SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Thursday, August 28th, 2025: Launching Shellcode; NX Compromise; Volt Typhoon Report

Aug 28, 2025
Discover an intriguing malware technique that uses PowerShell to launch shellcode while evading endpoint detection. Learn about the NX build package compromise that leveraged AI to pilfer credentials. The discussion also highlights a global report on the 'Volt Typhoon' cyber threat, revealing the extensive impact of state-sponsored espionage. Stay informed about these critical cyber risks and how they may affect systems worldwide.
ADVICE

Monitor Uncommon API Execution

  • Monitor for uncommon API usage patterns like unexpected calls to CallWindowProcA and in-memory payload execution.
  • Use behavior-based EDR rules that flag execute-from-data patterns rather than only allocation/syscall signatures.
INSIGHT

Shellcode Via CallWindowProcA

  • Attackers can execute shellcode by passing a memory pointer into CallWindowProcA instead of creating a new thread or marking memory executable.
  • This technique can evade EDRs that look for the common allocate-copy-execute pattern.
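As an added example (not code from the podcast or from SANS), a defender-side check in Python for the monitoring advice above: it scans constructed API telemetry and flags CallWindowProcA calls whose callback pointer lies outside any mapped module, which is the execute-from-data pattern the snip describes. The region and call field names are assumptions; map them to whatever your EDR or API tracer emits.

```python
# Added example: flag execute-from-data CallWindowProcA calls in API telemetry.
# Telemetry layout and the sample events are constructed for this example;
# adapt the field names to whatever your EDR or API tracer emits.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Region:
    start: int
    end: int
    kind: str     # "image" = mapped module, "private" = heap / VirtualAlloc
    protect: str  # page protection, e.g. "RX", "RW", "RWX"

@dataclass(frozen=True)
class ApiCall:
    pid: int
    api: str
    args: dict = field(default_factory=dict)

def classify_call(call: ApiCall, regions: list[Region]) -> tuple[str, str]:
    """Return (verdict, reason). Suspicious: CallWindowProcA whose callback
    pointer (lpPrevWndFunc) is outside a mapped image, i.e. in data memory."""
    if call.api != "CallWindowProcA":
        return "ignore", "not a monitored API"
    target = call.args["lpPrevWndFunc"]
    region = next((r for r in regions if r.start <= target < r.end), None)
    if region is None:
        return "alert", f"callback {target:#x} is not in any mapped region"
    if region.kind != "image":
        return "alert", f"callback {target:#x} is in {region.kind} {region.protect} memory"
    return "ok", f"callback {target:#x} is inside a mapped image"

def run_detection(calls: list[ApiCall], regions: list[Region]) -> list[tuple[ApiCall, str]]:
    alerts = []  # calls that should raise an alert, paired with the reason
    for call in calls:
        verdict, reason = classify_call(call, regions)
        if verdict == "alert":
            alerts.append((call, reason))
    return alerts

# Constructed sample: a legitimate callback inside a loaded DLL, then one into RWX heap.
SAMPLE_REGIONS = [
    Region(0x7FF8_0000_0000, 0x7FF8_0020_0000, "image", "RX"),
    Region(0x0000_0260_0000, 0x0000_0261_0000, "private", "RWX"),
]
SAMPLE_CALLS = [
    ApiCall(4242, "VirtualAlloc", {"lpAddress": 0x0000_0260_0000, "flProtect": "RWX"}),
    ApiCall(4242, "CallWindowProcA", {"lpPrevWndFunc": 0x7FF8_0001_0000}),
    ApiCall(4242, "CallWindowProcA", {"lpPrevWndFunc": 0x0000_0260_0100}),
]
```

Run `run_detection(SAMPLE_CALLS, SAMPLE_REGIONS)` to see only the heap-backed callback flagged; the allocation itself is not alerted on, so the rule fires on the execute step rather than the allocate step.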
ADVICE

Remediate After Tool Compromise

  • Update to the fixed NX release and search GitHub for unexpected repositories or secret postings tied to your account.
  • Rotate any keys and credentials that may have touched developer machines used during the compromise window.