Disclaimer: All research and opinions expressed here are my own and are independent of any employer or organisation.
23 articles on cybersecurity research, malware analysis, and threat hunting
Analysis of a device code phishing operation built on the open-source GraphSpy tool, extended with a custom phish page generator and Cloudflare tunnel infrastructure, found via an exposed open directory and unauthenticated operator panel.
A deep dive into Device Code Lab, a professional grade, device code phishing platform, with numerous defense evasion and post-exploitation features.
Uncovering an undocumented Microsoft 365 account takeover panel using Evilginx API integration for easy token reuse and account compromise.
A deep dive into a newly discovered C2 framework, Nexus C2 — its features, operational flaws, and the implications of AI-generated malware in the wild.
A look at hunting C2 frameworks in the wild, including identifying a previously unknown C2 framework.
A follow-up investigation mapping 1,337 phishing URLs across 326 workers.dev hostnames, confirming a PhaaS multi-tenant architecture, encrypted client-side payloads, and new lure variants targeting Adobe, DocuSign, and Outlook branding.
Uncovering a phishing campaign abusing Microsoft Device Code Authentication and Cloudflare Worker Pages, with detection hunts for Entra and Microsoft 365.
A look into automating the hunt for malicious NPM packages, using AI for package review.
A look at a new phishing campaign, ConsentFix which utilises click-fix style techniques to steal auth tokens.
A walkthrough of different Token Theft Scenarios with Detections
Detecting abuse of VSCode Remote Tunnels for C2 and persistence by threat actors
How threat actors abuse Microsoft Dev Tunnels for C2 communication and detection strategies
Investigating suspicious svchost.exe behavior and Internet Connection Sharing during malware triage
Analysis of phishing kits that detect and evade virtual machine environments
A practical guide to implementing threat hunting in a SOC environment and moving beyond reactive detection
Using Malleable C2 profiles and C2 Concealer to bypass network-based detection of Cobalt Strike beacons
Complete guide to installing and configuring Elastic SIEM with EDR capabilities
Using Volatility 3 for memory forensics to analyze malware-infected systems
Step-by-step analysis of a multi-stage fileless malware campaign delivering Cobalt Strike beacon
Configure Filebeat to ship Zeek network logs to ELK Stack for home network monitoring
Build a home network monitoring lab using Zeek IDS and ELK Stack for traffic analysis
Understanding and exploiting Local File Inclusion vulnerabilities through practical pentesting
Analyzing malicious Office documents using OLE Tools and CyberChef for static analysis