I just built APTsearch a red-team–oriented search engine for APT groups & MITRE ATT&CK TTPs kinda MITRE ATT&CK lite lool :)
thanks to antigravity ofc 😅
MITRE is powerful… but let’s be real, it’s also confusing
APTsearch flips it into attacker logic.
🔍 Search APT groups
🧠 Explore their real-world TTPs
🤖 AI-assisted explanations (why attackers use a technique, how it fits the kill chain)
🧱 No backend static, hosted, clean
🔄 Data auto-refreshed every month
i will add kinda IOC soon like detection and mitigation thingy
so i built this as a red team / blue team / learning tool and as a portfolio-grade project
Would love feedback from yall
website :> APTsearch
@AfroSec
thanks to antigravity ofc 😅
MITRE is powerful… but let’s be real, it’s also confusing
APTsearch flips it into attacker logic.
🔍 Search APT groups
🧠 Explore their real-world TTPs
🤖 AI-assisted explanations (why attackers use a technique, how it fits the kill chain)
🧱 No backend static, hosted, clean
🔄 Data auto-refreshed every month
i will add kinda IOC soon like detection and mitigation thingy
so i built this as a red team / blue team / learning tool and as a portfolio-grade project
Would love feedback from yall
website :> APTsearch
@AfroSec
⚡15🔥3🎉2❤1
#redteam_yap
Have you heard about MOTW (Mark of the Web)?
aight let’s cook
MOTW is basically a trust badge Windows slaps on files that come from the internet.
Think of it as Windows saying:
> “yoo hold up bro, you’re a guest here ”
What’s really happening?
* MOTW is implemented using NTFS Alternate Data Streams (ADS)
* When a file is downloaded from the internet, Windows attaches metadata like:
- ZoneId
- Source URL
- Referrer info
- Most common case: ZoneId = 3 (Internet Zone)
there are 5 zones
ZoneId, Meaning
0 Local computer
1 Local intranet
2 Trusted sites
3 Internet (most common for downloads)
4 Restricted sites
Once that tag exists, Windows components start acting paranoid:
- 🛑 Microsoft SmartScreen
- 🛑 Microsoft Office (Protected View)
- 🛑 Other security-aware apps
Result?
Pop-ups like:
> “Are you _sure_ you want to open this file?”
> “This file came from an untrusted source.”
From an attacker’s perspective… yeah, that’s annoying 😏
😈 Attacker mindset: Okay, how do we blend in?
Since MOTW depends on ADS, the game becomes:
> Deliver the payload without inheriting ADS
Especially useful for multi-stage payloads, loaders, or initial access files.
and yup there are well-known, still-used ways to do this :)
This is gold for lateral movement and internal phishing 🎯
Real Threat Actors Using These Techniques
Groups known to abuse MOTW bypass paths:
- TA505
- APT38
- APT29
@AfroSec
Have you heard about MOTW (Mark of the Web)?
aight let’s cook
MOTW is basically a trust badge Windows slaps on files that come from the internet.
Think of it as Windows saying:
> “yoo hold up bro, you’re a guest here ”
What’s really happening?
* MOTW is implemented using NTFS Alternate Data Streams (ADS)
* When a file is downloaded from the internet, Windows attaches metadata like:
- ZoneId
- Source URL
- Referrer info
- Most common case: ZoneId = 3 (Internet Zone)
there are 5 zones
ZoneId, Meaning
0 Local computer
1 Local intranet
2 Trusted sites
3 Internet (most common for downloads)
4 Restricted sites
Once that tag exists, Windows components start acting paranoid:
- 🛑 Microsoft SmartScreen
- 🛑 Microsoft Office (Protected View)
- 🛑 Other security-aware apps
Result?
Pop-ups like:
> “Are you _sure_ you want to open this file?”
> “This file came from an untrusted source.”
From an attacker’s perspective… yeah, that’s annoying 😏
😈 Attacker mindset: Okay, how do we blend in?
Since MOTW depends on ADS, the game becomes:
> Deliver the payload without inheriting ADS
Especially useful for multi-stage payloads, loaders, or initial access files.
and yup there are well-known, still-used ways to do this :)
1. MOTW Evasion Techniques (Still Wildly Relevant) Container / Disk Image Formats
Examples:
- .iso
- .vhd
- .vhdx
- .img
Why this works:
- When mounted via Windows Explorer, files inside the virtual disk do NOT inherit MOTW
- Payload comes out looking “local” 👌
> Still abused heavily in real-world campaigns btw.
2. Physical Transfer / Internal Copy
- USB devices
- Copying from another internal machine
No browser → no ADS → no MOTW
Old-school, but effective.
3. Internal Email Attachments
- Payload archived (ZIP/RAR)
- Password-protected archive
- Sent from a compromised internal mailbox
> Even in modern Microsoft 365 environments (as of 2026):
> Internal emails do NOT apply MOTW by default
> Unless orgs explicitly enforce custom policies
This is gold for lateral movement and internal phishing 🎯
Real Threat Actors Using These Techniques
Groups known to abuse MOTW bypass paths:
- TA505
- APT38
- APT29
@AfroSec
✍3🔥2⚡1
Forwarded from Tech Nerd (Tech Nerd)
“Comparison is the thief of joy” is advice for people already in motion … not for those who haven’t started
@selfmadecoder
@selfmadecoder
🔥12❤2⚡1
whaaaat an actual fuck is this man 😢🤯🤯 like those ai chatbot and agent companies should really test their agents especially their RAG pipeline
i was just chatting wiz one chatbot and suddenly i got an idea to test it and when i does boom this happened, it reveals its code base with snippets lol :)
sorry for the image quality btw
@AfroSec
i was just chatting wiz one chatbot and suddenly i got an idea to test it and when i does boom this happened, it reveals its code base with snippets lol :)
sorry for the image quality btw
@AfroSec
🤯6👏2👀1
Forwarded from Sirack's Universe
Anthropic's Claude Code Security Wipes Billions Off Cybersecurity Stocks in a Single Afternoon | Awesome Agents
https://awesomeagents.ai/news/claude-code-security-cybersecurity-stocks-crash/
https://awesomeagents.ai/news/claude-code-security-cybersecurity-stocks-crash/
Awesome Agents
Anthropic's Claude Code Security Wipes Billions Off Cybersecurity Stocks in a Single Afternoon
Anthropic announced Claude Code Security, an AI tool that found 500+ vulnerabilities missed for decades in open-source code. Within hours, JFrog lost 25%, CrowdStrike dropped 8%, and the cybersecurity ETF hit its lowest since November 2023.
👀3😭1
Forwarded from Florida🛸
Machine Learning Augmented Attacks
Recent threat reporting shows malicious actors are actively using AI as a force multiplier for offensive operations.
The interesting part isn’t that AI can generate code(i mean we already knew that)
The real shift is:
-Polymorphic Malware: rapid generation of variants to evade signature-based detection.
-Linguistic Smoothing: low skill actors are now bypassing "broken English" red flags in phishing.
-Condensed Attack Cycles: Reconnaissance and profiling that took days now take minutes.
🔴For Security & Red Teams
Focus less on what is generated,and more on how fast and how often:-
1.Content Velocity: abnormal speeds in phishing deployment.
2. LLM Wrappers: malicious use of open-source models in botnets.
3. Linguistic Patterns: Fluency ≠ legitimacy
4.Adaptive Payload Mutation: watch for rapid iteration patterns rather than static signatures.
AI is now part of both the exploit chain and the defense stack,the advantage won’t belong to whoever “uses AI”,it will belong to whoever understands how it changes execution speed.
Recent threat reporting shows malicious actors are actively using AI as a force multiplier for offensive operations.
The interesting part isn’t that AI can generate code(i mean we already knew that)
The real shift is:
-Polymorphic Malware: rapid generation of variants to evade signature-based detection.
-Linguistic Smoothing: low skill actors are now bypassing "broken English" red flags in phishing.
-Condensed Attack Cycles: Reconnaissance and profiling that took days now take minutes.
🔴For Security & Red Teams
Focus less on what is generated,and more on how fast and how often:-
1.Content Velocity: abnormal speeds in phishing deployment.
2. LLM Wrappers: malicious use of open-source models in botnets.
3. Linguistic Patterns: Fluency ≠ legitimacy
4.Adaptive Payload Mutation: watch for rapid iteration patterns rather than static signatures.
AI is now part of both the exploit chain and the defense stack,the advantage won’t belong to whoever “uses AI”,it will belong to whoever understands how it changes execution speed.
🔥3👌2