Hi there, I'm OJ. Welcome.
Phishing ops, malware delivery, and detections defenders can use.
I analyze real-world incidents, map delivery paths, and turn the findings into practical workflows, queries, and tools for defenders.
Phishing PDFs in the Wild - Patterns Across Three Campaigns
Three low-complexity PDF phishing samples with different lure styles but the same objective: drive urgent clicks into credential or payload delivery paths.
LinaStealer Unity NSIS Electron Loader: Multi-Stage Infostealer Campaign Analysis
Multi-stage loader analysis abusing Unity + NSIS + Electron to deliver a Brotli-compressed infostealer payload.
Analyzing A Recent Agent Tesla Sample
Breaking down a January 2026 Agent Tesla sample that hides its payload until runtime. Covers credential harvesting across 15+ applications, Startup folder persistence, and FTP exfil to attacker infrastructure. Includes ready-to-use KQL queries for hunting.
Detection Library
threat-detections
Reusable KQL and scoping queries built from real investigations — designed for fast pivoting during incident response and phishing triage.
View on GitHub →
PRVIEW
Browser-based phishing email analysis: import .eml or raw source, parse headers/body, extract URLs, and export a clean summary.
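The triage steps listed above (parse headers and body, pull out URLs, produce a summary) are the core of phishing email analysis, so here is a stand-alone worked example of them. This is an added illustration written for this page, not PRVIEW's own code: it uses Python's standard `email` package rather than running in a browser, the sample `.eml` is constructed with made-up addresses and domains, and the heuristics in `summarize()` (Reply-To / Return-Path domain mismatch, DMARC and DKIM results, raw-IP URLs, a sender domain embedded in a longer lookalike host) are assumptions about what a triage analyst wants flagged, not a complete detection set.

```python
import email
import json
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message for the illustration. Every address, domain,
# IP and header value here is made up; none of it is from a real capture.
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-updates.example.net>
Received: from mail-updates.example.net (203.0.113.10) by mx.example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-updates.example.net; dkim=none; dmarc=fail header.from=bank.example.org
From: "Bank Support" <support@bank.example.org>
Reply-To: helpdesk@mail-updates.example.net
To: victim@example.com
Subject: Urgent: verify your account
Date: Mon, 05 Jan 2026 09:15:00 +0000
Message-ID: <abc123@mail-updates.example.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please verify at https://bank.example.org.verify-login.example.net/secure
--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://bank.example.org.verify-login.example.net/secure">Verify now</a>
<a href="http://203.0.113.55/login.php">Login</a></body></html>
--b1--
"""

# Deliberately simple URL matcher: stops at whitespace, quotes and angle brackets
# so that href="..." and <...> wrappers do not leak into the captured URL.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
# Picks the spf=/dkim=/dmarc= verdicts out of an Authentication-Results header.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}(:\d+)?")


def domain_of(addr):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(value):
    """Map 'spf'/'dkim'/'dmarc' to their reported result, e.g. {'spf': 'pass'}."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(value)}


def extract_body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            parts.append(part.get_content())
    return "\n".join(parts)


def extract_urls(text):
    """Unique URLs in first-seen order, with trailing punctuation trimmed."""
    seen = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;")
        if url not in seen:
            seen.append(url)
    return seen


def summarize(raw):
    """Parse a raw .eml (bytes) into a triage summary dict with analyst flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_domain = domain_of(from_addr)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    urls = extract_urls(extract_body_text(msg))

    flags = []  # assumed triage heuristics; extend to taste
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append("reply-to domain differs from From domain")
    if return_path and domain_of(return_path) != from_domain:
        flags.append("return-path domain differs from From domain")
    if auth.get("dmarc") == "fail":
        flags.append("DMARC fail")
    if auth.get("dkim") in ("none", "fail"):
        flags.append(f"DKIM {auth['dkim']}")
    for url in urls:
        host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0]
        if IPV4_RE.fullmatch(host):
            flags.append(f"raw IP URL: {url}")
        elif from_domain and from_domain in host and not host.endswith(from_domain):
            # e.g. bank.example.org.verify-login.example.net: sender domain
            # used as a subdomain prefix of an unrelated registrable domain
            flags.append(f"lookalike host embeds sender domain: {host}")

    return {
        "subject": str(msg.get("Subject", "")),
        "from": from_addr,
        "from_display": from_name,
        "reply_to": reply_to,
        "return_path": return_path,
        "auth": auth,
        "urls": urls,
        "flags": flags,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EML), indent=2))
```

Running the script prints the summary for the constructed sample: Reply-To and Return-Path both point at a domain other than the From domain, DMARC fails, DKIM is absent, one URL is a raw IP and the other buries the sender's domain inside a longer lookalike host. The lookalike check is intentionally crude (substring and suffix comparison); a production tool would compare registrable domains using a public-suffix list.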
newsletter
Substack
Subscribe to get new research and writeups in your inbox when they drop.
Read on Substack →
Also: Field Notes — short technical write-ups and working notes.
Say hi: me@heyosj.com · LinkedIn · X · GitHub