<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Sandbox on bubka hacks stuff</title>
    <link>https://hexpysya.github.io/tags/sandbox/</link>
    <description>Recent content in Sandbox on bubka hacks stuff</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Sun, 01 Mar 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://hexpysya.github.io/tags/sandbox/index.xml" rel="self" type="application/rss+xml"/>
    <item>
      <title>CDEF-XWorm</title>
      <link>https://hexpysya.github.io/investigations/cdef-xworm/</link>
      <pubDate>Sun, 01 Mar 2026 00:00:00 +0000</pubDate>
      <guid>https://hexpysya.github.io/investigations/cdef-xworm/</guid>
      <description>A .NET XWorm RAT that establishes triple persistence via scheduled task, startup shortcut, and registry Run key, implements keylogging, clipboard hijacking for crypto wallets, and communicates with multiple C2 servers over TCP using AES-ECB encrypted payloads.</description>
    </item>
    <item>
      <title>HTB-SecretPictures</title>
      <link>https://hexpysya.github.io/investigations/htb-secretpictures/</link>
      <pubDate>Sat, 28 Feb 2026 00:00:00 +0000</pubDate>
      <guid>https://hexpysya.github.io/investigations/htb-secretpictures/</guid>
      <description>A Go-based backdoor that copies itself to a system directory, establishes persistence via a registry Run key, enumerates connected drives, and attempts to connect to a hardcoded C2 domain.</description>
    </item>
    <item>
      <title>HTB-oBfsC4t10n</title>
      <link>https://hexpysya.github.io/investigations/htb-obfsc4t10n/</link>
      <pubDate>Fri, 20 Feb 2026 00:00:00 +0000</pubDate>
      <guid>https://hexpysya.github.io/investigations/htb-obfsc4t10n/</guid>
      <description>A phishing HTML file masquerading as an invoice delivers a macro-enabled Excel workbook that drops and executes a multi-stage obfuscated HTA payload, ultimately injecting a reverse shell shellcode into rundll32.exe and establishing a C2 connection.</description>
    </item>
    <item>
      <title>Metasploit: adobe_pdf_embedded_exe_nojs</title>
      <link>https://hexpysya.github.io/investigations/metasploit-adobe_pdf_embedded_exe_nojs/</link>
      <pubDate>Sat, 22 Nov 2025 00:00:00 +0000</pubDate>
      <guid>https://hexpysya.github.io/investigations/metasploit-adobe_pdf_embedded_exe_nojs/</guid>
      <description>A malicious PDF uses a Launch action to execute cmd.exe, which runs an inline VBScript that reads hex-encoded shellcode directly from the PDF body, writes it to disk as an executable, and launches a Metasploit reverse shell.</description>
    </item>
    <item>
      <title>Metasploit: adobe-pdf-embedded-file</title>
      <link>https://hexpysya.github.io/investigations/metasploit-adobe-pdf-embedded-file/</link>
      <pubDate>Fri, 21 Nov 2025 00:00:00 +0000</pubDate>
      <guid>https://hexpysya.github.io/investigations/metasploit-adobe-pdf-embedded-file/</guid>
      <description>A malicious PDF exploits JavaScript and Launch actions to extract and execute an embedded PE payload, establishing a reverse shell connection to an attacker-controlled server.</description>
    </item>
  </channel>
</rss>