2025

• 18 May Squeezing Cobalt Strike Threat Intelligence from Shodan
• 02 Jan Exploring VenomRAT Metadata and Encryption with YARA - #100DaysOfYara

2024

• 20 Jul Decompiling a JPHP Loader with binwalk and cfr
• 03 Mar Dissecting a Java Pikabot Dropper

2023

• 04 Aug Timelining a Malicious VHD for More Intelligence
• 23 Jul Malware via VHD Files, an Excellent Choice
• 14 Jul Faster Malware Triage with YARA
• 25 Feb NetSupport Manager RAT from a Malicious Installer
• 23 Jan BATLoader, Ursnif, and Redline, oh my!
• 07 Jan .NET Downloader Leading to OriginLogger

2022

• 22 Oct Malware Weight Loss the Fast Way with Foremost
• 15 Oct Bad Guys Hate This Trick for Malware Weight Loss!
• 07 Aug Analyzing .NET Core Single File Samples (DUCKTAIL Case Study)
• 13 May Analyzing a Pirrit adware installer
• 24 Apr Shortcut to Emotet, an odd TTP change
• 16 Apr Snip3 Crypter used with DCRat via VBScript
• 26 Mar An AgentTesla Sample Using VBA Macros and Certutil
• 25 Mar Formbook Distributed Via VBScript, PowerShell, and C# Code
• 04 Mar Aggah PPAM macros renaming MSHTA
• 12 Feb Analyzing a Stealer MSI using msitools
• 11 Feb XLoader/Formbook Distributed by Encrypted VelvetSweatshop Spreadsheets
• 06 Feb AgentTesla From RTF Exploitation to .NET Tradecraft
• 03 Feb njRAT Installed from a MSI
• 02 Feb STRRAT Attached to a MSI File
• 27 Jan GuLoader Executing Shellcode Using Callback Functions
• 23 Jan HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET
• 22 Jan BazarISO Analysis - Loading with Advpack.dll
• 18 Jan Extracting Payloads from Excel-DNA XLL Add-Ins
• 17 Jan Emotet's Excel 4.0 Macros Dropping DLLs
• 16 Jan Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike
• 09 Jan Inspecting a PowerShell Cobalt Strike Beacon
• 07 Jan Looking at PowerPoint Macros with Olevba
• 06 Jan Decoding an Encoded Webshell Using NodeJS
• 05 Jan Adventures in YARA Hashing and Entropy
• 04 Jan Extracting Indicators from a Packed Mirai Sample
• 03 Jan A Tale of Two Dropper Scripts for Agent Tesla
• 02 Jan Analyzing a Magnitude EK Appx Package Dropping Magniber
• 01 Jan Analyzing an IcedID Loader Document

2021

• 12 Dec Analyzing a Log4Shell log4j Exploit from Muhstik
• 05 Sep Smarter, Not Harder: Getting Malware to Help You Analyze It
• 02 Sep Getting PE Rich Header Hashes with pefile in Python
• 10 Jul Extracting Malicious Payloads from SFX Self-Extracting Installers
• 08 Feb Analyzing an Empire macOS PKG Stager
• 01 Feb How Qbot Uses Esentutl

2020

• 06 Feb Linux EDR Evasion With Meterpreter and LD_PRELOAD
• 13 Jan Exploiting Yum and DNF Plugins for Persistence
• 09 Jan When Local Password Resets Aren't Local

2019

• 29 Aug Whitelisting LD_PRELOAD for Fun and No Profit
• 28 Aug Adding Process Hiding to Merlin
• 18 Jan Making Meterpreter Look Google Signed

2018

• 26 Aug My SANS DFIR NetWars Experience