All blog posts

Unfortunately I end up going down intel rabbit holes more than writing about them. Please enjoy the rare fruits of my endeavours.

• Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators

  17 March 2026 | Tags: malware, npm, github, contagious trader

  Discovering and attributing a novel campaign to North Korea

• First instance of PylangGhost RAT observed on npm

  13 March 2026 | Tags: javascript, malware, npm, dprk

  A DPRK/FAMOUS CHOLLIMA-attributed malware historically not observed on npm

• Novel DPRK stager using Pastebin and text steganography

  26 February 2026 | Tags: javascript, malware, npm, dprk

  Seventeen npm packages released in 2 days use a mischievous stager mechanism

• Tracking DPRK operator IPs over time

  22 February 2026 | Tags: javascript, malware, npm, dprk

  FAMOUS CHOLLIMA's temporary email usage leaks IP addresses (opsec mistakes part 3)

• DPRK tests Google Drive as a malware stager

  21 February 2026 | Tags: javascript, malware, npm, dprk

  A small change in TTPs

• Exposed DPRK reference malware and logs

  16 February 2026 | Tags: javascript, malware, npm, dprk

  Artifacts left behind in npm packages (part 2)

• VMWare artifacts left by a FAMOUS CHOLLIMA operator

  13 February 2026 | Tags: javascript, malware, npm, dprk

  Operator procedures revealed (part 1)

• npm package bigmathix and the BigSquatRat campaign behind it

  19 January 2026 | Tags: javascript, malware, npm, github

  Static analysis of a unique JavaScript infection chain and an examination of the wider footprint of the malware campaign

• Passive Takeover - uncovering (and emulating) an expensive subdomain takeover campaign

  5 March 2023 | Tags: intel, shodan, iocs, T1584.001, subdomain takeover

  This post explores an often overlooked type of subdomain takeover attack I am dubbing "passive takeover."

• Fingerprinting C2s with Shodan

  6 January 2023 | Tags: intel, shodan, iocs

  A quick C2 fingerprinting exercise with Shodan

• Tracking Crimson Kingsnake

  6 January 2023 | Tags: virustotal, phishing, fraud, intel, iocs, crimson kingsnake

  Using VirusTotal to track Crimson Kingsnake

• Caddy: enabling valid internal SSL certificates with ACME DNS challenge

  6 August 2021 | Tags: caddy, letsencrypt, lab

  This is an older how-to I wrote on how I provisioned valid SSL certificates on my internal homelab using ACME DNS challenge