hasherezade.bsky.social
@hasherezade.bsky.social
Programmer, #malware analyst. Author of #PEbear, #PEsieve, #TinyTracer. Private account. All opinions expressed here are mine only (not of my employer etc.); https://hasherezade.net
Reposted
Heeey, ncurses/terminfo has a small virtual machine! And if there's a VM, there are CTF challenges :)
hackarcana.com/public-exerc...
hackarcana.com/public-exerc...
(third one coming next week, will be a bit harder)
November 1, 2025 at 4:15 PM
Reposted
The 13th annual @volatility #PluginContest is OPEN for submissions until 31 Dec 2025!

This contest is designed to encourage research & development in the field of #memoryanalysis. Every year, contributions from all around the world continue to help build the next generation of #memoryforensics.
The 13th Annual Volatility Plugin Contest is Open!
We are excited to announce that the Volatility Plugin Contest is officially open for submissions! The annual Plugin Contest is your opportunity to: Directly contribute to the open source forensics …
volatilityfoundation.org
October 29, 2025 at 3:37 PM
Reposted
- iOS 26 change deletes clues of old spyware infections
- Starlink disables 2.5k scam compound terminals
- Caribbean hospital still down 5 months after ransomware attack
- Poland charges officials in Pegasus scandal

Newsletter: news.risky.biz/risky-bullet...
Podcast: risky.biz/RBNEWS495/
October 24, 2025 at 7:18 AM
Reposted
Today I'm launching my new app, Hacktivate. It teaches real-world computer science skills through 240 "capture the flag" challenges, and works on iPhone, iPad, and Mac with one purchase. I've poured a ton of love into it, and I'd love to hear what you think 🙌 apps.apple.com/gb/app/hackt...
Hacktivate: Capture the Flag
Crack codes. Break firewalls. Conquer the map. Hacktivate is the ultimate cybersecurity challenge: a world map of 240 missions where every puzzle is built on real cybersecurity techniques hackers us...
apps.apple.com
October 22, 2025 at 1:20 PM
Reposted
I used PE-bear for the first time to dump an embedded binary. Its intuitive UI made extraction effortless. Because malware often embeds payloads with the form A in B to evade detection, pulling out the inner binary was crucial for deeper analysis and IoC hunting.
October 19, 2025 at 8:45 AM
Finally done with #FlareOn12. What a ride! I am looking forward to reading other people’s solutions, especially of those who did the 9th task quickly.
October 11, 2025 at 4:26 PM
Reposted
#FTSCon Speaker Spotlight: Aleksandra Doniec (@hasherezade.bsky.social) is presenting “Uncovering Malware's Secrets with TinyTracer” in the MAKER track.

See the full list of speakers + event info, including how to register, here: volatilityfoundation.org/from-the-sou...
September 18, 2025 at 6:10 PM
Reposted
My intermediate-level malware analysis course is there.
60% off for the next two weeks.

malwareanalysis-for-hedgehogs.learnworlds.com/course/inter...
Malware Analysis - Intermediate Level
Signature writing, deobfuscation, dynamic API resolving, syscalls, hooking, shellcode analysis and more
malwareanalysis-for-hedgehogs.learnworlds.com
September 1, 2025 at 3:17 PM
Reposted
Beyond good ol’ Run key, Part 148

www.hexacorn.com/blog/2025/07...
July 5, 2025 at 11:44 PM
New #TinyTracer (v3.0) is out - with many cool features: github.com/hasherezade/... - check them out!
June 6, 2025 at 7:11 PM
Reposted
1. Pause thread midway in exploit races (even ⓪).
2. Or block entire CPU core. Kernel APCs run at APC_LEVEL (🤯), so thread scheduling kinda disabled (think priority == ∞).
3. Or build upon @hasherezade.bsky.social work & generalize #WaitingThreadHijacking — making it, in fact, Waitless.
May 6, 2025 at 10:06 PM
Reposted
Heard of #ContextJail?
It's a nasty new technique: puts target thread into ⓪ deadloop, for as long as you can afford. Requires THREAD_GET_CONTEXT right.

The gist? Just spam NtGetContextThread(tgt).😸
Target will be jailed, running nt!PspGetSetContextSpecialApc 🔁.

Src & binary in [ALT].

Usecases: ⤵️
May 6, 2025 at 10:06 PM
My new blog for CPR: introducing Waiting Thread Hijacking - a remote process injection technique targeting waiting threads: research.checkpoint.com/2025/waiting... #ProcessInjection
Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking - Check Point Research
Research by: hasherezade Key Points Introduction Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purpose...
research.checkpoint.com
April 14, 2025 at 6:17 PM
Reposted
Zscaler has published a technical report on HijackLoader (IDAT Loader, GhostPulse) and its recent changes, such as its new call stack spoofing module, anti-VM module, and support for scheduled task persistence

www.zscaler.com/blogs/securi...
New HijackLoader Evasion Tactics | ThreatLabz
Learn how HijackLoader has introduced call stack spoofing and new modules to improve its evasion and anti-analysis capabilities.
www.zscaler.com
April 1, 2025 at 10:31 AM
Reposted
Abolish April Fool’s day. Society has moved past the need for April Fool’s day
April 1, 2025 at 2:36 AM
Reposted
KELA has published a profile on Rey and Pryx, the two main individuals behind the Hellcat hacking group, responsible for several breaches over the past months, such as Schneider Electric, Telefónica, and Orange Romania.

www.kelacyber.com/blog/hellcat...
Hellcat Hacking Group Unmasked: Investigating Rey and Pryx | KELA Cyber
KELA’s latest research uncovers key insights into two key threat actors of Hellcat Group, Pryx and Rey. Read more.
www.kelacyber.com
March 27, 2025 at 1:13 PM
Reposted
We all knew this day would arrive when the DNA samples you willingly provided 23andMe would be up for sale. Company now says it's seeking a buyer as it files for bankruptcy. 23andMe says any buyer will have to adhere to privacy laws for customer DNA/data they acquire. people.com/23andme-file...
23andMe Files for Bankruptcy as CEO Anne Wojcicki Resigns — What Will Happen to Your DNA Data?
Genetics company 23andMe has filed for bankruptcy and its CEO is stepping down, leaving many users concerned about the future of their data.
people.com
March 24, 2025 at 4:58 PM
Reposted
Someone has done an excellent job collecting RATs and documenting them by version. They also included images.

A+ work. This is amazing (we're going to ingest this eventually)

github.com/Cryakl/Ultim...
GitHub - Cryakl/Ultimate-RAT-Collection: For educational purposes only, exhaustive samples of 450+ classic/modern trojan builders including screenshots.
For educational purposes only, exhaustive samples of 450+ classic/modern trojan builders including screenshots. - Cryakl/Ultimate-RAT-Collection
github.com
March 22, 2025 at 5:25 PM
A small demo/tutorial on unpacking executables with #PEsieve and #TinyTracer: hshrzd.wordpress.com/2025/03/22/u...
- automatic OEP finding, reconstructing IAT, avoiding antidebugs and fixing imports broken by shims
Tutorial: unpacking executables with TinyTracer + PE-sieve
In this short blog I would like to demonstrate to you how to unpack an executable with PE-sieve and Tiny Tracer. As an example, let’s use the executable that was packed with a modified UPX: 8f66…
hshrzd.wordpress.com
March 22, 2025 at 8:53 PM
Reposted
Would you look at that, it's tmp.0ut Volume 4! Happy Friday, hope you enjoy this latest issue!

tmpout.sh/4/
March 21, 2025 at 4:26 PM
Reposted
Did anyone find the secret art page? 👀
tmpout.sh tmp0ut @tmpout.sh · Mar 21
Would you look at that, it's tmp.0ut Volume 4! Happy Friday, hope you enjoy this latest issue!

tmpout.sh/4/
March 21, 2025 at 8:13 PM
Reposted
Next RE//verse video released! Andrew's Day 2 keynote was the next most requested video. It starts with an aside from neuroscience, ends with a challenge to all tool developers and has a fantastic journey between:
RE//verse 2025: What 20 Years of RE Practice and Tool Research Feels Like It’s Done (Andrew Ruef)
Andrew starts his keynote with a journey into neuroscience and ends with a challenge for all reverse engineering tooling authors. Original Abstract: From RE//v...
youtu.be
March 21, 2025 at 8:50 PM
Reposted
Whoever made this one, it is perfect for IT work or life in general.
March 20, 2025 at 8:29 AM
Reposted
Prodaft has published a technical analysis of Anubis, a new Python-based backdoor linked to Savage Ladybug (FIN7) operations

catalyst.prodaft.com/public/repor...
March 16, 2025 at 10:39 AM