Log inSign up
Georgy Kucherin
Kaspersky
117 posts
user avatar
Georgy Kucherin
Kaspersky
@kucher1n
Researching malware @ Kaspersky GReAT
Joined April 2023
468
Following
4,648
Followers

New to X?

Sign up now to get your own personalized timeline!

Create account

By signing up, you agree to the Terms of Service and Privacy Policy, including Cookie Use.

Terms·Privacy·Cookies·Accessibility·Ads Info·© 2026 X Corp.
Don't miss what's happening
People on X are the first to know.
Log inSign up
  • user avatar
    Georgy Kucherin
    Kaspersky
    @kucher1n
    Jul 10, 2025
    A few weeks ago, I was responding to a cybersecurity incident - $500,000 have been stolen from a #blockchain developer. The infected operating system was freshly installed, and the victim was vigilant about cybersecurity. How could this happen? New supply chain attack? [1/6]
    123K
  • user avatar
    Georgy Kucherin
    Kaspersky
    @kucher1n
    Dec 27, 2023
    Today, I will be giving a talk on Operation Triangulation with @oct0xor and @bzvr_ at #37c3 in Hamburg. Come see our talk if you are interested in learning more about this attack!
    Image
    849K
  • user avatar
    Georgy Kucherin
    Kaspersky
    @kucher1n
    Jun 21, 2023
    Our next blogpost on #iOSTriangulation (securelist.com/triangledb-tri…) is finally out. Today we are ready to share details about the final payload used in the attack, which is a #spyware implant that we dubbed #TriangleDB @bzvr_ @2igosha [1/3]
    Image
    Dissecting TriangleDB, a Triangulation spyware implant
    From securelist.com
    117K
  • user avatar
    Georgy Kucherin
    Kaspersky
    @kucher1n
    Apr 3, 2023
    Hey everyone, this is my first tweet! We identified a backdoor we dubbed #Gopuram, the final payload in the #3CX attack. The threat actor (likely to be Lazarus) has deployed it to cryptocurrency companies. More details in this thread and on Securelist (securelist.com/gopuram-backdo…)
    Image
    Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack
    From securelist.com
    59K
  • user avatar
    Georgy Kucherin
    Kaspersky
    @kucher1n
    Jul 10, 2025
    Replying to @kucher1n
    Lesson learned - malicious open-source packages still remain a steady source of income for cybercriminals. Even cybersecurity-aware developers can fall victim to attacks like this one! [6/6] Find out more details about this attack here:
    Image
    The Solidity Language open-source package was used in a $500,000 crypto heist
    From securelist.com
    9.3K
  • user avatar
    Georgy Kucherin
    Kaspersky
    @kucher1n
    Jul 10, 2025
    Replying to @kucher1n
    After examining the developer's hard disk, I found out that the cause of the infection was an installed malicious extension for the Cursor AI IDE. It was supposed to highlight code written in Solidity, but in reality it acted as a malicious downloader. [2/6]
    Image
    12K
  • user avatar
    Georgy Kucherin
    Kaspersky
    @kucher1n
    Feb 24, 2025
    Malware developers don't necessarily have to invent something innovative to earn lots of money. Check out how this actor managed to steal almost $485,000 with the help of a dozen GitHub accounts, AI, and a bit of luck:
    Image
    Fake GitHub projects distribute stealers in GitVenom campaign
    From securelist.com
    7.6K
  • user avatar
    Georgy Kucherin
    Kaspersky
    @kucher1n
    Jul 10, 2025
    Replying to @kucher1n
    But how could the infected developer, who was quite experienced, have downloaded this obviously malicious extension? It turns out that attackers have been able to make the malicious extension rank higher than the legitimate one. [3/6]
    Image
    12K
  • user avatar
    Georgy Kucherin
    Kaspersky
    @kucher1n
    Sep 12, 2023
    Together with @bzvr_, we identified a likely supply chain attack involving a Linux software called Free Download Manager. Its malicious installer package was distributed during 2020-2022 - and it took more than 3 years to discover it. Read this🧵 to learn more about this attack!
    Image
    25K
  • user avatar
    Georgy Kucherin
    Kaspersky
    @kucher1n
    Jul 10, 2025
    Replying to @kucher1n
    Interestingly, after the malicious package was removed from the extension store, attackers republished it, inflating the number of its downloads to 2M. The descriptions of the two packages in the screenshot look so much alike, and it's very easy to download the wrong one! [5/6]
    Image
    11K
  • user avatar
    Georgy Kucherin
    Kaspersky
    @kucher1n
    Oct 2, 2024
    If you are interested in learning more about a very sophisticated and rarely observed APT called The Mask (aka Careto), come to my talk with @Seifreed at @virusbtn! It’ll be super fun!
    8.5K
  • user avatar
    Georgy Kucherin
    Kaspersky
    @kucher1n
    Jul 10, 2025
    Replying to @kucher1n
    The implants downloaded by this malicious extension were quite cheap to manage - the ScreenConnect software, the open source Quasar backdoor, and an infostealer. With their help, attackers managed to get access to cryptocurrency wallets and transfer money from them. [4/6]
    8.3K
  • user avatar
    Georgy Kucherin
    Kaspersky
    @kucher1n
    Oct 5, 2023
    Just presented a talk on virtual machine deobfuscation at #VB2023!
    Image
    4K
  • user avatar
    Georgy Kucherin
    Kaspersky
    @kucher1n
    Jun 1, 2023
    Recently, I've been researching #OperationTriangulation, a very sophisticated campaign targeting iPhones of my colleagues. They have been infected (through zero-click exploits) with APT malware. Here are some results of our research: securelist.com/operation-tria…. @bzvr_ @2igosha
    Image
    Operation Triangulation: iOS devices targeted with previously unknown malware
    From securelist.com
    5.2K