Karsten Hahn
struppigel.bsky.social
For anyone who wants to understand certificates better and how to spot abuse,
this is a great read
certcentral.org/training
November 13, 2025 at 3:12 PM
🦔 📹 Video: Analysis of malicious NordVPN setup
➡️ beginner-suitable
➡️ sorry, no spoilers here ;)

www.youtube.com/watch?v=5-OY...

#MalwareAnalysisForHedgehogs
Malware Analysis - Trojanized NordVPN Setup, Beginner Sample
YouTube video by MalwareAnalysisForHedgehogs
www.youtube.com
October 26, 2025 at 6:02 AM
I am looking for good resources for Linux malware analysis, including books and courses.
If you have any recommendations please let me know.
October 15, 2025 at 3:33 PM
My #VirusBulletin2025 loot 😍
I also met someone from vxunderground and all I got was this lousy sticker
September 30, 2025 at 12:20 PM
My colleague Banu wrote about the connection between AppSuite, OneStart and ManualFinder

www.gdatasoftware.com/blog/2025/09...
AppSuite, OneStart & ManualFinder: The Nexus of Deception
Having taken a look at AppSuite in one of our last articles, we have started pulling on a few loose threads to see where it would take us. It turns out that there are relationships with other maliciou...
www.gdatasoftware.com
September 17, 2025 at 2:30 AM
🦔 📹 New video: What breakpoints to set for unpacking malware?
➡️ Steps of unpacking stub
➡️ Breakpoint targets
➡️ VirtualAlloc from user to kernel mode

#MalwareAnalysisForHedgehogs #Unpacking
www.youtube.com/watch?v=fn8r...
Malware Theory - What breakpoints to set for unpacking
YouTube video by MalwareAnalysisForHedgehogs
www.youtube.com
September 8, 2025 at 7:12 AM
In light of the new course, I created a Discord server for MalwareAnalysisForHedgehogs to discuss malware analysis related topics.

You can join here--this is for every malware enthusiast, not only course members: discord.gg/3evhC4cj
Join the MalwareAnalysisForHedgehogs Discord server!
Check out the MalwareAnalysisForHedgehogs community on Discord, hang out with 3 other members and enjoy free voice and text chats.
discord.gg
September 2, 2025 at 6:55 AM
My intermediate level malware analysis course is there.
60% off for the next two weeks.

malwareanalysis-for-hedgehogs.learnworlds.com/course/inter...
Malware Analysis - Intermediate Level
Signature writing, deobfuscation, dynamic API resolving, syscalls, hooking, shellcode analysis and more
malwareanalysis-for-hedgehogs.learnworlds.com
September 1, 2025 at 3:17 PM
This blog post about impostor certificates by @SquiblydooBlog is a gem and very relevant right now.

Or: How threat actors impersonate companies to obtain authenticode certificates for signing their malware.
And why revocation is important.

squiblydoo.blog/2024/05/13/i...
Impostor Certificates
It is common for malware to be signed with code signing certificates. How is this possible? Impostors receive the cert directly and sign malware. In this blog-post, we look at 100 certs used by Sol…
squiblydoo.blog
August 31, 2025 at 7:48 PM
IDA, why are you doing this?

I lost my work because IDA refused to save. I needed to reboot the system to get network connection again. Without network there is no licensing server available.
Surely there must be a better way to not lose work?
August 27, 2025 at 3:22 AM
These PDF editors are functional but each contains a backdoor

➡️ https://virustotal.com/gui/file/fde67ba523b2c1e517d679ad4eaf87925c6bbf2f171b9212462dc9a855faa34b
bazaar.abuse.ch/sample/17355...

URLs
pdfreplace(dot)com
pdfmeta(dot)com
pdfartisan(dot)com
appsuites(dot)ai

#TamperedChef
August 20, 2025 at 3:15 PM
driver reversing 101
eversinc33.com/posts/driver...
Driver Reversing 101
eversinc33.com
August 16, 2025 at 6:24 AM
Comprehensive analysis of #HijackLoader
by Ryan Weil

www.trellix.com/blogs/resear...
www.trellix.com
August 15, 2025 at 4:46 AM
🔍New Blog: JustAskJacky -- AI brings back classical trojan horse malware

www.gdatasoftware.com/blog/2025/08...

#GDATA #GDATATechblog
JustAskJacky: AI brings back real trojan horse malware
Despite what some might make you believe, late Trojan Horses were a rare breed in the malware zoo. But thanks to AI and LLMs, they are back.
www.gdatasoftware.com
August 14, 2025 at 4:05 AM
🦔 📹 New Video: There is more than Clean and Malicious

➡️ 7 file analysis verdicts and what they mean

#MalwareAnalysisForHedgehogs #Verdicts
www.youtube.com/watch?v=XwT2...
Analysis Verdicts: There is more than Clean and Malicious
YouTube video by MalwareAnalysisForHedgehogs
www.youtube.com
August 9, 2025 at 4:20 AM
Good news, the intermediate malware analysis course is almost finished.

I currently have a test student working through the course to get rid of mistakes that I do not notice.
August 4, 2025 at 3:56 AM
Nikola Knežević created an overview of AsyncRAT forks and how they relate to each other. Great research.

#AsyncRAT #QuasarRAT
www.welivesecurity.com/en/eset-rese...
July 16, 2025 at 5:25 AM
Reposted by Karsten Hahn
Ghidra, scripting, LLM, automagic automation. That should grab the attention for this thread. If you want to read the complete blog, you can do so here: www.trellix.com/blogs/resear...
1/n
July 1, 2025 at 12:35 PM
🦔 📹 Virut Part III: File infection analysis and bait file creation

#MalwareAnalysisForHedgehogs #Virut
www.youtube.com/watch?v=FcXP...
Malware Analysis - Virut's file infection, part 3
YouTube video by MalwareAnalysisForHedgehogs
www.youtube.com
July 5, 2025 at 7:07 AM
Blog: "Supper is served"
Excellent analysis article of the backdoor Supper by @c-b.io

c-b.io/2025-06-29+-...
2025-06-29 - Supper is served - Humpty's RE Blog
Recommend song to listen to while reading: If you find something off with what I say, please let me know. I'll gladly amend my content and credit you for the fix. Some thanks in alphabetical order
c-b.io
June 30, 2025 at 8:17 AM
Tips for newcomers to malware blog articles:

➡️You don't need to document every malware function. Focus on key areas
➡️Your text must be factually correct and it is okay to skip those details you are unsure about
➡️When you are done, just stop writing
June 29, 2025 at 6:35 AM
A colleague and I wrote an article about EvilConwi -- signed ConnectWise remote access software being abused as malware
#GDATATechblog
www.gdatasoftware.com/blog/2025/06...
Threat Actors abuse signed ConnectWise application as malware builder
Since March 2025, there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples. We reveal how bad signing practices allow threat actors to abuse th...
www.gdatasoftware.com
June 23, 2025 at 9:57 AM
Virut part II: process infection and NTDLL hooking 🦔📹
➡️x64dbg scripting
➡️conditional breakpoints
➡️more import table resolving
➡️fixing control flow
➡️marking up hook code

#MalwareAnalysisForHedgehogs #Virut
www.youtube.com/watch?v=nuxn...
Malware Analysis - Virut's NTDLL Hooking and Process Infection, Part 2
YouTube video by MalwareAnalysisForHedgehogs
www.youtube.com
May 30, 2025 at 1:27 PM