PE on bubka hacks stuff

CDEF-$tealer

Tue, 03 Mar 2026 00:00:00 +0000

A Dridex loader DLL that dynamically resolves APIs via CRC32 hashing, uses int3/retn as an indirect call mechanism to evade analysis, decrypts embedded strings with RC4, and connects to four hardcoded C2 servers over HTTPS to download additional modules.

CDEF-XWorm

Sun, 01 Mar 2026 00:00:00 +0000

A .NET XWorm RAT that establishes triple persistence via scheduled task, startup shortcut, and registry Run key, implements keylogging, clipboard hijacking for crypto wallets, and communicates with multiple C2 servers over TCP using AES-ECB encrypted payloads.

HTB-SecretPictures

Sat, 28 Feb 2026 00:00:00 +0000

A Go-based backdoor that copies itself to a system directory, establishes persistence via a registry Run key, enumerates connected drives, and attempts to connect to a hardcoded C2 domain.

HTB-Subatomic

Sat, 28 Feb 2026 00:00:00 +0000

A fake therapy installer distributed as an NSIS self-extracting archive delivers an Electron-based Node.js infostealer that performs anti-VM checks, injects malicious code into Discord clients, and exfiltrates browser credentials, cookies, autofill data, and Discord tokens to a hardcoded C2.

HTB-Lupin

Sun, 08 Feb 2026 00:00:00 +0000

Reverse engineering PHORPIEX dropper - analyzing clipboard hijacking, USB spreading, and UPnP NAT traversal techniques.

HTB-SneakyKeys

Tue, 03 Feb 2026 00:00:00 +0000

HTB-CrashDump

Fri, 30 Jan 2026 00:00:00 +0000

Analyzed two process dumps (notepad.exe and update.exe) revealing a Cobalt Strike Beacon infection. The malware used process injection with reflective DLL loading, communicated with C2 server at 101.10.25.4:8023, and possessed capabilities for privilege escalation, token manipulation, and lateral movement via named pipes.

HTB-Partial_Encryption

Mon, 26 Jan 2026 00:00:00 +0000

PoshC2: Sharp_v4_x64.dll

Tue, 25 Nov 2025 00:00:00 +0000

A .NET DLL decodes architecture-specific shellcode from an embedded base64 string, allocates executable memory, and spawns a thread to execute it. The shellcode performs NTDLL unhooking, AMSI and ETW patching before executing an embedded PE payload identified as a PoshC2 dropper.

PoshC2: Dropper-cs.exe

Sun, 23 Nov 2025 00:00:00 +0000

C2 .NET implant. AES-encrypted config, HTTPS beacon to 192.168.248.128, fileless in-memory execution, anti-debug via divide-by-zero.

Metasploit: adobe_pdf_embedded_exe_nojs

Sat, 22 Nov 2025 00:00:00 +0000

A malicious PDF uses a Launch action to execute cmd.exe, which runs an inline VBScript that reads hex-encoded shellcode directly from the PDF body, writes it to disk as an executable, and launches a Metasploit reverse shell.

Metasploit: adobe-pdf-embedded-file

Fri, 21 Nov 2025 00:00:00 +0000

A malicious PDF exploits JavaScript and Launch actions to extract and execute an embedded PE payload, establishing a reverse shell connection to an attacker-controlled server.