The “Great Cannon” has been deployed again

December 4, 2019 | Chris Doman
Chris Doman

Threat Engineer

I've had a long interest in security, but joined the industry after winning the civilian section of the Department of Defense's forensics competition. I run a popular threat intelligence portal in my spare time, and hold a CCHIA (Certified Host Intrusion Analyst) from CREST and a degree in Computer Science from the University of Cambridge.

January 8, 2018 | Chris Doman

A North Korean Monero Cryptocurrency Miner

AlienVault labs recently analysed an application compiled on Christmas Eve 2017. It is an Installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea. The Installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with…

November 9, 2017 | Chris Doman

LockCrypt Ransomware Spreading via RDP Brute-Force Attacks

We previously reported on SamSam ransomware charging high ransoms for infected servers. But SamSam isn’t the only ransomware out there charging eye-watering amounts to decrypt business servers. Initial reports of a new variant of ransomware called LockCrypt started in June of this year. In October we saw an increase in infections. LockCrypt doesn’t have heavy code…

October 19, 2017 | Chris Doman

ARP Spoofing Used to Insert Malicious Adverts

Recently we came across a new variant of the malware ServStart. ServStart is primarily used by attackers located in China, in a mix of targeted and opportunistic attacks. The attackers are hosting the ServStart malware on a file server that is open for anyone to view. The open file server at http://222.186.11[.]182:9999 The Rar Archive One of the…

August 21, 2017 | Chris Doman

YARA Support and Other Recent Additions to OTX

AlienVault OTX now supports YARA rules! YARA rules are a great way of detecting, classifying and hunting for malware. We are happy to announce you can now develop, test and share YARA rules on AlienVault OTX. If you'd like to deploy these rules on your own network, here is a script to download the rules (and a big sample set…

August 17, 2017 | Chris Doman

The Upgraded AlienVault OTX API & Ways to Score Swag!

We've made a number of improvements to the depth of data in OTX recently, which are now available via the free API tool. Some of the API functions now include: Malware anti-virus and sandbox reports (example) A Whois API, including reverse whois and reverse SSL (example) View IP addresses that our telemetry indicates a specific network signature has fired on   …

June 21, 2017 | Chris Doman

SamSam Ransomware Targeted Attacks Continue

Normally new variants of ransomware families aren't particularly interesting. SamSam, however, is different. Whereas most ransomware is automatically propagated, SamSam is deployed manually. In addition, the group behind SamSam charges very high ransoms because of the amount of effort invested in their operations, which made them the subject of two FBI Alerts last year. The attacks seem to peak…

May 6, 2017 | Chris Doman

MacronLeaks – A Timeline of Events

It's been a very familiar feeling reading about the documents leaked to impact the elections in France tomorrow. Often the best defence is to have a proper understanding of what has happened. A quick draft timeline of events from an analysis of document meta-data and forum posts is below. Attacks in March and April A number of domains, identified…

March 31, 2017 | Chris Doman

New Features in Open Threat Exchange (OTX)

It's been a busy couple of months for the OTX team, making lots of improvements to make OTX more useful for security researchers and InfoSec professionals. Thought it was time to give you an update. Here's what's new in OTX: Easier Way to Create Pulses We've rebuilt the way you create pulses from scratch. So you can…

January 26, 2017 | Chris Doman

The Evolution of Threat Intelligence

Hi! My name is Chris Doman and I've just joined AlienVault to work on the Open Threat Exchange (OTX) platform. As a way to say hello, I've put down some thoughts on why I was so keen to come work on OTX. A lot has changed since I jumped into cyber security just 5 years ago. First there was…