Jérémy SCION

Principal Threat Researcher

Articles by
Jérémy SCION

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Threat Research & Intelligence
TDR
June 16, 2026

Unveiling ErrTraffic: inside a growing ClickFix malware distribution framework

This report details the ErrTraffic threat and its associated ecosystem, highlighting three specific campaigns and their operators' arsenal.

By
Jérémy SCION
By
Quentin BOURGUE
By
Threat Detection & Research Team
& more
View more
Threat Research & Intelligence
TDR
December 22, 2025

Advent Of Configuration Extraction – Part 4: Turning capa Into A Configuration Extractor For TinyShell variant

Learn how to extract TinyShell configuration data using capa, Capstone and Python to recover RC4-encrypted C2 settings from Linux malware.

By
Pierre LE BOURHIS
By
Jérémy SCION
By
Threat Detection & Research Team
& more
View more
Threat Research & Intelligence
TDR
December 15, 2025

Advent of Configuration Extraction – Part 3: Mapping GOT/PLT and Disassembling the SNOWLIGHT Loader

In-depth analysis of the Snowlight malware loader, focusing on GOT/PLT mapping and ELF disassembly for configuration extraction.

By
Jérémy SCION
By
Pierre LE BOURHIS
By
Threat Detection & Research Team
& more
View more
Threat Research & Intelligence
TDR
December 8, 2025

Advent of Configuration Extraction – Part 2: Unwrapping QuasarRAT’s Configuration

Learn how QuasarRAT configuration extraction works using pythonnet, dnlib and IL analysis to recover encrypted .NET malware settings.

By
Jérémy SCION
By
Pierre LE BOURHIS
By
Threat Detection & Research Team
& more
View more
Threat Research & Intelligence
TDR
December 1, 2025

Advent of Configuration Extraction – Part 1: Pipeline Overview - First Steps with Kaiji Configuration Unboxing

Learn how TDR automates Kaiji configuration extraction using Assemblyline, introducing the malware analysis pipeline and MACO-based workflows

By
Jérémy SCION
By
Pierre LE BOURHIS
By
Threat Detection & Research Team
& more
View more
Threat Research & Intelligence
TDR
November 6, 2025

Phishing Campaigns "I Paid Twice" Targeting Booking.com Hotels and Customers

Sekoia.io exposes a Booking.com phishing campaign targeting hotels and customers using ClickFix and PureRAT malware.

By
Jérémy SCION
By
Quentin BOURGUE
By
Threat Detection & Research Team
& more
View more
Threat Research & Intelligence
TDR
September 30, 2025

Silent Smishing : The Hidden Abuse of Cellular Router APIs

How attackers abuse Milesight cellular router APIs to run smishing at scale via unauthenticated SMS endpoints—targeting Belgium (CSAM/eBox).

By
Jérémy SCION
By
Marc NEBOUT
& more
View more
Threat Research & Intelligence
TDR
May 27, 2025

The Sharp Taste of Mimo'lette: Analyzing Mimo’s Latest Campaign targeting Craft CMS

Analysis of the CVE-2025-32432 compromise chain by Mimo: exploitation, loader, crypto miner, proxyware, and detection opportunities.

By
Jérémy SCION
By
Pierre LE BOURHIS
By
Threat Detection & Research Team
& more
View more
Threat Research & Intelligence
TDR
May 22, 2025

ViciousTrap - Infiltrate, Control, Lure: Turning edge devices into honeypots en masse.

This blog post analyzes the Vicious Trap, a honeypot network deployed on compromised edge devices.

By
Félix AIME
By
Jérémy SCION
By
Threat Detection & Research Team
& more
View more
Threat Research & Intelligence
TDR
February 25, 2025

PolarEdge: Unveiling an uncovered ORB network

This blog post analyzes the PolarEdge backdoor and its associated botnet, offering insights into the adversary’s infrastructure.

By
Jérémy SCION
By
Félix AIME
By
Threat Detection & Research Team
& more
View more
Threat Research & Intelligence
TDR
November 19, 2024

Helldown Ransomware: an overview of this emerging threat

This blogpost provide a comprehensive Analysis of Helldown: Tactics, Techniques, and Procedures (TTPs).

By
Jérémy SCION
By
Threat Detection & Research Team
& more
View more
Threat Research & Intelligence
November 5, 2024

ClickFix tactic: Revenge of detection

This blog post provides an overview of the observed Clickfix clusters and suggests detection rules based on an analysis of the various infection methods employed.

By
Jérémy SCION
By
Threat Detection & Research Team
& more
View more
Threat Research & Intelligence
TDR
September 30, 2024

Hadooken and K4Spreader: The 8220 Gang's Latest Arsenal

On 17 September 2024, Sekoia’s Threat Detection & Research (TDR) team identified a notable infection chain targeting both Windows and Linux systems through our Oracle WebLogic honeypot. The attacker exploited CVE-2017-10271 and CVE-2020-14883 Weblogi

By
Jérémy SCION
& more
View more
Threat Research & Intelligence
TDR
July 23, 2024

Solving the 7777 Botnet enigma: A cybersecurity quest

Discover 7777 botnet (aka Quad7) and its activity, targets, and use of TP-Link routers in Microsoft 365 attacks in our latest investigation.

By
Threat Detection & Research Team
By
Félix AIME
By
Pierre-Antoine DUCHANGE
By
Charles MESLAY
By
Grégoire CLERMONT
& more
View more
Threat Research & Intelligence
TDR
May 13, 2024

Mallox affiliate leverages PureCrypter in MS-SQL exploitation campaigns

Learn about the techniques used by the Mallox ransomware affiliate to compromise an MS-SQL server. Dive into our detailed technical analysis.

By
Threat Detection & Research Team
By
Jérémy SCION
By
Livia TIBIRNA
By
Pierre LE BOURHIS
& more
View more
Threat Research & Intelligence
December 11, 2023

ActiveMQ CVE-2023-46604 Exploited by Kinsing: Threat Analysis

Discover a technical analysis of the exploitation of the CVE-2023-46604 vulnerability by Kinsing intrusion set.

By
Jérémy SCION
By
Threat Detection & Research Team
& more
View more