http://localhost:4000/ Colin Cowie's security blog about malware research, threat intelligence and DFIR. 2025-03-16T13:47:24-07:00 Colin Cowie http://localhost:4000/ Jekyll © 2025 Colin Cowie /assets/img/favicons/favicon.ico /assets/img/favicons/favicon-96x96.png 2025-03-15T00:00:00-07:00 2025-03-15T00:00:00-07:00 http://localhost:4000/2025/CTI-Network-Graphing Colin Cowie

Network Graphing with Python Network graphs are a nice way to visualize relationships and investigate data. Many threat intelligence platforms provide built-in network graphing features, including Maltego, OpenCTI and MISP. Maltego, for example, claims to have over 2,000 government customers. This blog highlights how to create basic network graphs using Python. Graphing Libraries There are ...

2023-03-13T00:00:00-07:00 2023-05-27T11:58:41-07:00 http://localhost:4000/2023/New-JS-Malware-Fake-Invoices Colin Cowie

Decoding a New JavaScript Malware Campaign Recently researchers from HuntressLabs shared data about a case where a fake DocuSign document resulted in a network compromise involving AvosLocker & data collection with RClone. HuntressLabs identified the initial infection vector as a file with the name: Invoice-DocuSign-Mar03-2023.js Part 1: Gathering Samples on VirusTotal Leveraging VirusTo...

2022-12-28T00:00:00-08:00 2022-12-28T00:00:00-08:00 http://localhost:4000/2022/ChatGPT-LeakSite-Analysis Colin Cowie

Using ChatGPT to Visualize Ransomware Leak Site Data Recently I wanted to test out if I could use OpenAI’s ChatGPT to assist with analyzing trends around ransomware leak site postings. Project Setup The Raw Data RansomWatch is a publicly accessible project that monitors ransomware leak sites and posts metadata to their website. Technical details on RansomWatch can be found on Github. For...

2022-10-30T00:00:00-07:00 2022-10-30T00:00:00-07:00 http://localhost:4000/2022/Yanlouwang-Leaks Colin Cowie

Yanlouwang Ransomware Leaks Analysis On October 31st the twitter account @yanluowangleaks published communication data from Yanlouwang ransomware. The data appear to be leaked from matrix chat servers. Overview of Leaked Data Leaked Data File Names hello1.json hello2.json hello3.json hello4.json coder-saint.json stealer-felix.json All unique matrix usernames: '@killanas', '@s...

2022-07-02T00:00:00-07:00 2022-07-02T00:00:00-07:00 http://localhost:4000/2022/RATs-Targeting-Open-Source Colin Cowie

Minecraft & IT software targeted with fake websites & Remote Access Trojans Background research In January of 2022 Félix Aimé from SEKOIA shared a detailed twitter thread about a threat actor targeting open source projects. Some of the domains that Félix proactively shared were hosted and abused. Bleeping Computer published an article about this campaign titled: Trojanized dnSp...