
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast) SANS Stormcast Tuesday, December 2nd, 2025: Analyzing ToolShell from Packets; Android Update; Long Game Malicious Browser Ext.
Dec 2, 2025

This episode walks through an analysis of ToolShell payloads, showing how to decode the PowerShell commands embedded in them. It covers Google's December Android update, which fixes critical vulnerabilities that are already being exploited, and the ShadyPanda malware campaign, in which browser extensions that had been benign for years were turned malicious. The episode also discusses the extensions' shift to spyware-like behavior and offers defensive strategies while attribution remains uncertain.
AI Snips
In-Memory ToolShell Analysis Works End-to-End
- ToolShell SharePoint payloads can be extracted from PCAPs and analyzed end-to-end to reveal embedded actions.
- James Whitworth demonstrates decoding serialized payloads and embedded PowerShell to determine attacker intent.
Extract And Decode Payloads Immediately
- Extract required PCAPs from Seq and pull payloads to inspect deserialization artifacts proactively.
- Decode embedded PowerShell commands to reveal what the payload actually executes in-memory.
ToolShell Uses Multiple Staging Techniques
- Some ToolShell variants deliver benign tooling like a nuclei template before executing additional stages.
- Other variants embed encoded PowerShell directly, showing multiple attack strategies for the same vulnerability.
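As an added example (not code from the episode or the diary it discusses), a small Python decoder for the PowerShell `-EncodedCommand` form (base64 over UTF-16LE) that also peels base64 literals nested inside the decoded script, the layering the snips describe for staged PowerShell. The sample payload is constructed and benign; that ToolShell stages use exactly this encoding is an assumption.

```python
import base64
import re

# Constructed, benign sample (not a real ToolShell payload): a script that
# carries a second base64-encoded stage inside a FromBase64String() literal.
INNER_SCRIPT = "Write-Output 'stage two'"
INNER_B64 = base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode()
OUTER_SCRIPT = (
    "$s=[System.Text.Encoding]::Unicode.GetString("
    f"[System.Convert]::FromBase64String('{INNER_B64}'));"
    "Invoke-Expression $s"
)
# The value an attacker would pass as -EncodedCommand: base64 over UTF-16LE.
SAMPLE_ENCODED_COMMAND = base64.b64encode(OUTER_SCRIPT.encode("utf-16-le")).decode()

B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_encoded_command(blob: str) -> str:
    """Decode a PowerShell -EncodedCommand value (base64 of UTF-16LE text)."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le")


def _decode_literal(b64: str) -> str:
    """Decode an inner base64 literal, sniffing UTF-16LE vs. UTF-8/ASCII."""
    raw = base64.b64decode(b64)
    # A NUL in every second byte is the tell for UTF-16LE (Unicode.GetString).
    odd_bytes = raw[1::2]
    if len(raw) >= 2 and odd_bytes.count(0) == len(odd_bytes):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def unwrap_layers(blob: str, max_depth: int = 5) -> list[str]:
    """Return the outer script followed by every nested base64 stage found."""
    layers = [decode_encoded_command(blob)]
    frontier = [layers[0]]
    for _ in range(max_depth):  # bounded so a self-referential blob cannot loop
        next_frontier = []
        for script in frontier:
            for match in B64_LITERAL.finditer(script):
                decoded = _decode_literal(match.group(1))
                layers.append(decoded)
                next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return layers
```

The returned list gives each stage in the order it would execute, which is the view needed to judge what the payload actually does in memory.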
