r/threatintel

I've been doing reverse engineering and malware analysis for sometime now, and I noticed something frustrating: every detection tool flags isolated signals separately. One tool screams "entropy is high!" Another yells "found injection APIs!" A third matches a YARA rule. But nobody tells you if these signals actually mean your binary is malicious or just legitimate software doing normal things.

So I built Binary Atlas—a static PE analysis engine that runs 14 detectors but scores confidence instead of just screaming alerts.

Why This Matters:

Most tools have insane false positive rates on legitimate Windows utilities

Single signals (high entropy, API imports, YARA matches) are meaningless in isolation

Correlation > Isolation

How It Works (5 Steps):

Check if Windows trusts it (valid Authenticode signature) → LOW risk

Parse PE headers, sections, imports, strings, hashes

Run 14 detectors (packing, anti-analysis, persistence, shellcode, etc.)

Unified classifier deduplicates findings and weights signals

Score confidence (HIGH/MEDIUM/LOW) + generate detailed reports

What Makes It Different:

Instead of: "Found CreateRemoteThread—FLAGGED!"

Binary Atlas does:

CreateRemoteThread detected ✓ (confidence: MEDIUM—debuggers use this)

WriteProcessMemory detected ✓ (confidence: MEDIUM—could be legitimate)

Registry persistence APIs detected ✓ (confidence: MEDIUM)

Anti-debug checks in strings ✓ (confidence: MEDIUM)

Unified result: "All 4 signals pointing toward injection + persistence = HIGH confidence malware"

The 14 Detectors:

Packing analysis | Anti-analysis detection | Persistence mechanisms | DLL/COM hijacking | Shellcode patterns | Import anomalies | Resource analysis | Mutex signatures | Overlay detection | String entropy | YARA scanning | Compiler identification | Threat classification | Security headers

Static analysis only ( To be honest sandboxin the file confirms everything)

High false positives on some legitimate software

Looking for feedback on:

How to reduce false positives further?

Which detection modules would be most useful?

Any malware researchers want to contribute better YARA rules?

Checkout Github: https://github.com/bilal0x0002-sketch/Binary-Atlas/

https://www.lelibrepenseur.org/samuel-hassine-patron-de-filigran-ecarte-du-voyage-de-macron-pour-pedopornographie/

New elite pedophilia scandal: a brutal fall. Samuel Hassine , founder and CEO of Filigran , a leading French cybersecurity company, was urgently removed from the delegation accompanying Macron to Asia. Aged 39, he is suspected of having purchased child pornography images and videos on the Darknet using cryptocurrencies.

Filigran, founded in 2022, develops cyber threat intelligence and attack simulation tools. The company is used by over 6,000 organizations worldwide, including the FBI , the European Commission, and several US agencies. Hassine, a former ANSSI employee, had raised tens of millions of euros and positioned his startup as a flagship of the French Tech scene.

According to reports, he is among the twenty buyers identified in France in a vast European investigation into a clandestine Darknet platform. Investigators have arrested several suspects for possessing and acquiring particularly serious child pornography. The Élysée Palace reacted swiftly by excluding him from the presidential trip to Japan and South Korea.

This scandal has once again tarnished the reputations of the French Tech scene and those in power. A rising figure in cybersecurity, with close ties to government institutions, finds himself at the heart of a sordid criminal case. The investigation is ongoing. 

additional Links
https://www.leparisien.fr/faits-divers/pedopornographie-un-patron-de-la-french-tech-prevu-dans-la-delegation-demmanuel-macron-en-asie-mis-en-cause-apres-un-vaste-coup-de-filet-03-04-2026-CULCDDQMQNFB5NQQ4WXV2UHEPQ.php (pay walled)
https://x.com/BastionMediaFR/status/2040111909546938799
https://www.instagram.com/p/DWth0BhiGhS/
https://geopolintel.fr/article4521.html

Hey everyone!

I’ve been building out a distributed honeypot network to track exploitation trends, and the data coming in has been pretty awesome. Over the past two weeks alone, the sensors have logged 3 million records, and this is climbing as sensors are being added!

The goal is to turn this into a collaborative intelligence hub. We’ve already had a few early users successfully track an ADB Mirai botnet before it hit the THN headlines, and we are currently seeing active exploitation attempts for several fresh router-based CVEs that haven’t been widely documented yet.

How it works: I’m opening up the platform for others to explore the data. To keep the network growing and the intel high-quality, it’s a "give-to-get" model:

• Contribute: Host a sensor/node to feed the network.
• Access: Once you’re contributing, you get full access to the entire global dataset to run your own queries and research.

If you’re interested in threat intelligence, malware behavior, or just want to see what’s hitting the sensors in real-time, come help us map the data.

Check it out here: boarnet.io

I’m still working through a lot of the data, so I’d love to see what findings you all dig up. Happy to answer any questions about the stack or the sensor deployment in the comments!

Hi r/threatintel,

I recently received mod approval to share a project I’ve been building called DysruptionHub: https://dysruptionhub.com/

DysruptionHub is a cyber incident tracking and reporting site focused on the United States and its territories. The site has been active since 2024 and focuses on publicly reported cyberattacks and technology disruptions where there may be public-interest, operational or community impact.

The site tracks incidents across six broad categories and displays them on a public incident map: https://dysruptionhub.com/us-map/

• Critical infrastructure
• Healthcare
• Public services
• Government
• Education
• Private sector

DysruptionHub is not a ransomware claim tracking site, and it is not just a scraped incident feed. The site has an inclusion taxonomy for what gets tracked: https://dysruptionhub.com/taxonomy/

The bottom line is that there must be strong signals of a cybersecurity incident and some impact to operations or services. That can include confirmed cyberattacks, suspected cyber-related outages, public-service disruptions, ransomware events, vendor incidents affecting downstream organizations, or other incidents where available public evidence supports tracking.

One of the goals of the project is to connect operational outages to cyber incidents that might otherwise go unreported or underreported. Local governments, schools, utilities, health care providers and other public-facing organizations often disclose “network issues,” “technical difficulties” or service outages without clearly saying whether a cyber incident is involved. DysruptionHub tries to document those cases carefully, connect public evidence where it exists, and improve transparency without overstating what is known.

DysruptionHub combines OSINT collection with human-written investigative reporting. The site uses public notices, local reporting, government updates, social media posts, breach notices, agenda packets, internal documents when available, and direct outreach to document U.S. cyber incidents and suspected cyber-related disruptions.

As an example of the kind of original reporting DysruptionHub does, our most recent original story looked at network issues and a production halt at Foxconn’s Wisconsin operation: https://dysruptionhub.com/foxconn-wisconsin-cyber-outage/

The focus is on operational impact, including what services were disrupted, who was affected, how long recovery took, and what public sources support those conclusions. Articles are human-written and source-reviewed, with an emphasis on attribution and clearly separating confirmed facts from unresolved indicators.

We’re especially interested in incidents that may not receive national attention but still affect services people rely on, such as utility billing, court records, public transit scheduling, library networks, school systems, health care operations, local government services or public safety-adjacent communications.

The core reporting is not paywalled. Articles are free to read, the site is ad-free, and there is also a free weekly summary email of tracked incidents.

For anyone who wants to support the project, optional paid support is available. One tier adds instant alerts, and a higher tier adds additional features, including a watchlist for outages or disruptions that do not yet have confirmed cyber signals. I’m mentioning that for transparency, but the main purpose of this post is to introduce the tracker.

Thanks to the mods for allowing me to share it here. I hope DysruptionHub is useful to others doing threat intelligence, incident tracking, OSINT, or public-sector situational awareness.

Key Details:

• Researchers used valid credentials blocked by Conditional Access policies to initiate the attack
• Exploited the Device Registration Service (DRS) endpoint using device code authentication flow
• Created a "phantom device" registered with a signed Azure AD certificate and private key
• Registered the device as a Windows machine despite it being Linux, leveraging MITRE ATT&CK technique T1098.005 (Account Manipulation)
• Obtained a Primary Refresh Token (PRT) with false device claims that bypassed CA device compliance requirements
• Successfully accessed production tenant containing over 16,000 users without malware or endpoint interaction
• Bypassed Intune compliance requirements by claiming hybrid domain-join status