
Karsten Hahn

@struppigel.bsky.social

295 Followers  |  25 Following  |  56 Posts  |  Joined: 29.11.2023

Latest posts by struppigel.bsky.social on Bluesky

YouTube video by MalwareAnalysisForHedgehogs: Malware Analysis - Trojanized NordVPN Setup, Beginner Sample

🦔 📹 Video: Analysis of malicious NordVPN setup
➡️ beginner-suitable
➡️ sorry, no spoilers here ;)

www.youtube.com/watch?v=5-OY...

#MalwareAnalysisForHedgehogs

26.10.2025 06:02 | 👍 1 | 🔁 0 | 💬 0 | 📌 0

I am looking for good resources for Linux malware analysis, including books and courses.
If you have any recommendations please let me know.

15.10.2025 15:33 | 👍 1 | 🔁 1 | 💬 0 | 📌 0

Thank you @threatresearch.bsky.social

06.10.2025 13:04 | 👍 0 | 🔁 0 | 💬 0 | 📌 0

My #VirusBulletin2025 loot 😍
I also met someone from vxunderground and all I got was this lousy sticker

30.09.2025 12:20 | 👍 2 | 🔁 0 | 💬 1 | 📌 0
Infected Steam game downloads malware disguised as patch A 2D platformer game called BlockBlasters has recently started showing signs of malicious activity after a patch release on August 30. While the user is playing the game, various bits of information a...

Steam game BlockBlasters downloads malware
written by Arvin Tan

#GDATATechblog @GDATA #GDATA
www.gdatasoftware.com/blog/2025/09...

22.09.2025 09:04 | 👍 0 | 🔁 0 | 💬 0 | 📌 0
AppSuite, OneStart & ManualFinder: The Nexus of Deception Having taken a look at AppSuite in one of our last articles, we have started pulling on a few loose threads to see where it would take us. It turns out that there are relationships with other maliciou...

My colleague Banu wrote about the connection between AppSuite, OneStart and ManualFinder

www.gdatasoftware.com/blog/2025/09...

17.09.2025 02:30 | 👍 2 | 🔁 1 | 💬 1 | 📌 0
Join the MalwareAnalysisForHedgehogs Discord server! Check out the MalwareAnalysisForHedgehogs community on Discord: hang out with 152 other members and enjoy free voice and text chat.

Invite link for our Discord expired, because I did not change the default limit.
Here is a new one, this time without limit

discord.gg/8xB38EedHT

10.09.2025 14:31 | 👍 0 | 🔁 0 | 💬 0 | 📌 0
YouTube video by MalwareAnalysisForHedgehogs: Malware Theory - What breakpoints to set for unpacking

🦔 📹 New video: What breakpoints to set for unpacking malware?
➡️ Steps of unpacking stub
➡️ Breakpoint targets
➡️ VirtualAlloc from user to kernel mode

#MalwareAnalysisForHedgehogs #Unpacking
www.youtube.com/watch?v=fn8r...

08.09.2025 07:12 | 👍 2 | 🔁 2 | 💬 0 | 📌 0

Thanks!

02.09.2025 06:55 | 👍 0 | 🔁 0 | 💬 0 | 📌 0
Join the MalwareAnalysisForHedgehogs Discord server! Check out the MalwareAnalysisForHedgehogs community on Discord: hang out with 3 other members and enjoy free voice and text chat.

In light of the new course, I created a Discord server for MalwareAnalysisForHedgehogs to discuss malware analysis related topics.

You can join here (this is for every malware enthusiast, not only course members): discord.gg/3evhC4cj

02.09.2025 06:55 | 👍 2 | 🔁 0 | 💬 1 | 📌 0
Malware Analysis - Intermediate Level Signature writing, deobfuscation, dynamic API resolving, syscalls, hooking, shellcode analysis and more

My intermediate level malware analysis course is there.
60% off for the next two weeks.

malwareanalysis-for-hedgehogs.learnworlds.com/course/inter...

01.09.2025 15:17 | 👍 9 | 🔁 6 | 💬 1 | 📌 0
Impostor Certificates It is common for malware to be signed with code signing certificates. How is this possible? Impostors receive the cert directly and sign malware. In this blog-post, we look at 100 certs used by Sol…

This blog post about impostor certificates by @SquiblydooBlog is a gem and very relevant right now.

Or: How threat actors impersonate companies to obtain authenticode certificates for signing their malware.
And why revocation is important.

squiblydoo.blog/2024/05/13/i...

31.08.2025 19:48 | 👍 4 | 🔁 1 | 💬 1 | 📌 0
Backdoor in "AppSuite PDF Editor": A Detailed Technical Analysis Some threat actors are bold enough to submit their own malware as false positive to antivirus companies and demand removal of the detection. This is exactly what happened with AppSuite PDF Editor.

Our technical deep-dive about the AppSuite PDF Editor backdoor is out 📝👇

www.gdatasoftware.com/blog/2025/08...
#GDATA #GDATATechblog #AppSuite

28.08.2025 17:08 | 👍 6 | 🔁 2 | 💬 0 | 📌 0

IDA, why are you doing this?

I lost my work because IDA refused to save. I needed to reboot the system to get network connection again. Without network there is no licensing server available.
Surely there must be a better way to not lose work?

27.08.2025 03:22 | 👍 3 | 🔁 1 | 💬 1 | 📌 0

These PDF editors are functional, but each contains a backdoor

➡️ https://virustotal.com/gui/file/fde67ba523b2c1e517d679ad4eaf87925c6bbf2f171b9212462dc9a855faa34b
bazaar.abuse.ch/sample/17355...

URLs
pdfreplace(dot)com
pdfmeta(dot)com
pdfartisan(dot)com
appsuites(dot)ai

#TamperedChef

20.08.2025 15:15 | 👍 8 | 🔁 3 | 💬 0 | 📌 1

Driver Reversing 101
eversinc33.com/posts/driver...

16.08.2025 06:24 | 👍 5 | 🔁 1 | 💬 0 | 📌 0

Comprehensive analysis of #HijackLoader
by Ryan Weil

www.trellix.com/blogs/resear...

15.08.2025 04:46 | 👍 3 | 🔁 0 | 💬 0 | 📌 0

Thank you

14.08.2025 04:12 | 👍 0 | 🔁 0 | 💬 0 | 📌 0
JustAskJacky: AI brings back real trojan horse malware Despite what some might make you believe, late Trojan Horses were a rare breed in the malware zoo. But thanks to AI and LLMs, they are back.

πŸ”New Blog: JustAskJacky -- AI brings back classical trojan horse malware

www.gdatasoftware.com/blog/2025/08...

#GDATA #GDATATechblog

14.08.2025 04:05 | 👍 3 | 🔁 1 | 💬 0 | 📌 0
YouTube video by MalwareAnalysisForHedgehogs: Analysis Verdicts: There is more than Clean and Malicious

🦔 📹 New Video: There is more than Clean and Malicious

➡️ 7 file analysis verdicts and what they mean

#MalwareAnalysisForHedgehogs #Verdicts
www.youtube.com/watch?v=XwT2...

09.08.2025 04:20 | 👍 5 | 🔁 3 | 💬 0 | 📌 1

The course will not be hosted on Udemy. I am very unhappy with it.

The Beginners' course will also be moved to the new platform.

04.08.2025 03:56 | 👍 3 | 🔁 0 | 💬 0 | 📌 0

Good news, the intermediate malware analysis course is almost finished.

I currently have a test student working through the course to get rid of mistakes that I do not notice.

04.08.2025 03:56 | 👍 6 | 🔁 1 | 💬 1 | 📌 0

Nikola Knežević created an overview of AsyncRAT forks and how they relate to each other. Great research.

#AsyncRAT #QuasarRAT
www.welivesecurity.com/en/eset-rese...

16.07.2025 05:24 | 👍 6 | 🔁 5 | 💬 0 | 📌 0
A side by side comparison of the original output by Ghidra, and the LLM enriched output.

Ghidra, scripting, LLM, automagic automation. That should grab the attention for this thread. If you want to read the complete blog, you can do so here: www.trellix.com/blogs/resear...
1/n

01.07.2025 12:35 | 👍 8 | 🔁 5 | 💬 1 | 📌 0
YouTube video by MalwareAnalysisForHedgehogs: Malware Analysis - Virut's file infection, part 3

🦔 📹 Virut Part III: File infection analysis and bait file creation

#MalwareAnalysisForHedgehogs #Virut
www.youtube.com/watch?v=FcXP...

05.07.2025 07:07 | 👍 3 | 🔁 1 | 💬 0 | 📌 0
2025-06-29 - Supper is served - Humpty's RE Blog Recommend song to listen to while reading: If you find something off with what I say, please let me know. I'll gladly amend my content and credit you for the fix. Some thanks in alphabetical order

Blog: "Supper is served"
Excellent analysis article of the backdoor Supper by @c-b.io

c-b.io/2025-06-29+-...

30.06.2025 08:17 | 👍 2 | 🔁 0 | 💬 0 | 📌 0

Regarding the last point:

A conclusion makes sense if you have something to add that wasn't there before.

But if you just repeat what you wrote before, it is very boring. In those instances it is better to not add it at all. A blog is not a thesis.

29.06.2025 06:35 | 👍 2 | 🔁 0 | 💬 0 | 📌 0

Tips for newcomers to malware blog articles:

➡️ You don't need to document every malware function. Focus on key areas
➡️ Your text must be factually correct and it is okay to skip those details you are unsure about
➡️ When you are done, just stop writing

29.06.2025 06:35 | 👍 5 | 🔁 1 | 💬 1 | 📌 0
Threat Actors abuse signed ConnectWise application as malware builder Since March 2025, there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples. We reveal how bad signing practices allow threat actors to abuse th...

A colleague and I wrote an article about EvilConwi -- signed ConnectWise remote access software being abused as malware
#GDATATechblog
www.gdatasoftware.com/blog/2025/06...

23.06.2025 09:57 | 👍 0 | 🔁 0 | 💬 0 | 📌 0
YouTube video by MalwareAnalysisForHedgehogs: Malware Analysis - Virut's NTDLL Hooking and Process Infection, Part 2

Virut part II: process infection and NTDLL hooking 🦔📹
➡️ x64dbg scripting
➡️ conditional breakpoints
➡️ more import table resolving
➡️ fixing control flow
➡️ marking up hook code

#MalwareAnalysisForHedgehogs #Virut
www.youtube.com/watch?v=nuxn...

30.05.2025 13:27 | 👍 3 | 🔁 3 | 💬 0 | 📌 0