labs
experiments, notes, research.
hands-on writeups from ctfs, tooling trials, and small investigations — focused on what’s reproducible.
Songtrust Impersonation via SMS, Fake Work Portal, Telegram Pivot
Unsolicited SMS promised easy remote pay, linked to a Songtrust-branded login page that simply funnels victims to Telegram.
1/13/2026
Lumma Stealer HTA Loader Analysis
Static analysis of a Lumma Stealer HTA loader that self-reads, decodes embedded hex payload data, and executes it via eval.
1/12/2026
Office 365 Termination Phish, Google Forms Credential Grab, Evidence Preserved
Sketchy email asking me to give them my email + password to verify that my email was in fact still being used.
12/31/2025
LinkedIn 'Recruiter' Links, Dead Redirector, Evidence Preserved
A repeatable headers-only workflow to sanity-check suspicious short links from a LinkedIn DM, capture what you can, and preserve evidence even when the redirect chain is already dead.
12/21/2025
Casefile: 'System Shutdown' Phish — Safe Redirect Triage + IOC Extraction
A repeatable email-triage workflow: preserve evidence, review headers, extract/defang links, safely resolve redirects (headers-only), and document IOCs + defensive actions.
12/14/2025
Brutus HTB Sherlock — SSH Brute Force Investigation
Analyzing a successful SSH brute force attack against a Confluence server using Linux auth logs and wtmp data. A practical walkthrough of incident response techniques.
9/20/2025
OHsint (TryHackMe) — OSINT Lab
how i solved ohsint (tryhackme) — a small osint lab about turning one photo into real-world context using only public breadcrumbs; process first, pii redacted.
8/16/2025