Karsten Hahn
@struppigel
MalwareAnalysisForHedgehogs, Principal Malware Researcher at GDATA, he/him 🦔🌈🏳️‍⚧️
International, joined May 2014
787 Following, 25.6K Followers, 9.4K posts
vx-underground @vxunderground
tl;dr normie to big stinky nerd translator

I'm going to share something embarrassing, but this is true. I have found a good usage of AI (for me, at least).

I'm a big stinky nerd and I have a hard time understanding what people are saying to me. I am an extremely explicit communicator. I usually say exactly what I mean (for better or worse). I get very confused when people imply something, or lean heavily on emotional phrasing, to implicitly communicate.

I have been unironically using AI to explain what people are saying to me. I'll detail the conversation to the best of my ability if it was communicated verbally; if it was online I copy-paste my message and the person's response (or comment). The silly AI slop robot then translates what the person says into explicit communication for me so I understand better.

Basically, the dumb ass slop machine robot is better at understanding humans than me. Sometimes I have zero idea what someone is talking about or trying to convey.

pic related: machine deciphering human language and explaining to my dumb nerd brain
[image attached]
Karsten Hahn retweeted
Kostas @Kostastsale
Today I’m launching Threat Hunting Labs. Over the years I’ve analyzed many real-world intrusions. One thing became obvious: most training platforms don’t resemble how investigations actually happen. So I built something different. Threat Hunting Labs focuses on investigation-driven learning using real telemetry and structured investigative paths. If you want to get better at investigating breaches, you should practice investigating breaches. More details here: threathuntinglabs.com/blog/introduci…
Karsten Hahn @struppigel
@RussianPanda9xx Wrinkles that were deepened from smiling a lot during your life are a very charismatic feature and interesting to look at. I have a deep "third eye" / brooding wrinkle between my eyebrows, not sure if I am happy about it, but it's accurate.
Karsten Hahn retweeted
vx-underground @vxunderground
I am genuinely impressed by mainstream media outlets' ability to find absolute nobodies in cybersecurity. It's remarkable. I am often left speechless.

There have been dozens of occasions, especially as of recent, where some media outlet will be like, "Today as a special guest is world-renowned cybersecurity expert and ethical hacker Joe McCyberSecurity".

I'm like, who the fuck is Joe McCybersecurity? I've been doing cybersecurity and malware stuff for a long time and I've never once seen or heard of Joe McCybersecurity. If he is world-renowned, I would THINK I would have seen them or heard of them.

The camera then pans over to Joe McCybersecurity and it is the most generic cookie cutter white dude in a cheap suit and the tag below him will say something like, "Joe McCybersecurity, Ethical Hacker, CEO of Cybersecurity McJoe Industries"

I'm like, "Cybersecurity McJoe Industries? What the fuck is that?". I look it up and it's a generic WordPress website hosted on GoDaddy with an expired SSL cert.

Joe McCybersecurity then babbles incomprehensible nonsense for about 60 seconds until the TV host goes "woaw" and it cuts to a commercial.

Absolute cinema.
Chris Sanders 🔎 🧠 @chrissanders88
Investigation Scenario 🔎 Browser history for an HR user shows repeated visits to chat.openai[.]com, followed by creation of C:\Users\chris\AppData\Local\Temp\cleanup[.]ps1. The file is not available, and the hash shows no matches in OSINT resources. What do you look for to investigate whether an incident occurred? #InvestigationPath #DFIR #SOC
Jesko Hüttenhain @huettenhain
A lot of convenience added to #BinaryRefinery in 0.10.2 overall, so this might be a good time to update. Hey @greglesnewich, remember when you wanted DMG archive support? Guess what ...
[image attached]
Karsten Hahn @struppigel
@seongsu_kang Raw binaries, but I don't feed it a lot of samples at once. I use it only for single cases to figure out as much as possible about them.
seongsu @seongsu_kang
Nice setup. I work on blockchain investigation tools and we recently plugged MCP into our analysis pipeline — AI traces fund flows and generates reports automatically. Curious about the Remnux + LLM combo. Are you feeding raw binary samples or pre-processed indicators? 16GB RAM feels tight for embedding models.
Gootloader @Gootloader
@struppigel But the zip manipulation Gootloader does to zips, that only extract a .JS on Windows but a .TXT for everyone else, is a "feature" not a security flaw
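The zip trick referenced in the reply above belongs, in the general case, to a class of archive ambiguity: a zip carries two directory views (the central directory at the end, and a local file header in front of each entry), and when they disagree, two extractors can produce different files from the same bytes. As an added example (Python; not code from any of the posts on this page), the checker below flags that class of disagreement: a central directory entry whose local header claims a different name, a name that occurs twice, or a sequential walk that finds a different number of local headers than the central directory lists. It does not reproduce Gootloader's actual manipulation, which the page does not describe; the sample archive is constructed inside the script and the function names are mine.

```python
"""Audit a zip archive for disagreement between its two directory views.

Added example; not code from any post on this page. The specific zip
manipulation Gootloader uses is not described above, so this checks the
general class of ambiguity behind "one archive, two extraction results".
Function names are my own.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header
CD_SIG = b"PK\x01\x02"      # central directory file header
EOCD_SIG = b"PK\x05\x06"    # end of central directory record


def central_entries(data):
    """Yield (name, local_header_offset) for each central directory entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: total entries at +10, directory size at +12, directory offset at +16
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(total):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        yield data[pos + 46:pos + 46 + name_len].decode("cp437"), local_off
        pos += 46 + name_len + extra_len + comment_len


def walk_local_headers(data):
    """Walk local file headers from offset 0; return (names, complete).

    complete is False if the walk stopped at an entry that uses a data
    descriptor (general purpose bit 3): its size is not in the header,
    so the next header cannot be located without decompressing.
    """
    names, pos = [], 0
    while data[pos:pos + 4] == LOCAL_SIG:
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & 0x08:
            return names, False
        (csize,) = struct.unpack_from("<I", data, pos + 18)
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        names.append(data[pos + 30:pos + 30 + name_len].decode("cp437"))
        pos += 30 + name_len + extra_len + csize
    return names, True


def audit_zip(data):
    """Return a list of findings; an empty list means both views agree."""
    findings, seen = [], set()
    cd = list(central_entries(data))
    for cd_name, local_off in cd:
        if data[local_off:local_off + 4] != LOCAL_SIG:
            findings.append(f"{cd_name!r}: central directory offset {local_off} "
                            "is not a local file header")
            continue
        (name_len,) = struct.unpack_from("<H", data, local_off + 26)
        local_name = data[local_off + 30:local_off + 30 + name_len].decode("cp437")
        if local_name != cd_name:
            findings.append(f"name mismatch: central directory says {cd_name!r}, "
                            f"local header at offset {local_off} says {local_name!r}")
        # case-insensitive: names differing only in case collide on Windows
        if cd_name.lower() in seen:
            findings.append(f"duplicate entry name {cd_name!r}")
        seen.add(cd_name.lower())
    walked, complete = walk_local_headers(data)
    if complete and len(walked) != len(cd):
        findings.append(f"{len(walked)} local headers walked sequentially but "
                        f"{len(cd)} central directory entries")
    return findings


def build_sample(tampered):
    """Constructed sample: a one-entry stored archive.

    When tampered, the local header's copy of the name is patched to a
    same-length name with a different extension, so the two views disagree.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("form.txt", "just some text\n")
    data = buf.getvalue()
    if tampered:
        # the first occurrence of the name is the local file header's copy
        data = data.replace(b"form.txt", b"form1.js", 1)
    return data


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)),
                          ("tampered", build_sample(True))):
        print(label, audit_zip(sample) or ["no findings"])
```

Run it against an archive read from disk with `audit_zip(open(path, "rb").read())`; any finding means different extractors may legitimately show different contents, which is exactly the case where a sandbox or scanner can see a harmless file while the victim's extractor writes the script.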
Karsten Hahn @struppigel
@CyberRaiju @bohansec Yes, I agree and I also do this. VT is a very helpful tool to determine **potentially** undetected malware. I just don't like the AV bashing that often comes along with it. I created so many signatures that cannot show up on VT.
Jai Minton @CyberRaiju
@struppigel @bohansec Yeah, I do think it's important to call out binaries when they're undetected on VT, e.g. also no Yara hits. Not so much to say AV isn't detecting it, but more so to get eyes on it from vendors, as the engines on VT used and behaviours exhibited mean it's flying under the radar.
Karsten Hahn @struppigel
I have said this quite a few times, but there is this misconception that the scanning engines on VT tell you whether the AV product detects the malware. They do not.
Malcat dev @malcat4ever
@struppigel Wait 'til they learn about password-protected zip files.