Hello and welcome to the Wednesday, July 16th, 2025 edition of the Sands Internet Storm Centers.

Stormcast, my name is Johannes Orich, recording today from Washington, D.C.

And this episode is brought to you by the Sands.edu graduate certificate program in cyber defense operations.

Xagyi has recently been zooming in a little bit on alternate data streams,

and today in his diary he presents Yetner Find a Python script that implements a keystroke logger

and stores that data in an alternate data stream. In addition to keystroke

log data, it also adds clipboard content to the file that could then later be exfiltrated. That

exfiltration is not implemented in the script that Xavier found. It's just the collection of the data.

The file is also marked as hidden,

which I guess supposed to make it a little bit more difficult to find.

Of course, attributes like this aren't always that common,

so they could also be used as an indicator to find suspect file.

Same for alternate data streams.

All the data streams I've talked about in the past, they're being used for the zone identifier or the mark of the web.

However, otherwise not that terribly common. Well, Xavier shows a PowerShell script that you can use to easily find and extract some basic information about

alternate data stream to find potential malicious ones, or at least suspicious ones that

probably should look be closer. And Mac users, be aware, there's yet another

malvertising campaign out there trying to get you to install a malicious version of HomeProoo.

HomePro is a very popular package manager for macOS that allows you to install a lot of

great open source tools. In this particular case described by Deriv Tech, a user that attempt to Google Proo install

or install Prue and was then presented

with a malicious advertisement that directed them to

...