Karsten Hahn
@struppigel
MalwareAnalysisForHedgehogs, Principal Malware Researcher at GDATA, he/him 🦔🌈🏳️⚧️
My beginner's course for malware analysis is finally ready. 🎉🦔🦔🧫🧑🔬 Get access for free for the next 5 days by using the link below: udemy.com/course/windows…
Hey all! As promised, here's the in-depth analysis @JershMagersh from @InvokeReversing and I did of the malware strain that's been spreading through NPM in the last few days following a successful phish. We present to you: Scavenger. c-b.io/2025-07-20+-+I…
Nikola Knežević created an overview of AsyncRAT forks and how they relate to each other. Great research. #AsyncRAT #QuasarRAT welivesecurity.com/en/eset-resear…
Modern obfuscation techniques - a great weekend read. Master's thesis (by Roman Oravec) investigates various common obfuscation techniques and freely available implementations, focusing on the LLVM Pass Framework's potential for program obfuscation. Additionally, several…
ConnectWise is tackling the certificate abuse reddit.com/r/ScreenConnec…
🦔 📹 Virut Part III: File infection analysis and bait file creation #MalwareAnalysisForHedgehogs #Virut youtube.com/watch?v=FcXPSp…
We're excited to announce a major new release of x64dbg! The main new feature is support for bitfields, enums and anonymous types, which allows all types in the Windows SDK to be represented and displayed 🔥
My appreciation for the word "done" has evolved significantly over the decades. You can document an almost unlimited number of features in any particular sample, so you're better off writing to your audience. Of course, this assumes that you know your audience. Which you should.
Tips for newcomers to malware blog articles:
➡️ You don't need to document every malware function. Focus on key areas.
➡️ Your text must be factually correct, and it is okay to skip those details you are unsure about.
➡️ When you are done, just stop writing.
Blog: "Supper is served" Excellent analysis article of the backdoor Supper by @cyb3rjerry c-b.io/2025-06-29+-+S…
Reverse engineering Hanwha IoT security camera (WiseNet XNF-8010RW) brownfinesecurity.com/blog/hanwha-fi… #iot #infosec
The slides from our @reconmtl talk, "Breaking Mixed Boolean-Arithmetic Obfuscation in Real-World Applications" (CC @nicolodev), are now online! Slides: synthesis.to/presentations/… Plugin: github.com/mrphrazer/obfu…
While ConnectWise has moved their configuration from the certificate to separate files, it is not improving much. Threat actors ship signed ConnectWise installers in ZIP archives, with malicious configuration. The only advantage is that users can check the config more easily.
A colleague and I wrote an article about EvilConwi -- signed ConnectWise remote access software being abused as malware @GDATA #GDATATechblog gdatasoftware.com/blog/2025/06/3…
binary refinery fans, @huettenhain is live with @jstrosch: youtube.com/watch?v=HuLONk…
Short update on the next MA course: Yes, I am still working on it. I finished the content, now adding exercises and correcting errors.
While investigating a compromised network, we found suspicious PowerShell code that ran on a domain controller. The script downloaded a file called chrome_installer.exe and installed it. We checked the file and found it was signed by Google, so it’s a genuine Chrome installer.…