<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>LNK on bubka hacks stuff</title><link>https://hexpysya.github.io/tags/lnk/</link><description>Recent content in LNK on bubka hacks stuff</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Mon, 13 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://hexpysya.github.io/tags/lnk/index.xml" rel="self" type="application/rss+xml"/><item><title>ELK-BumbleBee - GOLD CABIN</title><link>https://hexpysya.github.io/blue_team/elk-bumblebee---gold-cabin/</link><pubDate>Mon, 13 Apr 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/elk-bumblebee---gold-cabin/</guid><description>An employee at CompliantSecure received a phishing email from emkei.cz and downloaded a malicious ISO containing the BumbleBee loader 23.dll, which established C2 to 3.68.97.124 and injected into ImagingDevices.exe. The attacker then dumped LSASS credentials, moved laterally to DC01 via PsExec using markw credentials, staged AdFind and AnyDesk, created the sql_admin backdoor account, moved to FileServer01 and Support01, exfiltrated archived share data, and deployed Conti ransomware, dropping R3ADM3.txt ransom notes.</description></item><item><title>HTB-Liberty</title><link>https://hexpysya.github.io/investigations/htb-liberty/</link><pubDate>Wed, 25 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-liberty/</guid><description>Password spraying led to domain account compromise, followed by NetNTLM hash theft via a malicious .url file, RDP access, data exfiltration to a C2 server, and PSWA backdoor installation for persistence.</description></item><item><title>THM-Phishing Unfolding</title><link>https://hexpysya.github.io/blue_team/thm-phishing-unfolding/</link><pubDate>Mon, 16 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/blue_team/thm-phishing-unfolding/</guid><description/></item><item><title>HTB-A Call from the Museum</title><link>https://hexpysya.github.io/investigations/htb-a-call-from-the-museum/</link><pubDate>Sat, 07 Mar 2026 00:00:00 +0000</pubDate><guid>https://hexpysya.github.io/investigations/htb-a-call-from-the-museum/</guid><description>A phishing email with a password-protected ZIP delivered an LNK file that executed an obfuscated PowerShell stager — collecting system fingerprint data, checking in to a C2, and fetching a next-stage implant using hardcoded credentials. A decoy PDF was opened simultaneously to distract the victim.</description></item></channel></rss>