgtfo daily 0.75 2024-10-04 https://www.stratosphereips.org/ludus daily 0.75 2020-10-07 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1561636558480-FDAYQLN8K5126QE9YUEW/Ludus-logo-small.png Project Ludus: Collaborative Defense using Honeypots https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1558601433904-FCYRHWOLG3GVKKW338AA/ludus_workflow.jpg Project Ludus: Collaborative Defense using Honeypots https://www.stratosphereips.org/nomad daily 0.75 2019-05-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1558628431459-J604SMTZDHO899EW2CPK/nomad.jpg Nomad https://www.stratosphereips.org/thesis-projects daily 0.75 2025-02-26 https://www.stratosphereips.org/datasets-iot23 daily 0.75 2023-01-30 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579613341917-92NXPN8GHSHO53319UHO/image-asset.png Aposemat Project: IoT-23 Dataset https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579613087928-WUXADJ8AHPXOPH4UI3NC/image-asset.png Aposemat Project: IoT-23 Dataset https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579613229681-8OKSSWOREXNQX0RDG53W/image-asset.png Aposemat Project: IoT-23 Dataset https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579696059713-RJYG39MJVGIIU2OA0P8W/IOT23.jpg Aposemat Project: IoT-23 Dataset https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579615358396-OF4R047U0ST71RQ7PZ8C/Captura+de+pantalla+de+2020-01-21+11-02-27.png Aposemat Project: IoT-23 Dataset Image 1: Amazon Echo device. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579626006189-IXMEIMJG1E13942PKOJ1/image-asset.png Aposemat Project: IoT-23 Dataset Image 2: Philips Hue device. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579626122123-KQLRZ4VQL0DBFYAAEQ6R/image-asset.png Aposemat Project: IoT-23 Dataset Image 3: Somfy door lock device. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579633409514-STQPQD3Q2SR76RQH1G0A/image-asset.png Aposemat Project: IoT-23 Dataset https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579635449690-12KYOUEH050HMAU4SDCY/image-asset.png Aposemat Project: IoT-23 Dataset https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1620490324777-7GBV1N5OW1N3DAX7F6IZ/Screenshot+2021-05-08+at+17.17.58.png Aposemat Project: IoT-23 Dataset https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579639657226-NVDX437OKF2D1XQ72404/Screenshot_20200121_174544.jpg Aposemat Project: IoT-23 Dataset https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1579640258686-YCEOUK4AZ7EU43B1L4ON/Screenshot_20200121_175629.jpg Aposemat Project: IoT-23 Dataset https://www.stratosphereips.org/polonium-in-my-iot daily 0.75 2020-04-29 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1588158902913-87CW7YK7LDFYJS6L079M/Simple+Hand+Crafted+Etsy+Banner.png Polonium in my IoT https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571848336936-Y4ATE3QQ3GIOE1T28J8A/aposemat1.jpg Polonium in my IoT Aposema project https://www.stratosphereips.org/geost-android-botnet-research daily 0.75 2019-10-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571847875433-TXGKJN5XO9QV07AZTO84/aposemat1.jpg Geost Android Botnet Research https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571848051415-J8FYBCSOLS27B0VGCF45/zhang1-302600a406-large.gif Geost Android Botnet Research https://www.stratosphereips.org/attacker-ip-prioritization-blacklist daily 0.75 2020-09-15 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587645288442-VI96BMHUW07G3PE1HWCQ/iot-3404892_1920.jpg Attacker IP Prioritization Blacklist - AIP Algorithm Its everywhere, and what is going to protect it? https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571847623132-HEWO2HH7YIVSE4SL8KSH/aposemat1.jpg Attacker IP Prioritization Blacklist Apo https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587643784592-QB93854HH51CP4ZIKM6U/DeepinScreenshot_select-area_20200423140832.png Attacker IP Prioritization Blacklist Image 1 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587643828765-BTU7I294U1FOYSJZ7LM7/DeepinScreenshot_select-area_20200423140708.png Attacker IP Prioritization Blacklist Image 11 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587643855517-REM8F0RNSOOQ4YGZSDTN/DeepinScreenshot_select-area_20200423140805.png Attacker IP Prioritization Blacklist Image 111 https://www.stratosphereips.org/telnet-users-profiling-and-detection daily 0.75 2019-10-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571847718905-D932FVZ7QPV3WKOJLFEA/aposemat1.jpg Telnet Users Profiling and Detection https://www.stratosphereips.org/iot-irc-malware-detection-with-ml daily 0.75 2019-10-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571848121762-KH3S6LDTPO071OLMZDDV/aposemat1.jpg IoT IRC Malware Detection with ML https://www.stratosphereips.org/iot-laboratory-honeypots daily 0.75 2019-10-23 https://www.stratosphereips.org/iot-vulnerability-analysis daily 0.75 2019-10-23 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1571849052300-G08JHK5BYZOQ1Y3J0SNU/aposemat1.jpg IoT Vulnerability Analysis https://www.stratosphereips.org/kalipso daily 0.75 2020-01-14 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576259549669-W42359MI5PINT5H4A4FU/image4.png Kalipso Kalipso initial state - main board https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576259579634-GCQ970PV3424KZO8SPBY/image2.png Kalipso E hotkey - SrcPortClient https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576482812962-2VVR6UURNXAOSJD95792/image3.png Kalipso C hotkey - dstIPsClient https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576482991970-DJ7K2MPU958Z7OVU1VKM/image7.png Kalipso B hotkey - dstPortServer https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576483210285-H6HYMRPQH1L1IMU8HE09/image8.png Kalipso P hotkey - dstPortsClient https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576483296855-P7HDSIGSPEWUF3CKB0ZL/image6.png Kalipso N hotkey - dstPortsClientIPs https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576483381477-MPDCN8DGGPT8S09UW97L/image-asset.png Kalipso H hotkey - OutTuples https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1576483550563-JGVAKA6W13EWI0FS8VKU/image5.png Kalipso M hotkey - map https://www.stratosphereips.org/zeek-irc-feature-extractor daily 0.75 2020-02-13 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580936940630-0CNNGSY82EUSXRL16OIL/zkg-logo.png Zeek IRC Feature Extractor https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580977114128-OB7WKCME45AI90EQ61PZ/irc-connection.png Zeek IRC Feature Extractor Figure 1. Example of IRC connection - IRC connection that is defined by source IP address 192.168.0.1, destination IP address 192.168.0.2, and destination port 440. Source port is neglected, and therefore one IRC connection can have multiple source ports. The IP addresses and ports are chosen randomly for demonstration purposes. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1581002030804-K3G4ATBQF7J39092CO7L/formula_per_blackbox.png Zeek IRC Feature Extractor https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580937002036-5KZTKLQQK3DKN8USTN7P/periodicity_sketch.png Zeek IRC Feature Extractor Figure 2. Illustration of how message periodicity is computed. The time differences between messages and FFT output numbers are chosen randomly for demonstration purposes. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580998524096-CNWJ2FECD016CSVTTG4L/formula_entropy.gif Zeek IRC Feature Extractor https://www.stratosphereips.org/zeek-anomaly-detector daily 0.75 2020-02-04 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580839183487-MVP50E240OBO6AMOBOVR/Scenario14_Screenshot+2020-01-15+at+10.15.30.png Zeek Anomaly Detector https://www.stratosphereips.org/should-i-click daily 0.75 2020-02-04 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580813415752-0CCHJYOG4HDSDFA4ZKCW/Screenshot+2020-02-04+at+11.46.24.png Should I Click https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580815407756-ZH6YFU8J38BFQSI9F53E/Screenshot%2B2020-02-04%2Bat%2B12.20.07.jpg Should I Click Example of a real Google identity verification page. We can see that the domain is accounts.google.com with a valid HTTPS certificate. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580815364785-UTFWSX6KFFPNVFYWWPHO/evil_twin_example.png Should I Click Example of an evil twin website attempting to imitate a Google identity verification page. However we can see that the domain is "minivale.com" and not Google Accounts. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580814993868-8CU3R8DTWP8OKKZ8VSVL/scam_1.png Should I Click Example of a scam website, offering a free iPhone to the user to steal his personal data. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580815013867-5A65CFCJS3AQDW87QGOZ/Spotify-Giveaway-scam-survey.jpg Should I Click Example of a scam website, offering a Spotify code to get a free premium subscription. https://www.stratosphereips.org/hexa-payload-decoder daily 0.75 2020-02-04 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580832201148-Z2K13UICC2BWBCS3BY3I/image-asset.png Hexa Payload Decoder The Hexa Payload Decoder tool is able to process a pcap file and output any identified encoded strings, decoded and translated to English. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580832309042-9OCDZM8UM311LQL9Y2VS/Hexa%2BPayload%2BDecoder%2B-%2B2.png Hexa Payload Decoder Figure 2: Suspicious data finding at Mirai port 4441 in Wireshark and its TCP Stream. The decoded hexadecimal payload cant be read with Wireshark. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580832791445-YPMRUCYDRLDPGAWZCGR8/Hexa%2BPayload%2BDecoder%2B-%2B3.png Hexa Payload Decoder Figure 3: Running the Hexadecimal Decoding and Translating tool with the suspicious port 4441 TCP Stream pcap file. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1580832827382-F4PFN3H6MUQFTIX56ATF/Hexa%2BPayload%2BDecoder%2B-%2B4.png Hexa Payload Decoder Figure 4: Checking the results of the analysis done. The word user in Russian can be seen after the decoding and translating process. https://www.stratosphereips.org/datasets-faq daily 0.75 2024-08-13 https://www.stratosphereips.org/aip-tool daily 0.75 2020-07-27 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1587646918080-KDIGMRSQIBIHJPTXX4PF/smart-home-4658636_1920.jpg AIP Tool - AIP Tool Attacker IP Prioritizer Tool https://www.stratosphereips.org/a-study-of-rats daily 0.75 2020-10-02 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601561619845-Z1Q7480GB5F98SLEG1K3/Veronica-Valeros.jpg A Study of RATs Veronica Valeros, veronica.valeros@aic.fel.cvut.cz, @verovaleros https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601624812172-RGUGYOJ841SH04CJY4KQ/Timeline+1.0.jpg A Study of RATs - Timeline 1.0 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601624859448-ZOS0HTSRNGIJDW31LNBS/Timeline+1.1.jpg A Study of RATs - Timeline 1.1 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601624859660-BRP3CZELHOTWANWZ02RZ/Timeline+1.2.jpg A Study of RATs - Timeline 1.2 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601624860310-GX1NAUQ6VT0S1B1R7EAI/Timeline+1.3.jpg A Study of RATs - Timeline 1.3 https://www.stratosphereips.org/a-study-of-iot-malware daily 0.75 2020-10-02 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601631733951-6R4TL3BD0MYGPG7LEQQE/image-asset.jpeg A Study of IoT Malware Main contact: Veronica Valeros, veronica.valeros@aic.fel.cvut.cz, @verovaleros https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601631041593-4UTUELPPI2CUY9E4CUL6/IoT+Research+-+Timeline+1.0.jpg A Study of IoT Malware - Timeline 1.0 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601631817492-XR628I4QIHBI08TBZO7N/image-asset.jpeg A Study of IoT Malware https://www.stratosphereips.org/icarus-project daily 0.75 2020-10-06 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601968558452-SL7MBEHGKOE60K1ODKQ1/logo_hubd07df05cf1faee0af1a1547178b69a4_20304_600x300_fill_catmullrom_smart1_2.png Icarus Project https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601968391827-AZ8PMNWBON2HWMST7PK5/mohamed.jpeg Icarus Project Researcher: Mohamed Tita, OTF Fellow Site: fightcensorship.tech https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601969017613-1TAWSVVW7QQGNVMGFKLB/image.jpg Icarus Project https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1601968929499-65WJ2I7XY5GN4TCLC8JF/image-asset.jpeg Icarus Project https://www.stratosphereips.org/android-mischief-dataset daily 0.75 2021-06-30 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1605871091259-TYR5YHMI8MWGPHE62CH8/rats.jpeg Android Mischief Dataset https://www.stratosphereips.org/sebastian-garcia daily 0.75 2025-04-29 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1606126689665-0ROA6C41PQHY2ABRZZ5R/Perfil-chica.jpg Sebastian Garcia https://www.stratosphereips.org/veronica-valeros daily 0.75 2025-10-29 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1613147763056-1D76AQLLVY9RRKLDDI0Z/veronica+valeros.jpg Veronica Valeros https://www.stratosphereips.org/civilsphere-aivpn daily 0.75 2021-02-15 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1613393031186-A0E8D1JVSQDZCDA9O53N/NLNet%2BFoundation.png Civilsphere AI-VPN - Financially Supported by NLNET Foundation https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1613393278953-2DENE97WACMLCBN8N9S2/sebastian.jpg Civilsphere AI-VPN Assistant Professor Sebastian Garcia, PhD Sebastian Garcia is a malware researcher and security teacher with experience in applied machine learning on network traffic. He founded the Stratosphere Lab, aiming to do impactful security research to help others using machine learning. As Assistant Professor and researcher, he believes that free software and machine learning tools can help better protect users from abuse of our digital rights. He researches on machine learning for security, honeypots, malware traffic detection, social networks security detection, distributed scanning (dnmap), keystroke dynamics, fake news, Bluetooth analysis, privacy protection, intruder detection, and microphone detection with SDR (Salamandra). He taught in several Universities and worked on penetration testing for both corporations and governments. He talked in conferences such as BlackHat, Defcon Villages, Ekoparty, DeepSec, Hackitivy, Botconf, Hacklu, InBot, SecuritySessions, ECAI, CitizenLab, ArgenCon, Free Software Foundation Europe, VirusBulletin, BSides Vienna, HITB Singapore, CACIC, AAMAS, etc. He co-founded the MatesLab hackspace in Argentina and co-founded the Independent Fund for Women in Tech. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1613393260364-DX8B6VZ82E40IZUEZZHW/veronica%252Bvaleros.jpg Civilsphere AI-VPN Veronica Valeros, Ing. Veronica Valeros is a senior researcher and project leader at the Stratosphere Research Laboratory in the Czech Technical University in Prague. She has more than 9 years of experience in cyber security. Veronica's research strongly focuses on helping people. She currently specializes in threat intelligence, malware traffic analysis, and data analysis. She has made her career in both industry and academia. In her current position as a project leader, Veronica helps driving forward the research and development projects, improves processes, and drives the community engagement of the groups she works with. As a senior researcher, Veronica's is responsible for the research, development, and customer support at the Civilsphere project, dedicated to protecting civil society organizations and individuals at risk from targeted digital threats. Veronica has presented her research at international conferences such as Black Hat, EkoParty, Botconf, Virus Bulletin, Deepsec, and others. She is the co-founder of the MatesLab hackerspace based in Argentina and co-founder of the Independent Fund for Women in Tech. https://www.stratosphereips.org/ad-honeypot-game daily 0.75 2021-10-07 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614878983856-UAK3UQKIB68D6B2R3J4Z/elephant-4474027_1920.jpg AD-Honeypot Evasion Game https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1614879708212-RUQD3NUQ9CR6SBXBPLGN/elephants-279505_1920.jpg AD-Honeypot Evasion Game This game supports the Safe the Elephants Fund. https://www.stratosphereips.org/hornet-network-dataset-of-geographically-placed-honeypots daily 0.75 2021-08-05 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1621337311091-1BYCNXV5CRE7GG7DD519/Hornet+Network+Dataset+of+Geographically+Placed+Honeypots.png Hornet: Network Dataset of Geographically Placed Honeypots - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1628195173715-F99FFYIQ9WWCGYRKPWF4/0a4eea39-bb0c-44a1-820a-840719b4801f.png Hornet: Network Dataset of Geographically Placed Honeypots - Make it stand out Distribution of the number of flows per hour per scenario in logarithmic scale. https://www.stratosphereips.org/feel-project daily 0.75 2022-11-09 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1667964415836-4L1GBFMZBIORO2RII0QM/FEEL+Project+Design.jpg FEEL Project https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/1667964160820-3H3LLVYSRO0JDE9HHUS5/FEEL+Project+Design.jpg FEEL Project - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/gsoc daily 0.75 2024-02-29 https://www.stratosphereips.org/the-blocklist-generation-project daily 0.75 2024-10-30 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/6229e686-3eab-4120-b590-61ced12ef872/AIP_Diagram.png The Blocklist Generation Project - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/defensive-llms daily 0.75 2023-11-10 https://www.stratosphereips.org/projects/ai-dojo daily 0.75 2026-03-10 https://images.squarespace-cdn.com/content/v1/5a01100f692ebe0459a1859f/d1f08d62-23d1-40e2-9062-c8ab131fe26f/aidojo.jpg AI Dojo - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://www.stratosphereips.org/cybercrime-research daily 0.75 2025-05-06