On June 30, 2025, a file named deklaracja.chm (“declaration.chm”) was uploaded to VirusTotal from Poland. The file is a Microsoft Compiled HTML Help file, a proprietary online help format which ...

Back in January 2025, I reviewed a campaign delivering Havoc Demon to targets in Bangladesh, Pakistan, and China via LNK files. While hunting for new threats this month, I came across an malicious ...

While hunting for MSI installers that typically distribute Gh0stRAT and RATs that share some of the Gh0stRAT code, such as WinOS/ValleyRAT, I came across an infection chain leading to a slightly mo...

While monitoring new threats, I came across an interesting ISO image (ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5) uploaded to VirusTotal from Taiwan on May 20, 2025. The ISO c...

On April 22, 2025, MalwareHunterTeam shared a hash for a low detection Linux ELF with 2 hard-coded IP addresses: 43.159.18[.]135 and 119.42.148[.]187. Upon review of the executable (ea41b2bf1064efc...

On April 18, 2025, I came across an interesting LNK file uploaded from Taiwan (f4bb263eb03240c1d779a00e1e39d3374c93d909d358691ca5386387d06be472), which I subsequently found had been initially disco...

On March 20, 2025, MalwareHunterTeam shared a sample of a ZIP file containing an LNK, uploaded from Cambodia: The ZIP file is named CNP_MFA_Meeting_Documents.zip. It contains an LNK file named M...

On February 22, 2025, MalwareHunterTeam shared a DLL uploaded from Taiwan with hash 1286aa5c73cf2c8058c52271869a5727d71ca5bd4dd0854be970d2a25cb52bf8 The DLL was uploaded from Taiwan on February ...

On January 27, 2025, @smica83 shared a sample on X indicating that it looked like Lazarus malware. I reviewed the sample and concluded that, indeed, it is a North Korean backdoor, likely the latest...

On January 15, 2025, a file named DH-Report76.pdf.lnk was uploaded to VirusTotal. The LNK file was likely being delivered to victims from army-mil[.]zapto.org. Parsing the LNK file, we can see t...