Lightnews — Scholar-powered news

Karsten Hahn @struppigel.bsky.social · 9d

Thank you @threatresearch.bsky.social

Karsten Hahn @struppigel.bsky.social · 15d

My #VirusBulletin2025 loot 😍
I also met someone from vxunderground and all I got was this lousy sticker

1 2

Karsten Hahn @struppigel.bsky.social · 23d

Steam game BlockBlasters downloads malware
written by Arvin Tan

#GDATATechblog @GDATA #GDATA
www.gdatasoftware.com/blog/2025/09...

Infected Steam game downloads malware disguised as patch

A 2D platformer game called BlockBlasters has recently started showing signs of malicious activity after a patch release on August 30. While the user is playing the game, various bits of information a...

www.gdatasoftware.com

Karsten Hahn @struppigel.bsky.social · 28d

My colleague Banu wrote about the connection between AppSuite, OneStart and ManualFinder

www.gdatasoftware.com/blog/2025/09...

AppSuite, OneStart & ManualFinder: The Nexus of Deception

Having taken a look at AppSuite in one of our last articles, we have started pulling on a few loose threads to see where it would take us. It turns out that there are relationships with other maliciou...

www.gdatasoftware.com

1 1 2

Karsten Hahn @struppigel.bsky.social · Sep 10

Invite link for our Discord expired, because I did not change the default limit.
Here is a new one, this time without limit

discord.gg/8xB38EedHT

Tritt dem MalwareAnalysisForHedgehogs-Discord-Server bei!

Sieh dir die MalwareAnalysisForHedgehogs-Community auf Discord an – häng mit 152 anderen Mitgliedern ab und freu dich über kostenlose Sprach- und Textchats.

discord.gg

Karsten Hahn @struppigel.bsky.social · Sep 8

🦔 📹 New video: What breakpoints to set for unpacking malware?
➡️ Steps of unpacking stub
➡️ Breakpoint targets
➡️ VirtualAlloc from user to kernel mode

#MalwareAnalysisForHedgehogs #Unpacking
www.youtube.com/watch?v=fn8r...

Malware Theory - What breakpoints to set for unpacking

YouTube video by MalwareAnalysisForHedgehogs

www.youtube.com

2 2

Karsten Hahn @struppigel.bsky.social · Sep 2

Thanks!

Karsten Hahn @struppigel.bsky.social · Sep 2

In light of the new course, I created a Discord server for MalwareAnalysisForHedghogs to discuss malware analysis related topics.

You can join here--this is for every malware enthusiast, not only course members: discord.gg/3evhC4cj

Tritt dem MalwareAnalysisForHedgehogs-Discord-Server bei!

Sieh dir die MalwareAnalysisForHedgehogs-Community auf Discord an – häng mit 3 anderen Mitgliedern ab und freu dich über kostenlose Sprach- und Textchats.

discord.gg

1 2

Karsten Hahn @struppigel.bsky.social · Sep 1

My intermediate level malware analysis course is there.
60% off for the next two weeks.

malwareanalysis-for-hedgehogs.learnworlds.com/course/inter...

Malware Analysis - Intermediate Level

Signature writing, deobfuscation, dynamic API resolving, syscalls, hooking, shellcode analysis and more

malwareanalysis-for-hedgehogs.learnworlds.com

1 6 9

Karsten Hahn @struppigel.bsky.social · Aug 31

This blog post about impostor certificates by @SquiblydooBlog is a gem and very relevant right now.

Or: How threat actors impersonate companies to obtain authenticode certificates for signing their malware.
And why revokation is important.

squiblydoo.blog/2024/05/13/i...

Impostor Certificates

It is common for malware to be signed with code signing certificates. How is this possible? Impostors receive the cert directly and sign malware. In this blog-post, we look at 100 certs used by Sol…

squiblydoo.blog

1 1 4

Karsten Hahn @struppigel.bsky.social · Aug 28

Our technical deep-dive about AppSuite PDF Editor backdoor is out 📝👇

www.gdatasoftware.com/blog/2025/08...
#GDATA #GDATATechblog #AppSuite

Backdoor in "AppSuite PDF Editor": A Detailed Technical Analysis

Some threat actors are bold enough to submit their own malware as false positive to antivirus companies and demand removal of the detection. This is exactly what happened with AppSuite PDF Editor.

www.gdatasoftware.com

2 6

Karsten Hahn @struppigel.bsky.social · Aug 27

IDA, why are you doing this?

I lost my work because IDA refused to save. I needed to reboot the system to get network connection again. Without network there is no licensing server available.
Surely there must be a better way to not loose work?

1 1 3

Karsten Hahn @struppigel.bsky.social · Aug 20

These PDF editors are functional but each contain a backdoor

➡️https://virustotal.com/gui/file/fde67ba523b2c1e517d679ad4eaf87925c6bbf2f171b9212462dc9a855faa34b
bazaar.abuse.ch/sample/17355...

URLs
pdfreplace(dot)com
pdfmeta(dot)com
pdfartisan(dot)com
appsuites(dot)ai

#TamperedChef

3 8

Karsten Hahn @struppigel.bsky.social · Aug 16

driver reversing 101
eversinc33.com/posts/driver...

Driver Reversing 101

eversinc33.com

1 5

Karsten Hahn @struppigel.bsky.social · Aug 15

Comprehensive analysis of #HijackLoader
by Ryan Weil

www.trellix.com/blogs/resear...

www.trellix.com

3

Karsten Hahn @struppigel.bsky.social · Aug 14

Thank you

Karsten Hahn @struppigel.bsky.social · Aug 14

🔍New Blog: JustAskJacky -- AI brings back classical trojan horse malware

www.gdatasoftware.com/blog/2025/08...

#GDATA #GDATATechblog

JustAskJacky: AI brings back real trojan horse malware

Despite what some might make you believe, late Trojan Horses were a rare breed in the malware zoo. But thanks to AI and LLMs, they are back..

www.gdatasoftware.com

1 3

Karsten Hahn @struppigel.bsky.social · Aug 9

🦔 📹 New Video: There is more than Clean and Malicious

➡️ 7 file analysis verdicts and what they mean

#MalwareAnalysisForHedgehogs #Verdicts
www.youtube.com/watch?v=XwT2...

Analysis Verdicts: There is more than Clean and Malicious

YouTube video by MalwareAnalysisForHedgehogs

www.youtube.com

3 5

Karsten Hahn @struppigel.bsky.social · Aug 4

The course will not be hosted on Udemy. I am very unhappy with it.

The Beginners' course will also be moved to the new platform.

3

Karsten Hahn @struppigel.bsky.social · Aug 4

Good news, the intermediate malware analysis course is almost finished.

I have currently a test student working through the course to get rid of mistakes that I do not notice.

1 1 6

Karsten Hahn @struppigel.bsky.social · Jul 16

Nikola Knežević created an overview of AsyncRAT forks and how they relate to each other. Great research.

#AsyncRAT #QuasarRAT
www.welivesecurity.com/en/eset-rese...

5 6

Reposted by Karsten Hahn

Max 'Libra' Kersten @maxkersten.nl · Jul 1

Ghidra, scripting, LLM, automagic automation. That should grab the attention for this thread. If you want to read the complete blog, you can do so here: www.trellix.com/blogs/resear...
1/n

A side by side comparison of the original output by Ghidra, and the LLM enriched output.

1 5 8

Karsten Hahn @struppigel.bsky.social · Jul 5

🦔 📹 Virut Part III: File infection analysis and bait file creation

#MalwareAnalysisForHedgehogs #Virut
www.youtube.com/watch?v=FcXP...

Malware Analysis - Virut's file infection, part 3

YouTube video by MalwareAnalysisForHedgehogs

www.youtube.com

1 3

Karsten Hahn @struppigel.bsky.social · Jun 30

Blog: "Supper is served"
Excellent analysis article of the backdoor Supper by @c-b.io

c-b.io/2025-06-29+-...

2025-06-29 - Supper is served - Humpty's RE Blog

Recommend song to listen to while reading: If you find something off with what I say, please let me know. I'll gladly amend my content and credit you for the fix. Some thanks in alphabetical order

c-b.io

2

Karsten Hahn @struppigel.bsky.social · Jun 29

Regarding the last point:

A conclusion makes sense if you have something to add that wasn't there before.

But if you just repeat what you wrote before, it is very boring. In those instances it is better to not add it at all. A blog is not a thesis.

2