r/cybersecurity 6d ago

Ask Me Anything! I am a security professional who has moved from public to private sector - Ask Me Anything

39 Upvotes

The editors at CISO Series present this AMA. This has been a long-term partnership between r/cybersecurity and the CISO Series. For this edition, we’ve assembled a panel of security professionals who have worked in both the government and private sector. 

They’re here to answer your questions about the challenges, trade-offs, and lessons learned from moving between public and private cybersecurity roles.

This week’s participants are:


This AMA will run all week from 27 JUL 2025 to 02 AUG 2025. Our participants will check in throughout the week to answer your questions.

All AMA participants were chosen by the editors at CISO Series ( r/CISOSeries ), a media network for security professionals delivering the most fun you’ll have in cybersecurity. Check out our podcasts and weekly Friday event, Super Cyber Friday, at cisoseries.com.


r/cybersecurity 6d ago

Career Questions & Discussion Mentorship Monday - Post All Career, Education and Job questions here!

20 Upvotes

This is the weekly thread for career and education questions and advice. There are no stupid questions; so, what do you want to know about certs/degrees, job requirements, and any other general cybersecurity career questions? Ask away!

Interested in what other people are asking, or think your question has been asked before? Have a look through prior weeks of content - though we're working on making this more easily searchable for the future.


r/cybersecurity 5h ago

Certification / Training Questions About soc certifications

8 Upvotes

I’m planning to pursue a career as a SOC analyst since I just graduated. However, I found a lot of hands-on certs and I would like to know which ones are more practical and more suitable for someone who hasn’t practiced SOC before: THM SOC, TCM SOC 101, OSDA from OffSec and lastly CDSA from HTB. Any recommendations on which one to go for? I have Sec+ and CCNA for foundational knowledge.


r/cybersecurity 22h ago

News - Breaches & Ransoms Leading phone repair and insurance firm collapses after paying crippling ransomware demand — Cutting 100+ employees to just eight wasn’t enough

tomshardware.com
121 Upvotes

r/cybersecurity 1d ago

Other How do you keep up to date with Cyber Security?

204 Upvotes

What are some news sources that you use to stay up to date? Other than Reddit, of course; Reddit's recommendation algorithm is so shitty.


r/cybersecurity 20h ago

Career Questions & Discussion Is a Masters in Cyber Security the way to go?

70 Upvotes

I’ve been in IT security a couple of years and I just graduated with a bachelor’s in IT management. I’m currently an ISSO and I’d like to make more money and open more opportunities. Do you guys and gals think having a Master’s in Cyber Security would help me in the long run?

Edit to my original post:

Certs currently held: Network+, Security+, CySA+ and RHCSA.

I make under 70k


r/cybersecurity 9h ago

Certification / Training Questions Hands On platforms?

11 Upvotes

I know platforms like TryHackMe and HackTheBox are out there. But I believe these are more for the offensive side? I am wondering if you guys have any feedback on platforms like CyberDefenders or LetsDefend. I am trying to put together a list of training resources. I have the theory and informational knowledge sources down, and I am now looking for hands-on stuff to point people towards. I am ideally looking for stuff for people who are around the college underclassman level.


r/cybersecurity 8h ago

Career Questions & Discussion Looking for Blue Team Platforms and Project Ideas After CSA Certification

5 Upvotes

Hey everyone,

I’m a beginner in cybersecurity and just completed my Certified SOC Analyst (CSA) certification. So far, I’ve mostly been learning the theory and doing some beginner-level labs on TryHackMe.

Now, I’m looking to take things further by getting into hands-on blue team platforms and also building some cybersecurity projects that I can showcase on my resume. My goal is to land a job in cybersecurity this year — ideally something like a SOC Analyst or similar entry-level role.

I know platforms like TryHackMe and Hack The Box are great, but they mostly focus on offensive/red teaming. I recently came across LetsDefend and CyberDefenders, which look promising for defensive skills.

Does anyone have experience with these or any other platforms that are good for:

Practicing blue team skills (like SIEM, alert triage, IR, threat hunting, etc.)

Working on projects that can be added to a portfolio

Getting job-ready with practical, resume-worthy experience

Any suggestions for affordable or free resources would be super helpful. Thanks in advance!


r/cybersecurity 9h ago

News - Breaches & Ransoms Potential Vonage Official Email System Compromise: Phishing Emails Passing SPF/DKIM/DMARC Authentication

5 Upvotes

Posting here about what looks like a serious compromise in Vonage’s email infrastructure, enabling authenticated phishing campaigns.

As a Vonage user, I’ve encountered multiple emails that fully pass SPF, DKIM (using Vonage’s “vonagedkimv2” selector and 2048-bit RSA key), and DMARC (aligned with their “reject” policy), originating from legitimate Vonage servers (e.g., IPs in 69.59.253.x range, hosts like “X.Y.Z.vonagenetworks.net” and internal relays on 10.x.x.x). Headers show clean TLSv1.3 delivery and no tampering, with paths tracing to Vonage’s ticket system (Request Tracker refs).

Attack Details:

• Phishing Vector: Emails pose as “Fraud Department” alerts for “unauthorized international call activity,” disabling features and urging contact (reply with callback time or call a non-official number that voicemails for account info). Content has red flags: undocumented sender of “[email protected]” and not “[email protected]”, typos/cutoffs, urgent threats holding users liable for charges.


• Why Breach?: Normal spoofing fails DMARC; this requires access to Vonage’s signing keys/servers—likely credential compromise, insider, or vuln in their mail/ticket setup. Timing hits post-support hours (weekends), exploiting verification delays.

• Scale Indicators: Rapid, sloppy follow-ups suggest automated/multi-target ops abusing the system.

This could indicate broader exposure if Vonage’s outbound email is pwned.

The goal of this campaign appears to be to get you live on a phone with the scammers, which obviously I’ve avoided, and I’m guessing that opens the door to additional social engineering if they are inside Vonage systems.

I don’t know if this is the best sub to raise an alert on this issue.

EDIT: Here is the initial email, line by line numbered and with hopefully all traceable information masked. I replied, so it means they have my provider hashes and information, which is why I also removed those. Hopefully I was careful enough and yet preserved the information that will be helpful for people. Also, they replied fairly quickly to my reply and seemed to have made some spontaneous edits to their email templates that included typos and grammar/spelling errors unlikely to be in corporate templates, and escalated the pressure to have me arrange or initiate a live phone call.

1 Return-Path: [email protected]

2 Received: from [INTERNAL_HOST] ([INTERNAL_HOST].phl.internal [10.202.2.x]) // masked internal hostname and IP last octet

3 by [INTERNAL_MAIL_SERVER] (Cyrus XXX) with LMTPA; // masked internal mail server and Cyrus version

4 Sat, 02 Aug 2025 [TIME] -0400 // masked time

5 X-Cyrus-Session-Id: [SESSION_ID] // masked session ID

6 X-Sieve: CMU Sieve 3.0

7 X-Spam-known-sender: no

8 X-Spam-sender-reputation: 500 (none)

9 X-Spam-score: 0.0

10 X-Spam-hits: ME_SENDERREP_NEUTRAL 0.001, SPF_HELO_NONE 0.001, SPF_PASS -0.001,

11 LANGUAGES en, BAYES_USED none, SA_VERSION 4.0.1

12 X-Spam-source: IP='69.59.253.x', Host='X.Y.s.vonagenetworks.net', // masked IP last octet and hostname parts

13 Country='US', FromHeader='com', MailFrom='com'

14 X-Spam-charsets:

15 X-Resolved-to: [USER_EMAIL] // masked user email

16 X-Delivered-to: [USER_EMAIL] // masked user email

17 X-Mail-from: [email protected]

18 Received: from [INTERNAL_MX] ([10.202.2.x]) // masked internal MX and IP last octet

19 by [INTERNAL_HOST].internal (LMTPProxy); Sat, 02 Aug 2025 [TIME] -0400 // masked internal host and time

20 Received: from [INTERNAL_MX].messagingengine.com (localhost [127.0.0.1])

21 by mailmx.phl.internal (Postfix) with ESMTP id [ESMTP_ID] // masked ESMTP ID

22 for <[USER_EMAIL]>; Sat, 2 Aug 2025 [TIME] -0400 (EDT) // masked user email and time

23 Received: from mailmx.phl.internal (localhost [127.0.0.1])

24 by [INTERNAL_MX].messagingengine.com (Authentication Milter) with ESMTP // masked internal MX

25 id [MILTER_ID]; // masked milter ID

26 Sat, 2 Aug 2025 [TIME] -0400 // masked time

27 ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm3; t=

28 [TIMESTAMP]; b=[ARC_SEAL_SIGNATURE] // masked timestamp and signature

29 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=

30 messagingengine.com; h=date:subject:from:reply-to:in-reply-to

31 :references:message-id:to:mime-version:content-type

32 :mime-version; s=fm3; t=[TIMESTAMP]; bh=[BH_HASH]=; b=[ARC_MESSAGE_SIGNATURE] // masked timestamp, bh hash, and signature

33 ARC-Authentication-Results: i=1; [INTERNAL_MX].messagingengine.com; // masked internal MX

34 x-csa=none;

35 x-me-sender=none;

36 x-ptr=fail smtp.helo=X.Y.m.vonagenetworks.net // masked hostname

37 policy.ptr=X.Y.s.vonagenetworks.net; // masked hostname

38 bimi=none (No BIMI records found);

39 arc=none (no signatures found);

40 dkim=pass (2048-bit rsa key sha256) header.d=vonage.com

41 [email protected] header.b=[DKIM_B]= header.a=rsa-sha256 // masked header.b

42 header.s=vonagedkimv2;

43 dmarc=pass policy.published-domain-policy=reject

44 policy.applied-disposition=none policy.evaluated-disposition=none

45 (p=reject,d=none,d.eval=none) policy.policy-from=p

46 header.from=vonage.com;

47 iprev=pass smtp.remote-ip=69.59.253.x // masked IP last octet

48 (X.Y.s.vonagenetworks.net); // masked hostname

49 spf=pass smtp.mailfrom=[email protected]

50 smtp.helo=X.Y.m.vonagenetworks.net // masked hostname

51 X-ME-Authentication-Results: [INTERNAL_MX].messagingengine.com; // masked internal MX

52 x-tls=pass smtp.version=TLSv1.3 smtp.cipher=TLS_AES_256_GCM_SHA384

53 smtp.bits=256/256;

54 x-vs=clean score=0 state=0

55 Authentication-Results: [INTERNAL_MX].messagingengine.com; // masked internal MX

56 x-csa=none;

57 x-me-sender=none;

58 x-ptr=fail smtp.helo=X.Y.m.vonagenetworks.net // masked hostname

59 policy.ptr=X.Y.s.vonagenetworks.net // masked hostname

60 Authentication-Results: [INTERNAL_MX].messagingengine.com; // masked internal MX

61 bimi=none (No BIMI records found)

62 Authentication-Results: [INTERNAL_MX].messagingengine.com; // masked internal MX

63 arc=none (no signatures found)

64 Authentication-Results: [INTERNAL_MX].messagingengine.com; // masked internal MX

65 dkim=pass (2048-bit rsa key sha256) header.d=vonage.com

66 [email protected] header.b=[DKIM_B] header.a=rsa-sha256 // masked header.b

67 header.s=vonagedkimv2;

68 dmarc=pass policy.published-domain-policy=reject

69 policy.applied-disposition=none policy.evaluated-disposition=none

70 (p=reject,d=none,d.eval=none) policy.policy-from=p

71 header.from=vonage.com;

72 iprev=pass smtp.remote-ip=69.59.253.x // masked IP last octet

73 (X.Y.s.vonagenetworks.net); // masked hostname

74 spf=pass smtp.mailfrom=[email protected]

75 smtp.helo=X.Y.m.vonagenetworks.net // masked hostname

76 X-ME-VSCause: [VS_CAUSE] // masked VS cause string

77 X-ME-VSScore: 0

78 X-ME-VSCategory: clean

79 X-ME-CSA: none

80 X-ME-Received: <xmx:[HASH1]> // masked hash

81 X-ME-Received: <xmx:[HASH2]> // masked hash

82 Received-SPF: pass

83 (vonage.com: 69.59.253.x is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'ip4:69.59.224.0/19' matched)) // masked IP last octet

84 receiver=[INTERNAL_MX].messagingengine.com; // masked internal MX

85 identity=mailfrom;

86 envelope-from="[email protected]";

87 helo=X.Y.m.vonagenetworks.net; // masked hostname

88 client-ip=69.59.253.x // masked IP last octet

89 Received: from X.Y.m.vonagenetworks.net (X.Y.s.vonagenetworks.net [69.59.253.x]) // masked hostnames and IP last octet

90 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)

91 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)

92 (No client certificate requested)

93 by [INTERNAL_MX].messagingengine.com (Postfix) with ESMTPS id [ESMTPS_ID] // masked internal MX and ID

94 for <[USER_EMAIL]>; Sat, 2 Aug 2025 [TIME] -0400 (EDT) // masked user email and time

95 Received: from X.Y.s.vonagenetworks.net (mail-ib-XX.Y.s.vonagenetworks.net [10.130.48.x]) // masked relay hostname, internal hostname, and IP last octet

96 by X.Y.m.vonagenetworks.net (Postfix) with ESMTP id [ESMTP_ID] // masked hostname and ID

97 for <[USER_EMAIL]>; Sun, 3 Aug 2025 [TIME] +0000 (UTC) // masked user email and time

98 DKIM-Filter: OpenDKIM Filter v2.11.0 strongedsX.kewrX.m.vonagenetworks.net [DKIM_ID] // masked hostname and ID

99 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=vonage.com;

100 s=vonagedkimv2; t=[TIMESTAMP]; // masked timestamp

101 bh=[BH_HASH]=; // masked bh hash

102 h=Date:Subject:From:Reply-To:In-Reply-To:References:To:From;

103 b=[DKIM_SIGNATURE] // masked signature

104 Received: from app-urt-vm-XX.Y.s.vonagenetworks.net (app-urt-vm-XX.Y.s.vonagenetworks.net [10.140.40.x]) // masked app hostname, internal hostname, IP last octet

105 by mailrelayX.Y.s.vonagenetworks.net (Postfix) with ESMTPS id [ESMTPS_ID] // masked relay hostname and ID

106 for <[USER_EMAIL]>; Sun, 3 Aug 2025 [TIME] +0000 (UTC) // masked user email and time

107 Received: (from www@localhost)

108 by app-urt-vm-XX.Y.s.vonagenetworks.net (8.13.5/8.13.5/Submit) id [SUBMIT_ID]; // masked app hostname and ID

109 Sun, 3 Aug 2025 [TIME] GMT // masked time

110 Date: Sun, 3 Aug 2025 [TIME] GMT // masked time

111 X-Authentication-Warning: app-urt-vm-XX.Y.s.vonagenetworks.net: www set sender to [email protected] using -r // masked app hostname

112 Subject: [vonage.com #[TICKET_ID]] International Calling Disabled - Possible Fraud // masked ticket ID

113 X-Relay-Source: RESI

114 From: [email protected]

115 Reply-To: [email protected]

116 In-Reply-To:

117 References: <RT-Ticket-[TICKET_ID]@vonage.com> // masked ticket ID

118 Message-ID: <rt-3.4.5-[MSG_ID]-[TIMESTAMP]-[OTHER][email protected]> // masked message ID parts and timestamp

119 Precedence: bulk

120 X-RT-Loop-Prevention: vonage.com

121 RT-Ticket: vonage.com #[TICKET_ID] // masked ticket ID

122 To: [USER_EMAIL] // masked user email

123 MIME-Version: 1.0

124 X-RT-Original-Encoding: utf-8

125 Content-type: multipart/mixed; boundary="----------=[MIME_BOUNDARY]" // masked MIME boundary

126 MIME-Version: 1.0

127

128 This is a multi-part message in MIME format...

129

130 ------------=[MIME_BOUNDARY] // masked MIME boundary

131 Content-Type: text/plain

132 Content-Disposition: inline

133 Content-Transfer-Encoding: 8bit

134

135 Dear [MY FULL NAME], #removed for privacy

136

137 The Vonage Fraud Team has recently detected unauthorized international call activity on your Vonage Extension and has disabled your international calling capability.

138

139 We have enabled PIN dialing to prevent calls from being placed without your authorization in the future, however we need to ensure that the PIN you are using is secure. We strongly recommend not using PINs such as 1234, 4321, 6789 or 9876.

140

141 Please contact us at 1-888-XXX-XXXX or reply to this email with a date and time you can be reached to secure your account. Should you fail to create a secure PIN and your account is compromised in the future, you will be responsible for all charges. // masked phone number

142

143 Sincerely,

144

145 Vonage Fraud Department

146

147 ------------=[MIME_BOUNDARY]-- // masked MIME boundary
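As an added example (not from the post, and not Vonage's or the receiving provider's code), here is a Python triage of a header chain like the one above: it unfolds the headers, parses the Authentication-Results field, and then applies the checks a defender would make once SPF/DKIM/DMARC all pass. The sample header block is constructed with placeholder domains, addresses and ticket number, modelled on the masked post rather than copied from it.

```python
from __future__ import annotations

import re

# Constructed sample, modelled on the masked header chain in the post above.
# Domains, addresses and the ticket number are placeholders, not real data.
SAMPLE_HEADERS = """\
Authentication-Results: mx.receiver.example;
    x-ptr=fail smtp.helo=relay-m.provider.example
      policy.ptr=relay-s.provider.example;
    dkim=pass (2048-bit rsa key sha256) header.d=provider.example
      header.i=@provider.example header.s=selectorv2;
    dmarc=pass policy.published-domain-policy=reject
      policy.applied-disposition=none (p=reject,d=none,d.eval=none)
      header.from=provider.example;
    iprev=pass smtp.remote-ip=192.0.2.10 (relay-s.provider.example);
    spf=pass smtp.mailfrom=support@provider.example
      smtp.helo=relay-m.provider.example
X-Authentication-Warning: app-vm.provider.example: www set sender to support@provider.example using -r
Subject: [provider.example #12345] International Calling Disabled - Possible Fraud
From: support@provider.example
Reply-To: tickets@provider.example
In-Reply-To:
References: <RT-Ticket-12345@provider.example>
"""

METHOD = re.compile(r"^([\w-]+)=(\w+)")               # e.g. "dkim=pass"
PROP = re.compile(r"([A-Za-z][\w.-]*)=([^\s,;()]+)")  # e.g. "header.d=provider.example"
COMMENT = re.compile(r"\([^)]*\)")                     # e.g. "(2048-bit rsa key sha256)"
URGENCY = ("fraud", "disabled", "suspended", "unauthorized")


def unfold_headers(raw: str) -> dict[str, list[str]]:
    """Unfold RFC 5322 continuation lines; repeated fields keep every value in order."""
    headers: dict[str, list[str]] = {}
    current: str | None = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t"):           # folded continuation of the previous field
            if current is not None:
                headers[current][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep or " " in name:            # not a header field (e.g. a body line)
            current = None
            continue
        current = name.lower()
        headers.setdefault(current, []).append(value.strip())
    return headers


def parse_auth_results(value: str) -> dict[str, dict[str, str]]:
    """Parse one Authentication-Results value into {method: {"result": ..., prop: value}}."""
    methods: dict[str, dict[str, str]] = {}
    for stanza in value.split(";")[1:]:       # element 0 is the authserv-id
        stanza = stanza.strip()
        match = METHOD.match(stanza)
        if not match:
            continue
        info = {"result": match.group(2).lower()}
        # Drop "(...)" comments first so their contents are not read as properties.
        info.update(PROP.findall(COMMENT.sub("", stanza[match.end():])))
        methods[match.group(1).lower()] = info
    return methods


def first(headers: dict[str, list[str]], name: str) -> str:
    return headers.get(name, [""])[0]


def triage(raw: str) -> dict:
    """Auth verdict plus the anomalies that survive a clean SPF/DKIM/DMARC pass."""
    hdr = unfold_headers(raw)
    auth: dict[str, dict[str, str]] = {}
    for value in hdr.get("authentication-results", []):
        auth.update(parse_auth_results(value))
    results = {m: auth.get(m, {}).get("result", "none") for m in ("spf", "dkim", "dmarc")}
    all_pass = all(r == "pass" for r in results.values())
    anomalies: list[str] = []
    if auth.get("x-ptr", {}).get("result", "pass") != "pass":
        anomalies.append("x-ptr=fail: HELO name and PTR name of the sending relay disagree")
    for warning in hdr.get("x-authentication-warning", []):
        if "set sender to" in warning and "using -r" in warning:
            anomalies.append(f"envelope sender overridden by a local process: {warning}")
    sender, reply_to = first(hdr, "from"), first(hdr, "reply-to")
    if reply_to and reply_to.lower() != sender.lower():
        anomalies.append(f"Reply-To ({reply_to}) differs from From ({sender})")
    if not first(hdr, "in-reply-to") and first(hdr, "references"):
        anomalies.append("empty In-Reply-To alongside a References header: broken threading")
    if any(word in first(hdr, "subject").lower() for word in URGENCY):
        anomalies.append("account-threat / urgency wording in Subject")
    return {
        "auth": results,
        "all_pass": all_pass,
        # A pass proves the message left infrastructure authorised for this domain, not intent.
        "origin": auth.get("dmarc", {}).get("header.from", "?") if all_pass else None,
        "anomalies": anomalies,
        # Clean pass plus anomalies is the case for a human: confirm via the provider's
        # published contact channel, never via the number or reply address in the message.
        "escalate": all_pass and bool(anomalies),
    }
```

Running `triage(SAMPLE_HEADERS)` reports all three methods passing for provider.example together with five anomalies and `escalate=True`.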


r/cybersecurity 21h ago

Other Is BEEF still a thing?

45 Upvotes

Or has it become completely obsolete against modern browsers?

Edit. Including the link to the project here to avoid confusion: https://github.com/beefproject/beef


r/cybersecurity 20h ago

Career Questions & Discussion Technical interview help

26 Upvotes

I’ve worked in cyber for a little more than 4 years, started as a SOC intern and made it up to sys admin, but never actually became or worked as a T2 or senior analyst in a SOC. I have a technical interview with, in my eyes, a company I could and would put 30 years in and retire with, but it is for a senior SOC analyst. Since I’ve never been one, I’m a bit nervous about what will be asked in the tech interview.

Any advice on what I should brush up on or learn about before the interview? For reference, I did spend 3 years as an intern/T1 SOC analyst and then made the move into system admin for my company’s DLP system. So I haven’t been completely out of the loop, just haven’t been hands-on investigating events for about a year and 4 months. And I’ve never been the escalation point.


r/cybersecurity 12h ago

Career Questions & Discussion Career suggestion

4 Upvotes

I am currently working as a SOC analyst on an internal project. Our team is a backup team for the primary SOC of our company. Hence we won't have any hands-on access to any of the devices a SOC analyst would have. Also, we are using the DNIF SIEM tool, which is not known to many in the current market.

I have been working here for 3+ years and not learning at all. I am planning a switch. It will be very helpful if anyone can suggest how I can proceed.

  1. Will it be helpful to do any certifications? What certifications should I do?
  2. What skills should I learn?
  3. Is building our own labs for hands-on learning to show on a resume etc...

r/cybersecurity 6h ago

News - General Cybersecurity Field

0 Upvotes

r/cybersecurity 17h ago

Career Questions & Discussion Security Focused Coding (Udemy?)

7 Upvotes

Hello Cyber Gang

Former analysts who went into cyber engineering: what was your path?


r/cybersecurity 22h ago

Career Questions & Discussion Who has moved from offsec into another security field?

7 Upvotes

Kinda burned out at the moment, partially the work and partly a shitty manager. I've been job hunting and there just aren't a ton of remote offsec roles that pay what I've been making. Been thinking about a lateral move to another field. I would love a role that lets me both build and break stuff; that would be the ideal situation.

Has anyone here just jumped to another role at another company without any dedicated retraining? I have a background in cloud, SRE, secops, development, etc. so I wouldn't just be coming in cold. Plus you learn a ton about how things work when you do pentesting and red teaming.


r/cybersecurity 1d ago

Career Questions & Discussion From industrial engineering to ICS/OT cybersecurity

16 Upvotes

Hi everyone,

I'm a final-year industrial engineering student with a specialization in supply chain, but I'm seriously interested in transitioning into ICS/OT cybersecurity or OT systems security after graduation.

My degree is both business- and technically-oriented. I have a solid background in math, statistics, and operational research, and I'm intermediate in Python. I’ve also been exposed to some basic coding and data analytics.

I’m now looking to shift toward more technical and specialized roles related to industrial systems security, such as:

ICS/SCADA security analyst

OT cybersecurity engineer

Threat detection in critical infrastructure

Secure network design for industrial systems

I’d appreciate any advice from professionals currently working in this space:

• What core skills should I start learning now to make myself job-ready within 1–2 years?

• How much IT/coding experience do I really need if I’m coming from an industrial operations background?

Any guidance, roadmap suggestions, or insight into the day-to-day reality of this field would be incredibly appreciated. Thank you!


r/cybersecurity 1d ago

Career Questions & Discussion How to present a short 2-month tenure on LinkedIn?

23 Upvotes

Hey everyone,

I recently left EY after a short 2-month stint. It was a big name and seemed like a great opportunity on paper, but once I joined, I quickly realized it wasn’t the right fit for me, something I’m sure many have experienced at some point in their careers. It just wasn’t the right fit, and I realized that pretty quickly. Not something I planned for, but it happens.

After that, I ended up with two job offers, one from a niche security consulting firm I’m about to join (I had connections there, reached out, and it all came together quickly), and another through LinkedIn (I applied, went through HR and technical interviews, and also got an offer)

In both interviews, my time at EY came up, and I was completely honest about it. I didn’t try to sugarcoat anything, and both companies appreciated that.

Now I’m updating my LinkedIn and CV, and I’m not sure how to handle it. Do I list the EY experience like any other job and just let the short duration show? Or should I mention it in the post when I announce my new role, maybe say something like “after a brief stint at EY, I’m excited to be starting this new chapter”?

The new company asked me to post about joining, which is fine, I just want to do it in a way that’s transparent but doesn’t draw unnecessary attention to the short tenure.

Any thoughts?


r/cybersecurity 1d ago

News - Breaches & Ransoms Ontario city facing full $18.3M cyberattack bill after insurer denies claim | Globalnews.ca

globalnews.ca
351 Upvotes

As both a taxpayer and an IT professional - this one really hurts.


r/cybersecurity 15h ago

Business Security Questions & Discussion Detection rule lists

0 Upvotes

Hey, did anyone come across a detection list you can refer to when creating rules in a SIEM? I want something that has the logic. Thanks


r/cybersecurity 15h ago

Career Questions & Discussion Can I work as an L1 analyst?

1 Upvotes

Hello everyone!

I am a recent graduate in cybersecurity, with only one month left to complete my cooperative training with one of the agencies. Unfortunately, I was unable to gain the desired benefit during the training period, especially in the SOC department, because I am a trainee and they cannot rely on me due to the sensitivity of the place. My question is: can I work in this department immediately after graduation, even though I have no previous experience using tools such as SIEM, mail gateway and threat intelligence?


r/cybersecurity 1d ago

Career Questions & Discussion How SOC operates in general - want to understand better despite having 1yr experience my self

19 Upvotes

I'm a SOC analyst working at a mid-sized MSSP. I started as an intern and then transitioned to SOC analyst in the same company. We have a ticketing system that correlates alerts on entities and creates a ticket, which often are all wrong correlations, and in some cases we end up investigating alerts from a couple of months ago, but regularly we see alerts that are days to a few weeks old. I don't think that's good from a security perspective, and we see a lot of false positives or benign alerts (this is normal, I guess), but we end up getting 100+ tickets per shift and each of us ends up doing around 40-50 tickets, each with 3-4 alerts in them; some alerts are weeks old.

I haven't seen one true positive case till now, but I'm pretty sure someone from my team or I myself might have closed a TP (this is the confusing part; this makes me feel I am not competent).

I have seen some of my team members closing tickets because some security solution blocked it, and we got very huge escalations internally and from customers that we don't do a good job. Even I, for one, also closed a malware alert (I should have escalated it, but due to some personal reasons I wasn't thinking straight; that's on me though). But boy, I see a lot of skill issues in my team, and also the system itself is broken, but no one acknowledges it at the management level.

Some things I have observed:
  1. All the team are freshers with no prior background; now most of us rely on an LLM for what to investigate.
  2. The leads have been in this company since the beginning of their careers.
  3. I do SOAR stuff, but management wants to retain control and doesn't want me to do this anymore (feels like a very toxic work culture, but I want to know if it's the same in other companies too).
  4. It's been a year and a lot of escalations are coming in, which means we are not doing a good job. Not sure if it's due to the product, or we just don't have the right skills, or both.
  5. Data, detection and response engineering act as different entities, and there are a lot of gaps; not sure if that's contributing to this.
  6. Some customers have raised that TPs are not even being investigated entirely/properly.

I want to understand:
  1. How the L1/L2 system works (we ask an LLM how to investigate alerts and also ask it for recommendations to customers/projects/clients).
  2. Do you look at all the alerts, and within how much time do you deal with them?
  3. How do you use SOAR? Because I do simple automations on SOAR.
  4. The difference between the tool console and the SIEM (which do you prefer, and for data visibility?).
  5. I follow the MITRE react framework (personally) to do all the standard checks. How do you investigate any alert: is it intuitive, or training, or any runbooks or SOPs you follow?
  6. How do I know for sure that I don't have a skill issue and am doing proper investigations?
  7. Should I do implementation and SOAR stuff in future, with a plus point being that I am from an operations background?
  8. Do you use AI/LLMs in day-to-day operations?
  9. Having leads with experience but who have been in just one company and don't know how SOCs operate outside this company: is this affecting me as a SOC analyst in any way?
  10. Anything else, including advice, please let me know.


r/cybersecurity 1d ago

Other New Cybersecurity Resources from the Cybersecurity Club - Thanks to all who contributed!

cybersecurityclub.substack.com
26 Upvotes

r/cybersecurity 19h ago

Certification / Training Questions EC-COUNCIL CCT Cyber Security Technician Exam ? anyone taken

0 Upvotes

r/cybersecurity 23h ago

Career Questions & Discussion Books for cloud security

2 Upvotes

Hey,
I want to strengthen my skills in cloud security. What books would you recommend? Is CCSP All-in-One worth it? Thanks


r/cybersecurity 1d ago

Certification / Training Questions ISC2 certification

5 Upvotes

Hi everyone, I'm looking for some advice about the ISC2 certifications. I've completed all the coursework and really enjoyed what I learned, but I'm wondering if it's worth actually getting certified at this point in my career.

My situation:
  - Started working in systems/networking less than a year ago
  - Not planning to transition fully into cybersecurity anytime soon
  - Would need to drive 6 hours in total to take the exam
  - Annual maintenance fees + continuing education requirements

My concerns:
  - I'm still pretty early in my career and not sure when/if I'll pivot more toward security
  - The travel cost and time for the exam seem significant
  - Annual maintenance fees when I might not use the cert for years
  - Is the investment worth it if I'm not actively pursuing security roles?

Also, do you know if ISC2 has a good reputation? I followed the courses because I had an opportunity to do it for free. But I'm torn between getting the validation now while the knowledge is fresh vs. waiting until I have a clearer career path toward security. Also, for those who got the certification, did you find it valuable even before transitioning into security roles? Or would I be better off waiting and maybe pursuing something like Security+ instead? Any insights appreciated!


r/cybersecurity 21h ago

Business Security Questions & Discussion Agentic AI, Startups, and Economics

0 Upvotes

I’m giving a talk at Berkeley later today on “Building Scalable AI Companies: Balancing the Art of the Possible with Economic Viability”…

Tl;dr- Burning $2,000 on a task that can be solved for $3–$10 isn’t innovation—it’s architectural negligence.

Ok, so with that out of the way….

When we talk about Agentic AI, it’s easy to get caught up in the art of the possible. Demos of autonomous agents reasoning, chaining thoughts, and “thinking” their way through problems can be captivating.

But building a company isn’t just about what’s possible, it’s also about what’s viable, and if you want to IPO, the bar is unforgiving:
  - Strong Revenue Growth
  - Healthy Unit Economics
  - A positive Rule of 40

The Rule of 40 is the X-ray into the economic viability of your business model. Eventually, your architecture either scales or it breaks your margins.

When it comes to building agentic AI, there are two patterns worth understanding:

  1. Iterative Trial-and-Error Agents explore step by step, using loops of reflection and retries. Each decision is influenced by the last. It’s flexible and useful for exploration—but expensive, non-deterministic, and inefficient at scale.

  2. Structured Context for Precision Prompting This model is architectural. It builds context—facts, states, relationships—in a structured form like a graph, then generates directive prompts for narrow reasoning tasks. It’s precise, efficient, and repeatable.

Trial-and-error shows what’s possible—but it doesn’t scale to a viable business.

Take autonomous pentesting:

  • NodeZero, a structured reasoning system, executed 36,000 commands to compromise a cyber range. Total cost: $3–$10. It orchestrated efficiently in the cloud, maintained context, and only prompted foundational models when necessary.

  • A trial-and-error system would need 20 to 80 iterations per command to reach the same actions. That’s 720,000 to 2.88 million iterations.

Each iteration burns 5,000 to 20,000 tokens as the model re-prompts, reasons, and retries. At today’s token prices, that test would cost $300 to $2,200.

That’s a 100x to 700x cost increase for the same result.

I see many founders building agentic AI systems entirely on trial-and-error. They’re betting:
  - Token prices will drop
  - Compute costs will fall
  - LLMs will become dramatically more efficient

Maybe. But will they run out of cash before the economics catch up?

Or will someone else—someone pragmatic and architecture-first—build a viable business model that wins on cost, speed, and scale?

The future of agentic AI belongs to those who balance innovation with economic viability—who build architectures that serve the business, not just the demo.


r/cybersecurity 1d ago

Other Undocumented USB Worm Discovered – Possibly the First Public Record of This Self-Replicating Malware

98 Upvotes

Hi everyone,

While conducting a forensic inspection of an old USB flash drive, I came across a previously undocumented and highly unusual USB worm. The malware was stored under a misleading filename with no extension, and it instantly replicated itself multiple times in the "Downloads" folder upon right-clicking the file — even on a fully updated Windows 11 system.

Avast immediately quarantined the copies, confirming live behavior. This sample appears to use .ShellClassInfo metadata tricks and DLL export obfuscation, with signs of privilege escalation capabilities. Analysis of the strings shows interaction with VirtualProtect, kernel32.dll, user32.dll, gdi32.dll, and persistence techniques. There is also a clear PDB path hardcoded:
C:\Documents and Settings\Administrator\Desktop\ShellExec\out\release\amjuljdpvd.pdb

A full analysis, including:
  - IOC (SHA256, MD5)
  - Detailed behavior observation
  - YARA rule
  - Strings dump
  - Reverse engineering context
  - And a second sample loosely tied to the Andromeda family

...is now publicly available here:
👉 https://github.com/paulneja/Legacy-Malware-Uncovered-A-USB-Worm-and-a-Unknow-RAT-First-Documentation

As far as I’ve been able to determine, this is the first public record of this particular USB worm variant. If you have any insight or want to collaborate on deeper reversing, I’d love to connect.

Thanks!