
2026

HTB-Telly

An attacker exploited CVE-2026-24061, an authentication bypass in GNU inetutils telnetd, to obtain an unauthenticated root shell, established persistence via linper.sh across multiple cron and systemd locations, and exfiltrated a credit card database before deleting it from the victim server.

HTB-EasyMoney

The Administrator executed a malicious shortcut that triggered a hidden PowerShell command, downloading and executing a payload and gaining shell access. The attacker enumerated installed software, identified a vulnerable Yandex Browser (CVE-2024-6473), and exploited DLL hijacking by planting a malicious library that acts as a dropper. This dropper deployed a Sliver C2 implant, establishing persistence via a scheduled task and maintaining communication