<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Bubka on bubka hacks stuff</title><link>https://hexpysya.github.io/</link><description>Recent content in Bubka on bubka hacks stuff</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Thu, 16 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://hexpysya.github.io/index.xml" rel="self" type="application/rss+xml"/><item><title>CDEF-EtherRAT</title><link>https://hexpysya.github.io/investigations/cdef-etherrat/</link><pubDate>Thu, 16 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/cdef-etherrat/</guid><description>An attacker breached Maromalix&amp;rsquo;s public-facing web application by exploiting CVE-2025-55182 (Next.js Deserialization RCE). They deployed a multi-stage implant dubbed EtherRAT, which utilizes a blockchain-based C2 mechanism via Ethereum smart contracts to dynamically resolve infrastructure. 
The attacker exfiltrated sensitive data, established multiple persistence mechanisms, and ultimately patched the vulnerability to lock out other actors.</description></item><item><title>Splunk-AWSRaid</title><link>https://hexpysya.github.io/blue_team/splunk-awsraid/</link><pubDate>Wed, 15 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/splunk-awsraid/</guid><description>An attacker conducted a brute-force attack to compromise the helpdesk.luke account, performed reconnaissance from various VPN IPs, exfiltrated sensitive data including customer backups and secrets, modified bucket permissions, and established persistence by creating an admin backdoor account.</description></item><item><title>CDEF-FakeGPT</title><link>https://hexpysya.github.io/investigations/cdef-fakegpt/</link><pubDate>Tue, 14 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/cdef-fakegpt/</guid><description>A malicious Chrome extension masquerading as ChatGPT uses anti-analysis checks, hooks Facebook login forms, and acts as a keylogger, exfiltrating AES-encrypted data via pixel tracking.</description></item><item><title>CDEF-Lockdown</title><link>https://hexpysya.github.io/investigations/cdef-lockdown/</link><pubDate>Tue, 14 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/cdef-lockdown/</guid><description>An attacker performed SYN port scanning against an IIS server, enumerated open SMB shares, uploaded a webshell to the Documents share, triggered a reverse shell on port 4443, and established persistence via AgentTesla dropped into the Startup folder, which exfiltrated data via SMTP to cp8nl.hyperhost.ua.</description></item><item><title>LD-Lumma Stealer - DLL Side-Loading via Click Fix Phishing</title><link>https://hexpysya.github.io/blue_team/ld-lumma-stealer---dll-side-loading-via-click-fix-phishing/</link><pubDate>Tue, 14 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/ld-lumma-stealer---dll-side-loading-via-click-fix-phishing/</guid><description>A Click Fix phishing email impersonating Microsoft lured Dylan into visiting a malicious site, which executed a disguised PowerShell command launching mshta.exe to download the Lumma Stealer payload from overcoatpassably.shop. The host was contained before confirmed data exfiltration.</description></item><item><title>LD-Malicious Macro Executed</title><link>https://hexpysya.github.io/blue_team/ld-malicious-macro-has-been-executed/</link><pubDate>Tue, 14 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/ld-malicious-macro-has-been-executed/</guid><description>A phishing email from &lt;a href="mailto:jake.admin@cybercommunity.info" &gt;jake.admin@cybercommunity.info&lt;/a&gt; delivered a ZIP-archived Word macro document, which executed a PowerShell downloader fetching messbox.exe from greyhathacker.net. The host Jayne was contained after execution was confirmed.</description></item><item><title>Splunk-ShadowRoast</title><link>https://hexpysya.github.io/blue_team/splunk-shadowroast/</link><pubDate>Tue, 14 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/splunk-shadowroast/</guid><description>A masqueraded AdobeUpdater.exe binary established persistence via a registry Run key, injected into cmd.exe, performed AS-REP Roasting with Rubeus against four AD accounts, laterally moved to FileServer using cracked tcooper credentials, enabled RDP, and staged share data for exfiltration.</description></item><item><title>ELK-BumbleBee - GOLD CABIN</title><link>https://hexpysya.github.io/blue_team/elk-bumblebee---gold-cabin/</link><pubDate>Mon, 13 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/elk-bumblebee---gold-cabin/</guid><description>An employee at CompliantSecure received a phishing email from emkei.cz, downloaded a malicious ISO containing BumbleBee loader 
23.dll, which established C2 to 3.68.97.124 and injected into ImagingDevices.exe, dumped LSASS credentials, laterally moved to DC01 via PsExec using markw credentials, staged AdFind and AnyDesk, created sql_admin backdoor account, moved to FileServer01 and Support01, exfiltrated archived share data, and deployed Conti ransomware dropping R3ADM3.txt ransom notes.</description></item><item><title>Splunk-GoldenSpray</title><link>https://hexpysya.github.io/blue_team/splunk-goldenspray/</link><pubDate>Fri, 10 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/splunk-goldenspray/</guid><description>An attacker from 77.91.78.115 brute-forced mwilliams credentials, connected via RDP, dropped OfficeUpdater.exe with registry persistence, staged Backup_Tools including mimikatz, dumped lsass to obtain jsmith credentials, laterally moved to ST-DC01 and ST-FS01, established scheduled task persistence on the DC, and archived client data for exfiltration.</description></item><item><title>ELK-Black Basta</title><link>https://hexpysya.github.io/blue_team/elk-black-basta/</link><pubDate>Thu, 09 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/elk-black-basta/</guid><description>A finance employee opened a malicious Excel macro from a drive-by download, which executed a VBS dropper, loaded WindowsUpdaterFX.dll via regsvr32, established persistence, dropped Pancake.jpg.exe as a C2 backdoor, performed internal reconnaissance, laterally moved to a domain controller via PsExec using compromised credentials, exfiltrated client data to MEGA via rclone, deleted shadow copies, and deployed BlackBasta ransomware.</description></item><item><title>ELK-Perfect Survey</title><link>https://hexpysya.github.io/blue_team/elk-perfect-survey/</link><pubDate>Wed, 08 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/elk-perfect-survey/</guid><description>An attacker conducted reconnaissance with Nmap and WPScan against a 
WordPress site, exploited CVE-2021-24762 in the Perfect Survey plugin via SQLi to extract wp_users password hashes, then pivoted into Active Directory by Kerberoasting alonso.x, creating a rogue computer account, abusing RBCD, and escalating to domain administrator via AD CS certificate abuse.</description></item><item><title>ELK-REvil - GOLD SOUTHFIELD</title><link>https://hexpysya.github.io/blue_team/elk-revil/</link><pubDate>Tue, 07 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/elk-revil/</guid><description>An administrator executed facebook assistant.exe on a Windows Server 2019 host, which dropped REvil ransomware (Sodinokibi), spawned a PowerShell process that deleted Volume Shadow Copies, and dropped ransom notes across multiple user profile directories.</description></item><item><title>Splunk-NerisBot</title><link>https://hexpysya.github.io/blue_team/splunk-nerisbot/</link><pubDate>Tue, 07 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/splunk-nerisbot/</guid><description>A victim host downloaded multiple malicious executables via HTTP, including Emotet, ransomware, and trojan payloads, detected through Suricata IDS alerts and confirmed malicious via VirusTotal.</description></item><item><title>Splunk-T1110-003</title><link>https://hexpysya.github.io/blue_team/splunk-t1110-003/</link><pubDate>Tue, 07 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/splunk-t1110-003/</guid><description>An attacker from 192.168.1.60 (Kali) conducted a 5-minute RDP password spraying attack against dev.cyberdefenders.org, generating 4302 failed logon attempts across multiple usernames, and successfully authenticated as administrator and five other accounts via RDP.</description></item><item><title>LD-Javascript Code Detected in Requested URL</title><link>https://hexpysya.github.io/blue_team/ld-javascript-code-detected-in-requested-url/</link><pubDate>Thu, 02 Apr 2026 00:00:00 
+0000</pubDate><guid>https://hexpysya.github.io/blue_team/ld-javascript-code-detected-in-requested-url/</guid><description>An external IP performed XSS reconnaissance against the /search/ endpoint, cycling through multiple injection payloads. All requests except the first returned HTTP 302, indicating server-side sanitization blocked execution. The attack did not succeed.</description></item><item><title>LD-LS Command Detected in Requested URL</title><link>https://hexpysya.github.io/blue_team/ld-ls-command-detected-in-requested-url/</link><pubDate>Thu, 02 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/ld-ls-command-detected-in-requested-url/</guid><description>Alert triggered on the string &amp;rsquo;ls&amp;rsquo; found in a legitimate search query parameter. The traffic originated from an internal IP to letsdefend.io and contains no malicious payload. False positive - rule lacks context awareness for partial string matches.</description></item><item><title>LD-Passwd Found in Requested URL - Possible LFI Attack</title><link>https://hexpysya.github.io/blue_team/ld-passwd-found-in-requested-url---possible-lfi-attack/</link><pubDate>Thu, 02 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/ld-passwd-found-in-requested-url---possible-lfi-attack/</guid><description>An external Tencent Cloud IP sent a single LFI request targeting /etc/passwd via path traversal. 
The server returned HTTP 500 with an empty response body, confirming the attack did not succeed.</description></item><item><title>LD-Possible IDOR Attack Detected</title><link>https://hexpysya.github.io/blue_team/ld-idor/</link><pubDate>Thu, 02 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/ld-idor/</guid><description>External IP enumerated the /get_user_info/ endpoint via sequential IDOR requests, all returning HTTP 200 - confirming successful data exfiltration across five user accounts.</description></item><item><title>LD-Whoami Command Detected in Request Body</title><link>https://hexpysya.github.io/blue_team/ld-whoami-command-detected-in-request-body/</link><pubDate>Thu, 02 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/ld-whoami-command-detected-in-request-body/</guid><description>An external attacker from a CHINANET-hosted IP (61.177.172.87) exploited a command injection vulnerability on WebServer1004, executing five OS commands via the ?c= parameter against /video/ - including cat /etc/passwd and cat /etc/shadow - all of which returned HTTP 200 with distinct response sizes, confirming successful remote code execution. 
The case was escalated to Tier 2.</description></item><item><title>CDEF-Qradar101</title><link>https://hexpysya.github.io/blue_team/cdef-qradar101/</link><pubDate>Wed, 01 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/cdef-qradar101/</guid><description>A user opened a malicious Word document that dropped FSETPBEUsIek.exe, which spawned a VBS script, injected into notepad.exe, established persistence via registry Run key, exfiltrated sami.xlsx to an attacker-controlled server, and triggered a Metasploit reverse shell detected by Suricata.</description></item><item><title>LD-Arbitrary File Read on Checkpoint Security Gateway (CVE-2024-24919)</title><link>https://hexpysya.github.io/blue_team/ld-arbitrary-file-read-on-checkpoint-security-gateway-cve-2024-24919/</link><pubDate>Tue, 31 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/ld-arbitrary-file-read-on-checkpoint-security-gateway-cve-2024-24919/</guid><description>An attacker exploited CVE-2024-24919 against a Check Point Security Gateway, successfully reading /etc/passwd via a path traversal payload. A second request targeting /etc/shadow from a related IP was blocked. The attack succeeded and the endpoint was escalated to Tier 2.</description></item><item><title>CDEF-Ramnit</title><link>https://hexpysya.github.io/investigations/cdef-ramnit/</link><pubDate>Mon, 30 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/cdef-ramnit/</guid><description>Memory forensics of a compromised Windows host revealed ChromeSetup.exe spawned under explorer.exe, establishing a C2 connection to a Hong Kong-based IP. 
The dumped binary was identified as the Ramnit worm - flagged by 68/72 VirusTotal vendors.</description></item><item><title>CDEF-HawkEye</title><link>https://hexpysya.github.io/investigations/cdef-hawkeye/</link><pubDate>Wed, 25 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/cdef-hawkeye/</guid><description>A victim host downloaded a HawkEye Keylogger dropper via HTTP, which established persistence, periodically checked the external IP via bot.whatismyipaddress.com, and exfiltrated harvested credentials every 10 minutes over SMTP.</description></item><item><title>HTB-Liberty</title><link>https://hexpysya.github.io/investigations/htb-liberty/</link><pubDate>Wed, 25 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-liberty/</guid><description>Password spraying led to domain account compromise, followed by NetNTLM hash theft via a malicious .url file, RDP access, data exfiltration to a C2 server, and PSWA backdoor installation for persistence.</description></item><item><title>LD-CVE-2025-53770 SharePoint ToolShell Auth Bypass and RCE</title><link>https://hexpysya.github.io/blue_team/ld-cve202553770-sharepoint-toolshell-auth-bypass-and-rce/</link><pubDate>Sun, 22 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/ld-cve202553770-sharepoint-toolshell-auth-bypass-and-rce/</guid><description>An attacker exploited CVE-2025-53770 against a SharePoint server, achieving unauthenticated RCE via .NET deserialization. 
The attacker extracted the MachineKey, compiled and dropped a payload, planted a webshell in the SharePoint layouts directory, and established a reverse connection to the attacker-controlled server.</description></item><item><title>LD-Possible SQL Injection Payload Detected</title><link>https://hexpysya.github.io/blue_team/ld-possible-sql-injection-payload-detected/</link><pubDate>Sun, 22 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/ld-possible-sql-injection-payload-detected/</guid><description>An external IP hosted on DigitalOcean performed manual SQL injection reconnaissance against an internal web server, cycling through classic SQLi payloads. All requests returned HTTP 500, confirming the attack did not succeed.</description></item><item><title>CDEF-Obfuscated</title><link>https://hexpysya.github.io/investigations/cdef-obfuscated/</link><pubDate>Wed, 18 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/cdef-obfuscated/</guid><description>A malicious Word document uses a password-protected AutoOpen macro to drop and execute a JS script, which decrypts an embedded blob into stage2.js. It is an implant that establishes persistence via a hidden scheduled task, collects system reconnaissance, and beacons to two compromised WordPress C2 servers, downloading and executing a next-stage .pif payload.</description></item><item><title>LD-Deceptive Mail Detected</title><link>https://hexpysya.github.io/blue_team/ld-phishing-alert/</link><pubDate>Tue, 17 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/ld-phishing-alert/</guid><description>A phishing email with a password-protected ZIP delivered AsyncRAT via a SILENTBUILDER dropper. 
The victim executed the payload, establishing an active C2 channel and triggering full host reconnaissance before containment.</description></item><item><title>LD-Malicious Attachment Detected</title><link>https://hexpysya.github.io/blue_team/ld-malicious-attachment-detected---phishing-alert/</link><pubDate>Mon, 16 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/ld-malicious-attachment-detected---phishing-alert/</guid><description>Investigation of a phishing email delivering a malicious Excel attachment exploiting CVE-2017-11882, leading to payload download and privilege escalation via JuicyPotato.</description></item><item><title>THM-Phishing Unfolding</title><link>https://hexpysya.github.io/blue_team/thm-phishing-unfolding/</link><pubDate>Mon, 16 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/thm-phishing-unfolding/</guid><description/></item><item><title>HTB-Lockpick3.0</title><link>https://hexpysya.github.io/investigations/htb-lockpick3.0/</link><pubDate>Sun, 15 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-lockpick3.0/</guid><description>An ELF64 ransomware binary uses XOR string obfuscation keyed on a CLI passphrase, contacts a DigitalOcean C2 to register and retrieve an AES-256-CBC key and IV, recursively encrypts target files in /share/, renaming them to .24bes, exfiltrates the originals via HTTP PUT, zeroes and removes the source files, and installs a systemd service for persistence.</description></item><item><title>LD-Suspicious PowerShell Script Executed</title><link>https://hexpysya.github.io/blue_team/ld-soc153---suspicious-powershell-script-executed/</link><pubDate>Sat, 14 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/ld-soc153---suspicious-powershell-script-executed/</guid><description>User Tony downloaded and executed a malicious PowerShell script (payload_1.ps1 / agent3.ps1) classified as trojan.powershell/boxter (Azorult 
family). The script bypassed the execution policy, then fetched and invoked a second-stage payload from kionagranada.com (161.22.46.148), establishing a two-stage C2 chain with a final pivot to 91.236.116.163.</description></item><item><title>CDEF-BlueSky Ransomware</title><link>https://hexpysya.github.io/investigations/cdef-bluesky-ransomware/</link><pubDate>Tue, 10 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/cdef-bluesky-ransomware/</guid><description>An attacker performed a port scan, exploited a Microsoft SQL Server via the sa account, enabled xp_cmdshell to drop and execute a base64-encoded payload, then deployed a multi-stage PowerShell toolkit to disable AV, dump NTLM hashes, perform lateral movement via SMB, and stage the BlueSky ransomware payload.</description></item><item><title>THM-Phishing</title><link>https://hexpysya.github.io/blue_team/thm-phishing/</link><pubDate>Tue, 10 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/thm-phishing/</guid><description>Three phishing campaigns were identified across four alerts: a legitimate HR onboarding email (false positive), a fake Amazon delivery notification whose bit.ly link was blocked by the firewall, and a Microsoft account spoofing email from m1crosoftsupport.co whose link was allowed through the firewall.</description></item><item><title>Wazuh + Suricata: injection detection</title><link>https://hexpysya.github.io/blue_team/wazuh-injection/</link><pubDate>Mon, 09 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/wazuh-injection/</guid><description>Detected a SQL Injection attack, observed 85 alerts across 6 rule IDs, and configured automated IP blocking via active response.</description></item><item><title>HTB-A Call from the Museum</title><link>https://hexpysya.github.io/investigations/htb-a-call-from-the-museum/</link><pubDate>Sat, 07 Mar 2026 00:00:00 
+0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-a-call-from-the-museum/</guid><description>A phishing email with a password-protected ZIP delivered an LNK file that executed an obfuscated PowerShell stager — collecting system fingerprint data, checking in to a C2, and fetching a next-stage implant using hardcoded credentials. A decoy PDF was opened simultaneously to distract the victim.</description></item><item><title>HTB-Telly</title><link>https://hexpysya.github.io/investigations/htb-telly/</link><pubDate>Fri, 06 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-telly/</guid><description>An attacker exploited CVE-2026-24061, an authentication bypass in GNU inetutils telnetd, to obtain an unauthenticated root shell, established persistence via linper.sh across multiple cron and systemd locations, and exfiltrated a credit card database before deleting it from the victim server.</description></item><item><title>CDEF-$tealer</title><link>https://hexpysya.github.io/investigations/cdef-tealer/</link><pubDate>Tue, 03 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/cdef-tealer/</guid><description>A Dridex loader DLL that dynamically resolves APIs via CRC32 hashing, uses int3/retn as an indirect call mechanism to evade analysis, decrypts embedded strings with RC4, and connects to four hardcoded C2 servers over HTTPS to download additional modules.</description></item><item><title>Wazuh + Suricata: Malware traffic</title><link>https://hexpysya.github.io/blue_team/wazuh+suricata-malware-traffic/</link><pubDate>Mon, 02 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/wazuh+suricata-malware-traffic/</guid><description>Replayed a malicious PCAP file containing Hancitor dropper traffic that deployed Cobalt Strike, Dridex, and Ficker Stealer. 
Analyzed 423 Suricata alerts in Wazuh, reconstructed the full infection chain, and mapped findings to MITRE ATT&amp;amp;CK.</description></item><item><title>CDEF-XWorm</title><link>https://hexpysya.github.io/investigations/cdef-xworm/</link><pubDate>Sun, 01 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/cdef-xworm/</guid><description>A .NET XWorm RAT that establishes triple persistence via scheduled task, startup shortcut, and registry Run key, implements keylogging, clipboard hijacking for crypto wallets, and communicates with multiple C2 servers over TCP using AES-ECB encrypted payloads.</description></item><item><title>HTB-SecretPictures</title><link>https://hexpysya.github.io/investigations/htb-secretpictures/</link><pubDate>Sat, 28 Feb 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-secretpictures/</guid><description>A Go-based backdoor that copies itself to a system directory, establishes persistence via a registry Run key, enumerates connected drives, and attempts to connect to a hardcoded C2 domain.</description></item><item><title>HTB-Subatomic</title><link>https://hexpysya.github.io/investigations/htb-subatomic/</link><pubDate>Sat, 28 Feb 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-subatomic/</guid><description>A fake therapy installer distributed as an NSIS self-extracting archive delivers an Electron-based Node.js infostealer that performs anti-VM checks, injects malicious code into Discord clients, and exfiltrates browser credentials, cookies, autofill data, and Discord tokens to a hardcoded C2.</description></item><item><title>HTB-oBfsC4t10n</title><link>https://hexpysya.github.io/investigations/htb-obfsc4t10n/</link><pubDate>Fri, 20 Feb 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-obfsc4t10n/</guid><description>A phishing HTML file masquerading as an invoice delivers a macro-enabled Excel workbook that drops and 
executes a multi-stage obfuscated HTA payload, ultimately injecting a reverse shell shellcode into rundll32.exe and establishing a C2 connection.</description></item><item><title>Wazuh: SSH Brute Force</title><link>https://hexpysya.github.io/blue_team/wazuh_ssh-brute-force/</link><pubDate>Fri, 20 Feb 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/wazuh_ssh-brute-force/</guid><description>Simulated an SSH brute force attack using Hydra, observed Wazuh detection across 7 rule IDs, identified a gap in default alerting (max level 10), wrote a custom rule to escalate severity to level 12, and configured automated IP blocking via active response.</description></item><item><title>HTB-WorkFromHome</title><link>https://hexpysya.github.io/investigations/htb-workfromhome/</link><pubDate>Mon, 16 Feb 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-workfromhome/</guid><description>A victim clicked a phishing link impersonating a corporate login page, leading to credential theft. 
The attacker used stolen credentials to gain RDP access, then escalated privileges via SeManageVolumeExploit, deployed malicious DLLs using certutil, and established persistence through a hidden VBS script in the Startup folder.</description></item><item><title>HTB-Lupin</title><link>https://hexpysya.github.io/investigations/htb-lupin/</link><pubDate>Sun, 08 Feb 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-lupin/</guid><description>Reverse engineering of the PHORPIEX dropper - analyzing clipboard hijacking, USB spreading, and UPnP NAT traversal techniques.</description></item><item><title>HTB-EasyMoney</title><link>https://hexpysya.github.io/investigations/htb-easymoney/</link><pubDate>Thu, 05 Feb 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-easymoney/</guid><description>An administrator executed a malicious shortcut that triggered a hidden PowerShell command, downloading and executing a payload and gaining shell access. The attacker enumerated installed software, identified a vulnerable Yandex Browser (CVE-2024-6473), and exploited DLL hijacking by planting a malicious library that acts as a dropper. 
This dropper deployed a Sliver C2 implant, establishing persistence via a scheduled task and maintaining communication.</description></item><item><title>HTB-SneakyKeys</title><link>https://hexpysya.github.io/investigations/htb-sneakykeys/</link><pubDate>Tue, 03 Feb 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-sneakykeys/</guid><description/></item><item><title>HTB-LuckyShot</title><link>https://hexpysya.github.io/investigations/htb-luckyshot/</link><pubDate>Mon, 02 Feb 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-luckyshot/</guid><description/></item><item><title>HTB-GhostTrace</title><link>https://hexpysya.github.io/investigations/htb-ghosttrace/</link><pubDate>Sat, 31 Jan 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-ghosttrace/</guid><description>Analyzed Windows Event Logs revealing a complete AD compromise chain: phishing email with macro-enabled document → credential dumping with Mimikatz → lateral movement via PsExec → DCSync attack → domain admin compromise → persistence via scheduled task, service, and registry run key.</description></item><item><title>HTB-Packet_Puzzle</title><link>https://hexpysya.github.io/investigations/htb-packet-_puzzle/</link><pubDate>Sat, 31 Jan 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-packet-_puzzle/</guid><description>Analyzed network traffic showing exploitation of CVE-2024-4577 (PHP-CGI argument injection) against a Windows server running PHP 8.1.25. 
The attacker achieved RCE, established a reverse shell on port 4545, then escalated privileges using GodPotato to spawn a SYSTEM-level shell on port 5555.</description></item><item><title>HTB-CrashDump</title><link>https://hexpysya.github.io/investigations/htb-crashdump/</link><pubDate>Fri, 30 Jan 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-crashdump/</guid><description>Analyzed two process dumps (notepad.exe and update.exe) revealing a Cobalt Strike Beacon infection. The malware used process injection with reflective DLL loading, communicated with a C2 server at &lt;code&gt;101.10.25.4:8023&lt;/code&gt;, and possessed capabilities for privilege escalation, token manipulation, and lateral movement via named pipes.</description></item><item><title>HTB-MongoBleed</title><link>https://hexpysya.github.io/investigations/htb-mongobleed/</link><pubDate>Fri, 30 Jan 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-mongobleed/</guid><description/></item><item><title>HTB-Wayback</title><link>https://hexpysya.github.io/investigations/htb-wayback/</link><pubDate>Thu, 29 Jan 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-wayback/</guid><description/></item><item><title>HTB-Bypass</title><link>https://hexpysya.github.io/investigations/htb-bypass/</link><pubDate>Wed, 28 Jan 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-bypass/</guid><description/></item><item><title>HTB-Cyberpsychosis</title><link>https://hexpysya.github.io/investigations/htb-cyberpsychosis/</link><pubDate>Wed, 28 Jan 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-cyberpsychosis/</guid><description/></item><item><title>HTB-Partial_Encryption</title><link>https://hexpysya.github.io/investigations/htb-partial_encryption/</link><pubDate>Mon, 26 Jan 2026 00:00:00 
+0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-partial_encryption/</guid><description/></item><item><title>HTB-RAuth</title><link>https://hexpysya.github.io/investigations/htb-rauth/</link><pubDate>Thu, 22 Jan 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-rauth/</guid><description/></item><item><title>HTB-Hubbub</title><link>https://hexpysya.github.io/investigations/htb-hubbub/</link><pubDate>Wed, 21 Jan 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-hubbub/</guid><description/></item><item><title>HTB-oBfsC4t10n2</title><link>https://hexpysya.github.io/investigations/htb-obfsc4t10n2/</link><pubDate>Tue, 20 Jan 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-obfsc4t10n2/</guid><description/></item><item><title>HTB-Conversor</title><link>https://hexpysya.github.io/investigations/htb-conversor/</link><pubDate>Mon, 19 Jan 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-conversor/</guid><description>Flask web application vulnerable to path traversal during file uploads. Exploited by uploading Python reverse shell to cron-executed directory → gained www-data shell → extracted MD5 hashes from SQLite database → cracked password for user fismathack → leveraged CVE-2024-48990 in needrestart 3.7 for privilege escalation to root.</description></item><item><title>PoshC2: Sharp_v4_x64.dll</title><link>https://hexpysya.github.io/investigations/poschc2-sharp_v4_x64.dll/</link><pubDate>Tue, 25 Nov 2025 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/poschc2-sharp_v4_x64.dll/</guid><description>A .NET DLL decodes architecture-specific shellcode from an embedded base64 string, allocates executable memory, and spawns a thread to execute it. 
The shellcode performs NTDLL unhooking, AMSI and ETW patching before executing an embedded PE payload identified as a PoshC2 dropper.</description></item><item><title>PoshC2: Dropper-cs.exe</title><link>https://hexpysya.github.io/investigations/dropper-cs.exe-analysis/</link><pubDate>Sun, 23 Nov 2025 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/dropper-cs.exe-analysis/</guid><description>C2 .NET implant. AES-encrypted config, HTTPS beacon to &lt;code&gt;192.168.248.128&lt;/code&gt;, fileless in-memory execution, anti-debug via divide-by-zero.</description></item><item><title>Metasploit: adobe_pdf_embedded_exe_nojs</title><link>https://hexpysya.github.io/investigations/metasploit-adobe_pdf_embedded_exe_nojs/</link><pubDate>Sat, 22 Nov 2025 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/metasploit-adobe_pdf_embedded_exe_nojs/</guid><description>A malicious PDF uses a Launch action to execute cmd.exe, which runs an inline VBScript that reads hex-encoded shellcode directly from the PDF body, writes it to disk as an executable, and launches a Metasploit reverse shell.</description></item><item><title>Metasploit: adobe-pdf-embedded-file</title><link>https://hexpysya.github.io/investigations/metasploit-adobe-pdf-embedded-file/</link><pubDate>Fri, 21 Nov 2025 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/metasploit-adobe-pdf-embedded-file/</guid><description>A malicious PDF exploits JavaScript and Launch actions to extract and execute an embedded PE payload, establishing a reverse shell connection to an attacker-controlled server.</description></item><item><title>Metasploit: office_word_hta</title><link>https://hexpysya.github.io/investigations/metasploit-office_word_hta/</link><pubDate>Fri, 21 Nov 2025 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/metasploit-office_word_hta/</guid><description>A malicious RTF document exploits CVE-2017-0199 via an embedded OLE2Link 
object to fetch and execute a remote HTA payload from an attacker-controlled server.</description></item></channel></rss>