AlistoIR
AlistoIR Blog

Security insights, response tips, platform updates.

Explore articles and tutorials on AlistoIR, focusing on cybersecurity, detection engineering, incident response, and security operations.

Latest Articles

Browse recent articles from the AlistoIR team.

Featured June 10, 2026 | By Oliver Roca 1 min read

Detecting SEO-Poisoned Fake Utility Malware with Wazuh

SEO poisoning is a common malware delivery technique in which attackers exploit search engine results to trick users into downloading fake software installers. In this campaign, threat actors impersonated legitimate utility tools and used malicious installers to deploy ScreenConnect, establish remote access, create persistence, modify Microsoft Defender exclusions, and potentially deploy GPU mining tools. This blog demonstrates how Wazuh can detect behaviors associated with this attack on Windows endpoints using Sysmon process creation logs. The detection focuses on endpoint activity such as suspicious RuntimeHost.exe execution, scheduled task creation, silent msiexec.exe installation of a masqueraded DLL, Microsoft Defender exclusion changes, and suspicious ScreenConnect execution. Instead of relying solely on indicators of compromise such as domains, IP addresses, and file hashes, this detection approach uses behavior-based rules to provide stronger, longer-term coverage. The blog also includes safe attack emulation steps, expected Wazuh alerts, cleanup commands, and tuning recommendations for production environments where ScreenConnect may be legitimately used.
June 9, 2026 | By Oliver Roca 1 min read

Step-by-step tutorial: how to secure a Linux server against brute-force attacks with Fail2Ban

Fail2Ban is a lightweight tool that protects Linux servers from brute-force attacks by monitoring log files for repeated login failures and automatically blocking the offending IP addresses through the firewall. It works in three steps: log monitoring, pattern detection, and IP banning. Configuration is done in a jail.local file, where you set rules such as the maximum number of retries, the time window in which they are counted, and the ban duration. After restarting Fail2Ban, you can verify the active jails and check which IP addresses are banned. Since log paths differ across Linux distributions, it is important to specify the correct one. To avoid locking yourself out, whitelist your own IP addresses before enabling Fail2Ban.