Labs Live
Ever felt totally stuck with a lab? Getting frustrated? Maybe you could have used the helpful guidance of an expert? Introducing Labs Live, a groundbreaking community webinar series from Immersive! For the first time, we're bringing you live, interactive lab sessions led by seasoned professionals. In each Labs Live webinar, you'll collaborate directly with an expert as they navigate a challenging lab. They'll share their techniques, answer your questions, and together, you might even discover new insights. This isn't just a demonstration; it's a hands-on learning experience.Don't miss out on this unique opportunity to elevate your cyber skills. Our very first Labs Live session will be hosted by KevBreen Senior Director of Cyber Threat Research, as he tackles the latest Cyber Threat Intelligence Lab. Join him on April 25th to solve it together!New CTI Lab: CVE-2025-35433 (Erlang SSH): Offensive
On April 16, 2025, a critical vulnerability, identified as CVE-2025-32433, was disclosed in the Erlang/OTP SSH server. This critical vulnerability allows unauthenticated attackers to execute arbitrary code on affected systems by sending specially crafted SSH messages before authentication. After these messages have been sent, attackers have code execution on the victim machine. This lab will walk you through the mechanics of this vulnerability, helping you understand its implications and learn how an attacker could exploit it. Why is this lab important? Given Erlang's widespread use in telecommunications, IoT, and distributed systems, this vulnerability poses a significant risk to victims in multiple sectors and industries. Customers using Erlang should assess its vulnerability status and patch as soon as practicable. Who is this lab for? This lab is an offensive CTI lab, so it primarily benefits penetration testers and red teamers. That said, it's still incredibly valuable for defensive personas as well, so they can see how the attack could work. These personas include: SOC Analysts Incident Responders Threat Hunters Here is the link to the lab: https://iml.immersivelabs.online/v2/labs/cve-2025-35433-erlang-ssh-offensiveOperational CTI: Lessons from the Attacks That Didn’t Target You
Watch the recording from this event here ⬇️ Many organizations overlook vulnerabilities and attack campaigns that don’t directly impact them. While this makes sense for risk prioritization, studying these threats can reveal valuable insights that improve your defensive posture and technical skills. In this webinar, we’ll take you through a technical analysis of a recent malicious campaign and explore how analyzing adversary techniques — even those that haven’t targeted your organization — can uncover hidden gaps in your security strategy and enhance your ability to detect and mitigate future threats. Key Takeaways Threat Awareness Beyond Your Scope – Understanding attack campaigns that don’t directly affect your organization can still provide critical insights into evolving threat landscapes. Improving Defensive Posture – Learning from other attacks helps identify weaknesses in your own security strategy before they become exploited. Expanding Technical Knowledge – Deep-diving into attack techniques and vulnerabilities sharpens your ability to detect and mitigate sophisticated threats. Proactive Security Mindset – Adopting a proactive rather than reactive approach can help organizations stay ahead of adversaries, even if they’re not immediate targets. Applying Lessons Practically – Insights from external threats can shape better incident response plans, detection rules, and security skills.Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness
This event has now ended. You can watch the recording here. --- 📢 Today's the day! Our exclusive Community webinar 'Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness' will be live at 3pm GMT (10am EST). Here's a few tips to help you get the most from your experience: 🚀 This is a live, interactive session. Make sure you join the session promptly in order to get the full experience. 🔗 To join today's session, visit the event page or simply use the Zoom link. ❓You’ll also have the opportunity to participate in a Q&A with our expert panel so you can leave with an action plan to turn your ideas into reality! You can pre-submit questions here. Event Description Have you ever wondered how Immersive Labs can release CTI labs on the latest threats so quickly? Come backstage with us on this ✨ Community Exclusive ✨ event to learn just how we do it. BenMcCarthy and benhopkins, two of the experts from the CTI team will reveal what it takes to make a lab, some of their favourites from 2024 and what is to come from the CTI team. Agenda What are CTI labs and how do we select labs to build? Build Stage 1 - Research Build Stage 2 - "Labified" Build Stage 3 - Content Build Stage 4 - QA Some of our favourite labs Examples of speedy launches of labs C2 research What next for our Threat Research and CTI Labs You’ll also have the opportunity to pre-submit questions here so you can ensure that you leave with all of the information you need! This is a Community Exclusive event: Hit the attend button to register. This webinar will be live at 3pm GMT and will be recorded.New CTI Labs: CVE-2025-31161 (CrushFTP): Defensive and CVE-2025-31161 (CrushFTP): Offensive
On the 7th April 2025, a vulnerability in the CrushFTP was added to the CISA Kev Catalogue, CrushFTP is an enterprise FTP solution with tens of thousands of instances publicly accessible online. Recent reporting has confirmed that since a proof-of-concept dropped, there has been an uptick in this vulnerability being exploited in the wild. Successful exploitation of this critical vulnerability allows attackers to achieve code execution, file upload, and download, as well as create backdoor accounts. Why should our customers care? As a critical vulnerability with a CVSS base score of 9.8, with no user interaction required, this vulnerability represents a significant impact to customers using CrushFTP or other, similar file transfer solutions. The addition of vulnerabilities to the CISA KEV catalog shows how serious it is and how important it is to patch against the vulnerability, given that the attacker could upload files, achieve persistently, and backdoors onto the server. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Penetration Testers System Administrators Here are the links to the labs: CVE-2025-31161 (CrushFTP): Offensive CVE-2025-31161 (CrushFTP): Defensive In addition, we've released a proof-of-concept script to demonstrate how an attacker could exploit this vulnerability: https://github.com/Immersive-Labs-Sec/CVE-2025-31161New CTI Labs: Water Gamayun: (CVE-2025-26633) Campaign Analysis
Water Gamayun, also known as EncryptHub and Larva-208, is a threat actor (suspected to be of Russian origin) that has been observed exploiting a zero-day vulnerability in the Microsoft Management Console (MMC). This vulnerability has been dubbed MSC EvilTwin and assigned CVE-2025-26633. This lab takes you through the campaign, explaining how the vulnerability works to allow the attacker to silently execute malicious code, and what actions on objective the threat actor performs. Why should our customers care? EncryptHub has been reported to have breached over 618 organizations to deploy StealC, SilentPrism, and ransomware for the purposes of maintaining persistence, stealing data, and causing severe operational disruption; therefore, our customers should be mindful of this threat actor and their tactics. Their use of a zero day vulnerability shows how standard Windows configurations can be abused by threat actors to silently transport this malware into a victims environment to allow attackers to fulfil their operational objectives. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Here is the link to the campaign analysis lab: https://immersivelabs.online/labs/water-gamayun-campaign-analysisReverse Engineering SmokeLoader: An In-Depth Analysis (Part 3)
The previous blog entry covered how SmokeLoader uses various obfuscation techniques to slow reverse engineers down. We also identified yet another shellcode being allocated to a memory region, which we then dumped and analysed. In this blog entry, we’ll try to identify some of the key API functions the malware employs through dynamic API resolution to allocate memory, store shellcode, and deceive analysts. This third stage uses techniques similar to those used before – dynamic API resolution – but this time, the APIs are declared on the stack as their names and don’t go through API hashing. A number of APIs are executed with GetProcAddress for the malware to dynamically resolve functionality. These APIs are: LoadLibraryA(“Kerne32.dll”) GetProcAddress(“VirtualAlloc”) GetProcAddress(“VirtualProtect”) GetProcAddress(“VirtualFree”) GetProcAddress(“GetVersionExA”) GetProcAddress(“TerminateProcess”) GetProcAddress(“ExitProcess”) GetProcAddress(“SetErrorMode”) Then we came up against an issue. The malware only wants to run on a specific version of Windows – we think it was made for Server versions. The Windows API, GetVersionExW, has its return values compared to a very specific version. So when we run this program, it causes an exception as we weren't on the correct Windows version. To get around this for now, we had to set the ZF flag in x32dbg to jump over the code that caused the exception. This is necessary, or the memory address in EAX will cause an exception two lines later. Taking another look at the function, we found another jmp eax! We then performed the same process of setting a breakpoint, executing until that point, and then dumping the memory. Conclusion The third part of our SmokeLoader analysis explored dynamic API resolution, and we found another layer of shellcode in memory to dump. By this point, it was clear that SmokeLoader had multiple layers of shellcode inside it, with layers of obfuscation to slow down reverse engineers. During our analysis, we came across a number of these issues relating to control flow obfuscation. Trying to jump to certain instructions to identify shellcode gave us the EXCEPTION_ACCESS_VOILATION error. The final blog post of this series will discuss this exception more closely, describe how to defeat it and look at some indicators of compromise you can identify in the later stages of reverse engineering.New CTI Labs: Threat Actors: Salt Typhoon – SNAPPYBEE Campaign Analysis & Threat Actors: Salt Typhoon
Salt Typhoon has been a threat actor that has caused a lot of worry for defensive teams all over the world. They are a threat actor group which has been predominately targeting Telecommunication companies. They have been in the media a lot over the past few months for their hacks on telecommunication companies in the US.Immersive were finally able to get access to some of the malware samples, as more get released we shall cover more of the campaigns. Threat Actors: Salt Typhoon This lab takes the user through who Salt Typhoon are, what their techniques, tactics, and procedures are, and who they target. Discussing their previous campaigns in depth and why they are so feared as a group. Salt Typhoon: SNAPPYBEE Campaign Analysis Many of our customers want to learn how salt typhoons operate. This lab shows people how to start hunting for them inside a network, taking our users through the different stages, techniques, and tactics they use and how to identify them for detection. Why should our customers care? Salt Typhoon are a big threat to telecommunication companies around the world. Their main focus is to be in a network and perform cyber espionage without being detected. They largely operate inside networks without being detected for a long time, sometimes even months to a year. Our customers need to proactively understand what this threat is and how to start monitoring for them in their network. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Here is the link to the threat actor lab: https://immersivelabs.online/labs/threat-actors-salt-typhoon Here is the link to the campaign analysis lab: https://immersivelabs.online/v2/labs/salt-typhoon-campaign-analysisReverse Engineering SmokeLoader: An In-Depth Analysis (Stage 2)
This is the second part of a series of blog posts analyzing the SmokeLoader malware. It goes into detail on how we reverse-engineered it to identify its objectives and actions. The first part of this blog series looked at the malware’s contextual information and some of our initial analysis considerations. In this second part, we’ll continue where we left off by going deeper into the debugging and decompiling process to identify more shellcode and obfuscation techniques. As a reminder, we left off the previous post by identifying the first shellcode in memory, which was located at memory address 0x008A300. EAX pointed to this memory address, where deobfuscated instructions were provided. The execution was now at this location, meaning we had to dump the memory and load it into Ghidra for some static analysis. We dumped the whole heap allocation from here instead of starting at 0x2310. When we started analyzing it in Ghidra, we had to start at location 0x2310. The first thing that occurred was a CALL instruction. The second stage of this malware runs similarly to the first stage but employs some API hashing to obfuscate the API function calls that the malware makes. The malware ultimately allocates memory on the heap, places obfuscated data there, deobfuscates it, and then calls it. The starting function of the shellcode resembles a similar structure to the main() of the parent stage malware. We’ve changed some of the names of the functions and variables to help you understand these screenshots. The first function did the API hashing and called a nested function for the process of LoadLibraryA and GetProcAddress. Inside the function called FUN_00002448, you are presented with the following: The image above shows a function that performs the LoadLibraryA and GetProcAddress processes commonly used by malware. This is done for the following APIs: LoadLibraryA(“Kerne32.dll”) GetProcAddress(“GlobalAlloc”) GetProcAddress(“Sleep”) GetProcAddress(“VirtualAlloc”) GetProcAddress(“CreateTool32Snapshot”) GetProcAddress(“Module32First”) GetProcAddress(“CloseHandle”) These APIs indicate some of the malware’s behavior. But the most important here is VirtualAlloc. The size of the allocated location on the heap is important to note for later dumping of the third-stage shellcode. The second important function is the allocation on the heap and the deobfuscation. In the debugger, we set a breakpoint at the line (*local_8)(), which is the location of the return value from VirtualAlloc. This process is the same as the previous stage; we simply had to dump the memory from that location then load it into Ghidra for the next stage! This image shows the jump to the new shellcode location 0x02420000! Conclusion The second part of our SmokeLoader analysis identified another location in memory where shellcode is being allocated and stored. We also identified some obfuscation and XOR decryption being used throughout. Stay tuned for the next blog entry, where we’ll delve even deeper into this sample to identify some of the key API functions the malware employs to allocate memory, store shellcode, and deceive analysts.Reverse Engineering SmokeLoader: An In-Depth Analysis (Stage 1)
At our recent event, Operational CTI: Lessons from the Attacks that Didn't Target You, we shared that we would releasing reverse engineering blogs on SmokeLoader. Here is part 1! SmokeLoader is a malware strain that’s been seen in the wild since at least 2014. It’s a backdoor that can be expanded by adding modules. This versatility makes the malware a bit harder to signature, but it's common practice among malware like this. One notable aspect of SmokeLoader is its attempt to hide its C2 activity by generating requests from legitimate sites as well as domains that the attackers control. Understanding the modules used as add-ons to each build can provide insight around the malware strain and the attack’s objectives. This first blog entry covers the more contextual information around SmokeLoader, including the campaign associated with it. We’ll also cover how we set up our analysis environment, and the considerations we had when analysing the preliminary stages. The campaign The 7Zip campaign saw the exploitation of the CVE-2025-0411 vulnerability. Exploiting this vuln increased an attacker’s chances of successfully infiltrating a company’s workstations by bypassing the Mark of The Web (MoTW) security controls. (We created a lab on the 7Zip campaign. Check it out here.) Once bypassed, the SmokeLoader executable stopped Windows SmartScreen from opening a warning window to the user. This blog picks up where our webinar left off. We’ll cover the SmokeLoader executable and analyze it to show you how it executes itself – there are many layers! The malware we’ll analyze in this blog is the last stage in the Trend Micro report. You can also have a read of VirusTotal’s report here. Let’s get to it! This malware gets downloaded as part of the attack chain with the extension .pdf.exe. In some workstations, file extensions aren’t visible, so in this case, the malicious file looks like it ends with “.pdf”. This is a social engineering tactic that tricks the workstation user into double-clicking the malware, thinking it will open a PDF instead of actual malware. According to VirusTotal, SmokeLoader is a 32-bit executable written using Microsoft Visual Studio and is 249.50 KB in size. This is really useful information you can use to start understanding what sort of instructions and patterns can be added to the binary from the Visual Studio compiler. Analysis setup Don’t forget! As with any malware, it’s important to place it in a sandboxed environment when you analyze it. You don’t know what it’s going to do yet! When doing deep analysis, you’ll need to use a debugger and a disassembler or decompiler. Here, we’re using x32dbg and Ghidra – both incredibly powerful tools. We took the following steps when analyzing the malware: We looked at the decompiler to see what code was coming up and made a hypothesis of what the code was doing. We opened the malware in a debugger and executed the code we analyzed in Step 1, going no further than what we already knew. We replaced any variable names or information in the decompiler to provide further context to the code. We repeated Steps 1–3 until the malware acted on its objectives. Reverse engineering This malware deliberately has many stages to slow down reverse engineers’ analysis. It goes through multiple stages of shellcode extraction and execution, multiple dynamic API resolutions, memory page protection changes, and process injection. The first thing we did was find main(), where the malware author's code is written. Ghidra is really helpful for this! We found the entry point, followed __tmainCRTStartup, double-clicked it, and found the code pattern ___tmainCRTStartup ();. This will help when we start looking for main() in the debugger. We now knew that the main function was the one with 0x7c80 as the last four hex digits of the address. We used this information to set a nice breakpoint on main() in the debugger. This can be confusing when starting out on your reverse engineering journey, so check out our lab on finding main() here.Once we had a breakpoint set at main() in the debugger, we started investigating what happened from there in Ghidra. Two function calls happened: one is a longer function, and the other is a few instructions followed by jmp EAX. Given that EAX has a memory address populated by the data address DAT_00512C44, which is initialized elsewhere in the program, we guessed that there’s some deobfuscation of instructions somewhere, and the jump instruction takes the code to that location. We could have set a breakpoint at jmp EAX in the debugger and executed the code until then. However, some malicious activity might have occurred before the jmp call in the previous function, so it was worth investigating. The first function, shown below, had many do-while loops, meaning that the code will execute the loop at least once. However, we inspected the code inside the loops and found there wasn’t much going on. There was a check at a certain data address, DAT_00512DFC, and actions were taken based on that – though exactly what actions were taken is unclear, given that it doesn’t execute. When checking, we reviewed the memory location of DAT_00512DFC in the debugger and found that it didn’t hold anything meaningful to make those checks occur. This shows that this code is likely kept in the malware, regardless of whether it’s used or not, and will only execute if a certain type of build is created. Another thing to note is that the Windows APIs that get called didn’t really do much anyway, and currently didn’t indicate much malicious activity. Some of the strings in this function might have seemed useful, but if the code doesn’t execute instructions associated with them or doesn’t directly manipulate them, they’re useless to our investigation. So we skipped over the loops in the debugger by finding the instructions after the loop, setting a breakpoint, and running the program until it hits that breakpoint. The third lab in the Foundational Binary Dynamic Analysis collection covers this technique in more detail. Scrolling down, you can see a function that’s outside the if statements and do-while loops: This is FUN_00417440(void). Inside this function is a call to LocalAlloc where the size is stored in DAT_00512dfc and the memory address location is stored in DAT_00512c44. Keen-eyed investigators will notice DAT_00512C44 is the memory location of the jmp EAX in the second function called from main(). This proves that our hypothesis from the beginning was correct: This function sets up a memory location with instructions that get executed later. It’s important to keep track of the value stored in DAT_00512DFC from the debugger because it’ll determine the size of the memory dump we’ll be making later for the shellcode! Finally, when looking at the bottom of the large function, we found a number of function calls: LoadLibraryA was followed by two function calls. This is interesting because the majority of the time, LoadLibraryA in malware is followed by GetProcAddress (which happens to be what’s inside FUN_00417470). Weirdly, though, the return from LoadLibraryA("msimg32.dll") wasn’t used. GetProcAddress in the next function was simply called statically instead of dynamically, finding it with LoadLibraryA. In this function, VirtualProtect was called to change the heap memory to executable! This technique, and how to analyze it, is covered in detail in the fifth lab in the Foundational Dynamic Analysis collection. The function after that holds a lot of XOR and array manipulation, so we assumed this is deobfuscation. The location being written confirmed this, starting at the location of our heap, which was just changed to executable. This technique is also covered in the third lab of the Foundational Dynamic Analysis collection. The final function in the block simply added 0x2310 onto the heap starting address: ` if (iVar4== 0xd606b) FUN_00417460();` So, we learned that everything in the function has been pointless! Attackers do this deliberately to slow down reverse engineers. And it works, but it’s still crucial to take these steps so we can confirm it’s pointless, not just assume that it is. Finally, we set a breakpoint in the debugger at the jmp EAX instruction, ran the program, then dumped the memory. Conclusion This first blog post covered the SmokeLoader malware’s campaign details and some initial analysis considerations, including how to identify and dump the first layer of shellcode. This is just the beginning! Stay tuned for more SmokeLoader analysis, including a look at what anti-analysis and obfuscation techniques are employed.
