Karsten Hahn

@struppigel.bsky.social

311 Followers  |  26 Following  |  78 Posts  |  Joined: 29.11.2023  |  1.3327

Latest posts by struppigel.bsky.social on Bluesky

I created an extraction script for custom PyInstaller applications as seen in suspected EvilAI PDF apps.

Script (modified pyinstxtractor-ng): github.com/struppigel/h...

Article: samplepedia.cc/sample/8c9d9...

01.02.2026 12:23 — 👍 3    🔁 1    💬 0    📌 0
#Samplepedia updates

* you can upload images for articles
* view count for samples and articles
* expert difficulty available
samplepedia.cc

01.02.2026 05:48 — 👍 3    🔁 0    💬 0    📌 0
anyPDF decompilation - a highly evasive, fully undetected, signed PDF editor bundled with AdClicker Trojan and Spyware In this post, we will decrypt a highly evasive C# malicious sample that is fully undetected and inspect its source code using dnSpy.

anyPDF malware analysis report

rifteyy.org/report/anypd...

28.01.2026 04:44 — 👍 2    🔁 0    💬 0    📌 1

That's very useful, thank you!

27.01.2026 15:29 — 👍 1    🔁 0    💬 0    📌 0
Training Samples

Samples are in samplepedia.cc?tag=openxml

25.01.2026 07:31 — 👍 1    🔁 0    💬 0    📌 0
Malware Analysis - Malicious MS Office files without Macros
YouTube video by MalwareAnalysisForHedgehogs Malware Analysis - Malicious MS Office files without Macros

🦔 📹 New Video: Can office files be malicious without Macros?

➡️ VSTO Add-Ins
➡️ External Templates
➡️ Checklist for Office analysis
#MalwareAnalysisForHedgehogs
www.youtube.com/watch?v=RtHH...

25.01.2026 07:30 — 👍 6    🔁 4    💬 2    📌 1
If you like binary refinery, check out this sample
It's also mostly undetected yet on VT:
samplepedia.cc/sample/361f2...

23.01.2026 19:13 — 👍 4    🔁 1    💬 0    📌 1
Floxif File Infector with Control Flow Obfuscation Analysis (Stream - 06/01/2026)
YouTube video by Invoke RE Floxif File Infector with Control Flow Obfuscation Analysis (Stream - 06/01/2026)

@invokereversing.bsky.social is analyzing Floxif with binary ninja
👇
www.youtube.com/watch?v=2F_B...

16.01.2026 04:40 — 👍 3    🔁 2    💬 0    📌 0
Samplepedia update: Users can submit their own images with the samples and there is a platform field.

samplepedia.cc

08.01.2026 04:32 — 👍 2    🔁 0    💬 0    📌 0
I have created a website, where you can share your sample analysis (via links or posts) and search samples for training based on tags and difficulty.

If you write analysis blogs, you can share them there.
samplepedia.cc

04.01.2026 05:53 — 👍 14    🔁 7    💬 0    📌 1
hedgehog-tools/Python helper scripts/monitor_and_dump_changed_files.py at main · struppigel/hedgehog-tools Contribute to struppigel/hedgehog-tools development by creating an account on GitHub.

I added a python script to monitor a folder during dynamic analysis and dump changed files with timestamp

github.com/struppigel/h...

27.12.2025 09:08 — 👍 3    🔁 1    💬 0    📌 0
Malware Analysis - RenPy game, finding malware code in 2956 files, Beginner friendly
YouTube video by MalwareAnalysisForHedgehogs Malware Analysis - RenPy game, finding malware code in 2956 files, Beginner friendly

🦔 📹 New Video: RenPy game loads stealer, beginner friendly
➡️ strategies for finding malware in 2956 files
➡️ extracting and decompiling RenPy
➡️ remote access tool config extraction
➡️ unpacking native payload
#MalwareAnalysisForHedgehogs #RenPy
www.youtube.com/watch?v=Fmfg...

21.12.2025 13:02 — 👍 3    🔁 1    💬 0    📌 0
Browser Hijacking: Three Technique Studies If you are searching for technical information on how browser hijacking works, there does not seem to be much out there apart from generic removal instructions. This might be an educational gap we sho...

New blog: Browser Hijacking techniques -- when malware has different preferences than you

www.gdatasoftware.com/blog/2025/11...

#GDATA #GDATATechblog #BrowserHijacking

15.12.2025 06:52 — 👍 2    🔁 0    💬 0    📌 0
hedgehog-tools/RenPy at main · struppigel/hedgehog-tools Contribute to struppigel/hedgehog-tools development by creating an account on GitHub.

I added a RenPy archive (.rpa, .rpi) extractor to my tools repo

github.com/struppigel/h...

13.12.2025 05:47 — 👍 4    🔁 1    💬 0    📌 0
Arkanix: New Infostealer grabs Browser Data, Wifi Logins, Cryptowallets G DATA researcher Banu Ramakrishnan has discovered a previously undocumented infostealer malware called Arkanix. Learn about the details in the G DATA blog!

My colleague Banu wrote about a new infostealer Arkanix
www.gdatasoftware.com/blog/2025/12...

01.12.2025 16:13 — 👍 1    🔁 0    💬 0    📌 0

I am not sure. Probably part of his trainings.

30.11.2025 11:02 — 👍 0    🔁 0    💬 0    📌 0
Malware Analysis - Defeating ConfuserEx Anti-Analysis with Hooking
YouTube video by MalwareAnalysisForHedgehogs Malware Analysis - Defeating ConfuserEx Anti-Analysis with Hooking

🦔📹 New Video: Modifying string decrypter for a ConfuserEx2 variant
➡️ Defeating antis with Harmony hooks
➡️ AsmResolver
➡️ .NET string deobfuscation
#MalwareAnalysisForHedgehogs
www.youtube.com/watch?v=sARn...

30.11.2025 11:01 — 👍 3    🔁 1    💬 0    📌 0
Courses

Black Friday offers:
60% off for 2 malware analysis courses (beginner & intermediate)
Or 40% off for single course

malwareanalysis-for-hedgehogs.learnworlds.com/courses

28.11.2025 06:41 — 👍 2    🔁 1    💬 0    📌 0
SP25: Anti Tamper
YouTube video by mr_phrazer SP25: Anti Tamper

Lecture on Anti Tamper by Tim Blazytko www.youtube.com/watch?v=hQi9...

22.11.2025 07:00 — 👍 1    🔁 1    💬 1    📌 0
Rhadamanthys Loader Deobfuscation | cyber.wtf

Rhadamanthys loader deobfuscation
cyber.wtf/2025/11/19/r...

19.11.2025 12:14 — 👍 3    🔁 1    💬 0    📌 0
I am suggesting a new malware type: the browser remote access tool (BRAT)

It's a form of browser hijacker that remotely controls your browser based on server commands.

Typical form: press key combos for copy-pasting URLs, opening tabs, context menu, downloading files etc

17.11.2025 11:43 — 👍 3    🔁 1    💬 0    📌 0
For anyone who wants to understand certificates better and how to spot abuse,
this is a great read
certcentral.org/training

13.11.2025 15:12 — 👍 2    🔁 2    💬 0    📌 0
Malware Analysis - Trojanized NordVPN Setup, Beginner Sample
YouTube video by MalwareAnalysisForHedgehogs Malware Analysis - Trojanized NordVPN Setup, Beginner Sample

🦔 📹 Video: Analysis of malicious NordVPN setup
➡️ beginner-suitable
➡️ sorry, no spoilers here ;)

www.youtube.com/watch?v=5-OY...

#MalwareAnalysisForHedgehogs

26.10.2025 06:02 — 👍 1    🔁 0    💬 0    📌 0

I am looking for good resources for Linux malware analysis, including books and courses.
If you have any recommendations please let me know.

15.10.2025 15:33 — 👍 1    🔁 1    💬 0    📌 0

Thank you @threatresearch.bsky.social

06.10.2025 13:04 — 👍 0    🔁 0    💬 0    📌 0
My #VirusBulletin2025 loot 😍
I also met someone from vxunderground and all I got was this lousy sticker

30.09.2025 12:20 — 👍 3    🔁 0    💬 1    📌 0
Infected Steam game downloads malware disguised as patch A 2D platformer game called BlockBlasters has recently started showing signs of malicious activity after a patch release on August 30. While the user is playing the game, various bits of information a...

Steam game BlockBlasters downloads malware
written by Arvin Tan

#GDATATechblog @GDATA #GDATA
www.gdatasoftware.com/blog/2025/09...

22.09.2025 09:04 — 👍 0    🔁 0    💬 0    📌 0
AppSuite, OneStart & ManualFinder: The Nexus of Deception Having taken a look at AppSuite in one of our last articles, we have started pulling on a few loose threads to see where it would take us. It turns out that there are relationships with other maliciou...

My colleague Banu wrote about the connection between AppSuite, OneStart and ManualFinder

www.gdatasoftware.com/blog/2025/09...

17.09.2025 02:30 — 👍 2    🔁 1    💬 1    📌 0
Join the MalwareAnalysisForHedgehogs Discord server! Check out the MalwareAnalysisForHedgehogs community on Discord – hang out with 152 other members and enjoy free voice and text chats.

Invite link for our Discord expired, because I did not change the default limit.
Here is a new one, this time without limit

discord.gg/8xB38EedHT

10.09.2025 14:31 — 👍 0    🔁 0    💬 0    📌 0
Malware Theory - What breakpoints to set for unpacking
YouTube video by MalwareAnalysisForHedgehogs Malware Theory - What breakpoints to set for unpacking

🦔 📹 New video: What breakpoints to set for unpacking malware?
➡️ Steps of unpacking stub
➡️ Breakpoint targets
➡️ VirtualAlloc from user to kernel mode

#MalwareAnalysisForHedgehogs #Unpacking
www.youtube.com/watch?v=fn8r...

08.09.2025 07:12 — 👍 2    🔁 2    💬 0    📌 0