A .NET C2 implant with an AES-encrypted config, an HTTPS beacon to 192.168.248.128, fileless in-memory execution, and anti-debugging via divide-by-zero.
A malicious PDF uses a Launch action to execute cmd.exe, which runs an inline VBScript that reads hex-encoded shellcode directly from the PDF body, writes it to disk as an executable, and launches a Metasploit reverse shell.
A malicious RTF document exploits CVE-2017-0199 via an embedded OLE2Link object to fetch and execute a remote HTA payload from an attacker-controlled server.
A malicious PDF exploits JavaScript and Launch actions to extract and execute an embedded PE payload, establishing a reverse shell connection to an attacker-controlled server.