Analyzing a Cobalt Strike Payload: DLL Hijacking, Alcatraz Obfuscation, and Reflective Loading
This analysis covers a phishing attack that tricks users into executing malware by mimicking a legitimate PDF. We detail the DLL hijacking of a Logitech executable, deobfuscate the Control Flow Flattening in DJCU.dll, and extract the final Cobalt Strike beacon configuration.
ACS 2025: A Busan Victory with KMA.LightBlue
KMA.LightBlue won 1st place at ACS 2025 in Busan, securing the $20,000 grand prize. This post details our challenge solutions from Qualifier and Finals.
Devirtualizing Tigress Challenge 0 with Triton
We devirtualize Tigress Challenge 0 with Triton by combining concrete control flow and symbolic data execution to extract the original 64-bit computation.
Analyzing a Payload: EDR Hook Bypassing and API Recovery
This analysis covers the unpacking and analysis of a malware payload that uses file padding to hinder automated analysis, self-modifying code, and trampoline-based EDR hook bypassing. We also detail how we dumped the final shellcode and automated the recovery of its API references in IDA Pro.
How to Convert EXEs to DLLs: PE Internals and Practical Steps
EXEs and DLLs share the PE format. By setting the DLL flag, redirecting the entry point to a DllMain stub, and adding an export directory inside a code cave, an EXE can be converted into a working DLL.