bubka hacks stuff

CDEF-EtherRAT

Thu, 16 Apr 2026 00:00:00 +0000

An attacker breached Maromalix’s public-facing web application by exploiting CVE-2025-55182 (Next.js Deserialization RCE). They deployed a multi-stage implant dubbed EtherRAT, which utilizes a blockchain-based C2 mechanism via Ethereum smart contracts to dynamically resolve infrastructure. The attacker exfiltrated sensitive data, established multiple persistence mechanisms, and ultimately patched the vulnerability to lock out other actors.

CDEF-FakeGPT

Tue, 14 Apr 2026 00:00:00 +0000

A malicious Chrome extension masquerading as ChatGPT uses anti analysis checks, hooks Facebook login forms, and acts as a keylogger, exfiltrating AES encrypted data via pixel tracking.

CDEF-Lockdown

Tue, 14 Apr 2026 00:00:00 +0000

An attacker performed SYN port scanning against an IIS server, enumerated open SMB shares, uploaded a webshell to the Documents share, triggered a reverse shell on port 4443, and established persistence via AgentTesla dropped into the Startup folder, which exfiltrated data via SMTP to cp8nl.hyperhost.ua.

CDEF-Ramnit

Mon, 30 Mar 2026 00:00:00 +0000

Memory forensics of a compromised Windows host revealed ChromeSetup.exe spawned under explorer.exe, establishing a C2 connection to a Hong Kong-based IP. The dumped binary was identified as the Ramnit worm - flagged by 68/72 VirusTotal vendors.

CDEF-HawkEye

Wed, 25 Mar 2026 00:00:00 +0000

A victim host downloaded a HawkEye Keylogger dropper via HTTP, which established persistence, periodically checked the external IP via bot.whatismyipaddress.com, and exfiltrated harvested credentials every 10 minutes over SMTP.

HTB-Liberty

Wed, 25 Mar 2026 00:00:00 +0000

Password spraying led to domain account compromise, followed by NetNTLM hash theft via a malicious .url file, RDP access, data exfiltration to a C2 server, and PSWA backdoor installation for persistence.

CDEF-Obfuscated

Wed, 18 Mar 2026 00:00:00 +0000

A malicious Word document uses a password-protected AutoOpen macro to drop and execute js script, which decrypts an embedded blob into stage2.js. It is a implant that establishes persistence via a hidden scheduled task, collects system reconnaissance, and beacons to two compromised WordPress C2 servers, downloading and executing a next-stage .pif payload

HTB-Lockpick3.0

Sun, 15 Mar 2026 00:00:00 +0000

A ELF64 ransomware binary uses XOR string obfuscation keyed on a CLI passphrase, contacts a DigitalOcean C2 to register and retrieve an AES-256-CBC key and IV, recursively encrypts target files in /share/ renaming them to .24bes, exfiltrates the originals via HTTP PUT, zeroes and removes the source files, and installs a systemd service for persistence.

CDEF-BlueSky Ransomware

Tue, 10 Mar 2026 00:00:00 +0000

An attacker performed a port scan, exploited a Microsoft SQL Server via the sa account, enabled xp_cmdshell to drop and execute a base64-encoded payload, then deployed a multi-stage PowerShell toolkit to disable AV, dump NTLM hashes, perform lateral movement via SMB, and stage the BlueSky ransomware payload.

HTB-A Call from the Museum

Sat, 07 Mar 2026 00:00:00 +0000

A phishing email with a password-protected ZIP delivered an LNK file that executed an obfuscated PowerShell stager — collecting system fingerprint data, checking in to a C2, and fetching a next-stage implant using hardcoded credentials. A decoy PDF was opened simultaneously to distract the victim.

HTB-Telly

Fri, 06 Mar 2026 00:00:00 +0000

An attacker exploited CVE-2026-24061, an authentication bypass in GNU inetutils telnetd, to obtain an unauthenticated root shell, established persistence via linper.sh across multiple cron and systemd locations, and exfiltrated a credit card database before deleting it from the victim server.

CDEF-$tealer

Tue, 03 Mar 2026 00:00:00 +0000

A Dridex loader DLL that dynamically resolves APIs via CRC32 hashing, uses int3/retn as an indirect call mechanism to evade analysis, decrypts embedded strings with RC4, and connects to four hardcoded C2 servers over HTTPS to download additional modules.

CDEF-XWorm

Sun, 01 Mar 2026 00:00:00 +0000

A .NET XWorm RAT that establishes triple persistence via scheduled task, startup shortcut, and registry Run key, implements keylogging, clipboard hijacking for crypto wallets, and communicates with multiple C2 servers over TCP using AES-ECB encrypted payloads.

HTB-SecretPictures

Sat, 28 Feb 2026 00:00:00 +0000

A Go-based backdoor that copies itself to a system directory, establishes persistence via a registry Run key, enumerates connected drives, and attempts to connect to a hardcoded C2 domain.

HTB-Subatomic

Sat, 28 Feb 2026 00:00:00 +0000

A fake therapy installer distributed as an NSIS self-extracting archive delivers an Electron-based Node.js infostealer that performs anti-VM checks, injects malicious code into Discord clients, and exfiltrates browser credentials, cookies, autofill data, and Discord tokens to a hardcoded C2.

HTB-oBfsC4t10n

Fri, 20 Feb 2026 00:00:00 +0000

A phishing HTML file masquerading as an invoice delivers a macro-enabled Excel workbook that drops and executes a multi-stage obfuscated HTA payload, ultimately injecting a reverse shell shellcode into rundll32.exe and establishing a C2 connection.

HTB-WorkFromHome

Mon, 16 Feb 2026 00:00:00 +0000

A victim clicked a phishing link impersonating a corporate login page, leading to credential theft. The attacker used stolen credentials to gain RDP access, then escalated privileges via SeManageVolumeExploit, deployed malicious DLLs using certutil, and established persistence through a hidden VBS script in the Startup folder.

HTB-Lupin

Sun, 08 Feb 2026 00:00:00 +0000

Reverse engineering PHORPIEX dropper - analyzing clipboard hijacking, USB spreading, and UPnP NAT traversal techniques.

HTB-EasyMoney

Thu, 05 Feb 2026 00:00:00 +0000

Administrator executed a malicious shortcut that triggered a hidden PowerShell command, downloading and executing payload and gaining a shell access. The attacker enumerated installed software, identified a vulnerable Yandex Browser (CVE-2024-6473), and exploited DLL hijacking by planting a malicious library that acts as a dropper. This dropper deployed a Sliver C2 implant establishing persistence via a scheduled task and maintaining communication

HTB-SneakyKeys

Tue, 03 Feb 2026 00:00:00 +0000

HTB-LuckyShot

Mon, 02 Feb 2026 00:00:00 +0000

HTB-GhostTrace

Sat, 31 Jan 2026 00:00:00 +0000

Analyzed Windows Event Logs revealing a complete AD compromise chain: phishing email with macro-enabled document → credential dumping with Mimikatz → lateral movement via PsExec → DCSync attack → domain admin compromise → persistence via scheduled task, service, and registry run key.

HTB-Packet_Puzzle

Sat, 31 Jan 2026 00:00:00 +0000

Analyzed network traffic showing exploitation of CVE-2024-4577 (PHP-CGI argument injection) against a Windows server running PHP 8.1.25. Attacker achieved RCE, established reverse shell on port 4545, then escalated privileges using GodPotato to spawn a SYSTEM-level shell on port 5555.

HTB-CrashDump

Fri, 30 Jan 2026 00:00:00 +0000

Analyzed two process dumps (notepad.exe and update.exe) revealing a Cobalt Strike Beacon infection. The malware used process injection with reflective DLL loading, communicated with C2 server at 101.10.25.4:8023, and possessed capabilities for privilege escalation, token manipulation, and lateral movement via named pipes.

HTB-MangoBleed

Fri, 30 Jan 2026 00:00:00 +0000

HTB-Wayback

Thu, 29 Jan 2026 00:00:00 +0000

HTB-Bypass

Wed, 28 Jan 2026 00:00:00 +0000

HTB-Cyberpsychosis

Wed, 28 Jan 2026 00:00:00 +0000

HTB-Partial_Encryption

Mon, 26 Jan 2026 00:00:00 +0000

HTB-RAuth

Thu, 22 Jan 2026 00:00:00 +0000

HTB-Hubbub

Wed, 21 Jan 2026 00:00:00 +0000

HTB-oBfsC4t10n2

Tue, 20 Jan 2026 00:00:00 +0000

HTB-Conversor

Mon, 19 Jan 2026 00:00:00 +0000

Flask web application vulnerable to path traversal during file uploads. Exploited by uploading Python reverse shell to cron-executed directory → gained www-data shell → extracted MD5 hashes from SQLite database → cracked password for user fismathack → leveraged CVE-2024-48990 in needrestart 3.7 for privilege escalation to root.

PoshC2: Sharp_v4_x64.dll

Tue, 25 Nov 2025 00:00:00 +0000

A .NET DLL decodes architecture-specific shellcode from an embedded base64 string, allocates executable memory, and spawns a thread to execute it. The shellcode performs NTDLL unhooking, AMSI and ETW patching before executing an embedded PE payload identified as a PoshC2 dropper.

PoshC2: Dropper-cs.exe

Sun, 23 Nov 2025 00:00:00 +0000

C2 .NET implant. AES-encrypted config, HTTPS beacon to 192.168.248.128, fileless in-memory execution, anti-debug via divide-by-zero.

Metasploit: adobe_pdf_embedded_exe_nojs

Sat, 22 Nov 2025 00:00:00 +0000

A malicious PDF uses a Launch action to execute cmd.exe, which runs an inline VBScript that reads hex-encoded shellcode directly from the PDF body, writes it to disk as an executable, and launches a Metasploit reverse shell.

Metasploit: adobe-pdf-embedded-file

Fri, 21 Nov 2025 00:00:00 +0000

A malicious PDF exploits JavaScript and Launch actions to extract and execute an embedded PE payload, establishing a reverse shell connection to an attacker-controlled server.

Metasploit: office_word_hta

Fri, 21 Nov 2025 00:00:00 +0000

A malicious RTF document exploits CVE-2017-0199 via an embedded OLE2Link object to fetch and execute a remote HTA payload from an attacker-controlled server.