analysis
Deep dives into malware, phishing campaigns, and attacker tradecraft.
Focused on how things behave at runtime and what defenders can actually detect.
Analyzing A Recent Agent Tesla Sample
Breaking down a January 2026 Agent Tesla sample that hides its payload until runtime. Covers credential harvesting across 15+ applications, Startup folder persistence, and FTP exfil to attacker infrastructure. Includes ready-to-use KQL queries for hunting.
1/31/2026
Windows Loader/Stager Crash Case
Dynamic analysis of a Windows executable that performed environment checks, re-executed under a new parent, and triggered a CRITICAL_PROCESS_DIED bugcheck without observed payload delivery.
1/27/2026
Songtrust Impersonation via SMS, Fake Work Portal, Telegram Pivot
Unsolicited SMS promised easy remote pay, linked to a Songtrust-branded login page that simply funnels victims to Telegram.
1/13/2026
Lumma Stealer HTA Loader Analysis
Static analysis of a Lumma Stealer HTA loader that self-reads, decodes embedded hex payload data, and executes it via eval.
1/12/2026
Office 365 Termination Phish, Google Forms Credential Grab, Evidence Preserved
Sketchy email asking me to give them my email + password to verify that my email was in fact still being used.
12/31/2025
LinkedIn 'Recruiter' Links, Dead Redirector, Evidence Preserved
A repeatable headers-only workflow to sanity-check suspicious short links from a LinkedIn DM, capture what you can, and preserve evidence even when the redirect chain is already dead.
12/21/2025
Casefile: 'System Shutdown' Phish — Safe Redirect Triage + IOC Extraction
A repeatable email-triage workflow: preserve evidence, review headers, extract/defang links, safely resolve redirects (headers-only), and document IOCs + defensive actions.
12/14/2025
Brutus HTB Sherlock — SSH Brute Force Investigation
Analyzing a successful SSH brute force attack against a Confluence server using Linux auth logs and wtmp data. A practical walkthrough of incident response techniques.
9/20/2025
OHsint (TryHackMe) — OSINT Lab
How I solved OHsint (TryHackMe), a small OSINT lab about turning one photo into real-world context using only public breadcrumbs; process first, PII redacted.
8/16/2025