Archives
- 10 Jul No File, No Fixed C2: Inside NetCon, a WMI Backdoor That Reads Its Command Server Off the Blockchain
- 08 Jul Reading the ledger: how one Polygon smart contract exposed three ClickFix crews and 153 confirmed hacked websites
- 07 Jul feintnet: I got tired of FakeNet-NG not running on my ARM box, so I built my own
- 25 Jun Five layers deep for a stealer: reversing the "PuppetKing" ClickFix chain that ended in StealC
- 19 Jun Your RMM Has a Second Owner: Inside a Rogue ScreenConnect Credential Theft Campaign
- 17 Jun Thirty days of finger commands: three ClickFix families, one TCP/79 delivery vector
- 13 Jun The Panel Behind the Prompt: OSINT into a Live Lunex Stealer Network
- 12 Jun Telegram Handles, Binary-Encoded PHP, and a Relay Shell: Inside a WordPress Webshell Compromise
- 11 Jun They built a dictionary to hide their shellcode: the pishbini90ai ClickFix loader
- 11 Jun Fake captcha, five layers of RC4, and a Rust stealer with LSA session enumeration and AD recon
- 10 Jun The Node.js loader that locks its own strings to the folder it lives in
- 06 Jun A Fake "SystemHealth" Service, a Pyarmor Wall, and Three Ways to Get Paid
- 06 Jun The "SharePoint Helper" That Was Really a Localhost Backdoor
- 30 May The beacon that won't decrypt unless it beats AMSI: pulling apart a WMI-launched PowerShell loader
- 30 May Bring Your Own Node: a PowerShell stager, a blockchain dead-drop, and a RAT that runs on the real Node.js
- 30 May A signed OneDrive, a fake note-taking app, and a payload hiding in a PNG: one ClickFix chain, five stages deep
- 24 May Seven layers of obfuscation, one 1970s LOLBIN: pulling apart a ClickFix chain through finger.exe
- 24 May Twelve layers of obfuscation, one AMSI patch: pulling apart a ClickFix mshta loader
- 23 May A driver that wasn't a driver: dissecting a steganographic PowerShell beacon
- 23 May Welcome to BlueTeamCoolTeam