Windows

HTB-WorkFromHome

February 16, 2026

DFIR Log Analysis Windows DLL Hijacking CryptnetUrlCache Event Viewer ChromeHistoryView MFTExplorer RegistryExplorer PECmd

A victim clicked a phishing link impersonating a corporate login page, leading to credential theft. The attacker used stolen credentials to gain RDP access, then escalated privileges via SeManageVolumeExploit, deployed malicious DLLs using certutil, and established persistence through a hidden VBS script in the Startup folder.

HTB-Lupin

February 8, 2026

Malware Analysis Reverse Engineering Windows PE PHORPIEX Clipboard Hijacking Cryptocurrency Stealer USB Spreading UPnP Exploitation NAT Traversal MotW Bypass IDA

Reverse engineering PHORPIEX dropper - analyzing clipboard hijacking, USB spreading, and UPnP NAT traversal techniques.

HTB-EasyMoney

February 5, 2026

DFIR Log Analysis Windows CVE-2024-6473 DLL Hijacking Event Viewer MFTExplorer RegistryExplorer PECmd

Administrator executed a malicious shortcut that triggered a hidden PowerShell command, downloading and executing payload and gaining a shell access. The attacker enumerated installed software, identified a vulnerable Yandex Browser (CVE-2024-6473), and exploited DLL hijacking by planting a malicious library that acts as a dropper. This dropper deployed a Sliver C2 implant establishing persistence via a scheduled task and maintaining communication

HTB-SneakyKeys

February 3, 2026

Malware Analysis Network Analysis Reverse Engineering Windows PE ChaCha20 Wireshark IDA

HTB-Packet_Puzzle

January 31, 2026

SOC Network Analysis Windows CVE-2024-4577 T1190 Wireshark

Analyzed network traffic showing exploitation of CVE-2024-4577 (PHP-CGI argument injection) against a Windows server running PHP 8.1.25. Attacker achieved RCE, established reverse shell on port 4545, then escalated privileges using GodPotato to spawn a SYSTEM-level shell on port 5555.

HTB-GhostTrace

January 31, 2026

SOC Log Analysis Windows Active Directory Event Viewer Mimikatz PowerView

Analyzed Windows Event Logs revealing a complete AD compromise chain: phishing email with macro-enabled document → credential dumping with Mimikatz → lateral movement via PsExec → DCSync attack → domain admin compromise → persistence via scheduled task, service, and registry run key.

HTB-CrashDump

January 30, 2026

Malware Analysis Windows PE WinDBG Mini Dump Cobalt

Analyzed two process dumps (notepad.exe and update.exe) revealing a Cobalt Strike Beacon infection. The malware used process injection with reflective DLL loading, communicated with C2 server at 101.10.25.4:8023, and possessed capabilities for privilege escalation, token manipulation, and lateral movement via named pipes.

HTB-Bypass

January 28, 2026

Reverse Engineering Windows .NET Dnspy

HTB-Partial_Encryption

January 26, 2026

Reverse Engineering Windows PE Packer IDA X64dbg

PoshC2: Sharp_v4_x64.dll

November 25, 2025

Malware Analysis Reverse Engineering Shellcode Analysis PE DLL .NET Windows Dnspy IDA

A .NET DLL decodes architecture-specific shellcode from an embedded base64 string, allocates executable memory, and spawns a thread to execute it. The shellcode performs NTDLL unhooking, AMSI and ETW patching before executing an embedded PE payload identified as a PoshC2 dropper.

↑