No good deed goes unpunished

I think I speak for just about the entire security industry when I say that I really value the work of the people who help out on security forums.
These people put in a lot of hard work and effectively it’s all voluntary.

Some of these people create tools to remove certain malware families/types, and these tools will be very popular within the communities that they belong too.

Recently the tools created by members of one community have proved so popular that someone decided to copy them. Most of these tools are scripts, which means that they can very easily be edited. Normally editing is done to update the scripts so that they can detect new malware. Sadly, in this case someone has basically copied the scripts and put his own name to them.

This copying and taking credit for other people’s work has been going on for quite a while now. Normally ignoring such people is the best course of action, so as not give them any (more) attention, but I think a line has been overstepped.

‘Pcbutts1’ is actively promoting ‘his’ anti-malware tools which remove a number of threats. This is what people see when they go to his very recently updated downloads page.


The people listed on this page are well respected within the security community and a number of them are actually Microsoft MVPs. It’s ‘pcbutts1’ who is the fraud, not them.

Let’s hope ‘pcbutts1’ grows up – and fast.

No good deed goes unpunished

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox