c2 11
- No File, No Fixed C2: Inside NetCon, a WMI Backdoor That Reads Its Command Server Off the Blockchain
- Thirty days of finger commands: three ClickFix families, one TCP/79 delivery vector
- The Panel Behind the Prompt: OSINT into a Live Lunex Stealer Network
- Telegram Handles, Binary-Encoded PHP, and a Relay Shell: Inside a WordPress Webshell Compromise
- Fake captcha, five layers of RC4, and a Rust stealer with LSA session enumeration and AD recon
- The Node.js loader that locks its own strings to the folder it lives in
- The "SharePoint Helper" That Was Really a Localhost Backdoor
- The beacon that won't decrypt unless it beats AMSI: pulling apart a WMI-launched PowerShell loader
- Bring Your Own Node: a PowerShell stager, a blockchain dead-drop, and a RAT that runs on the real Node.js
- A signed OneDrive, a fake note-taking app, and a payload hiding in a PNG: one ClickFix chain, five stages deep
- A driver that wasn't a driver: dissecting a steganographic PowerShell beacon