kmsec.uk

kmsec.uk(mainly) a security bloghttps://kmsec.uk/enNorth Korea's abuse of Cloudflare Workers and Pageshttps://kmsec.uk/blog/dprk-pages-dev-abusehttps://kmsec.uk/blog/dprk-pages-dev-abuseA cluster of npm packages showcases some neat obfuscation and abuse of Cloudflare WorkersFri, 01 May 2026 00:00:00 GMTParsing Google Docs HTML and building a public corpus of 25,000+ docshttps://kmsec.uk/blog/parsing-google-docshttps://kmsec.uk/blog/parsing-google-docsExtracting document metadata from HTML to create dochunt.kmsec.ukFri, 24 Apr 2026 00:00:00 GMTContagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operatorshttps://kmsec.uk/blog/contagious-traderhttps://kmsec.uk/blog/contagious-traderDiscovering and attributing a novel campaign to North KoreaTue, 17 Mar 2026 00:00:00 GMTFirst instance of PylangGhost RAT observed on npmhttps://kmsec.uk/blog/pylangghost-npmhttps://kmsec.uk/blog/pylangghost-npmA DPRK/FAMOUS CHOLLIMA-attributed malware historically not observed on npmFri, 13 Mar 2026 00:00:00 GMTNovel DPRK stager using Pastebin and text steganographyhttps://kmsec.uk/blog/dprk-text-steganographyhttps://kmsec.uk/blog/dprk-text-steganographySeventeen npm packages released in 2 days use a mischievous stager mechanismThu, 26 Feb 2026 00:00:00 GMTTracking DPRK operator IPs over timehttps://kmsec.uk/blog/dprk-opsec-3https://kmsec.uk/blog/dprk-opsec-3FAMOUS CHOLLIMA's temporary email usage leaks IP addresses (opsec mistakes part 3)Sun, 22 Feb 2026 00:00:00 GMTDPRK tests Google Drive as a malware stagerhttps://kmsec.uk/blog/dprk-gdrive-stagerhttps://kmsec.uk/blog/dprk-gdrive-stagerA small change in TTPsSat, 21 Feb 2026 00:00:00 GMTExposed DPRK reference malware and logshttps://kmsec.uk/blog/dprk-opsec-2https://kmsec.uk/blog/dprk-opsec-2Artifacts left behind in npm packages (part 2)Mon, 16 Feb 2026 00:00:00 GMTVMWare artifacts left by a FAMOUS CHOLLIMA operatorhttps://kmsec.uk/blog/dprk-opsec-1https://kmsec.uk/blog/dprk-opsec-1Operator procedures revealed (part 1)Fri, 13 Feb 2026 00:00:00 GMTnpm package bigmathix and the BigSquatRat campaign behind ithttps://kmsec.uk/blog/js-malware-bigmathixhttps://kmsec.uk/blog/js-malware-bigmathixStatic analysis of a unique JavaScript infection chain and an examination of the wider footprint of the malware campaignMon, 19 Jan 2026 00:00:00 GMTPassive Takeover - uncovering (and emulating) an expensive subdomain takeover campaignhttps://kmsec.uk/blog/passive-takeoverhttps://kmsec.uk/blog/passive-takeoverThis post explores an often overlooked type of subdomain takeover attack I am dubbing "passive takeover."Sun, 05 Mar 2023 00:00:00 GMTFingerprinting C2s with Shodanhttps://kmsec.uk/blog/fingerprinting-pupyrathttps://kmsec.uk/blog/fingerprinting-pupyratA quick C2 fingerprinting exercise with ShodanFri, 06 Jan 2023 00:00:00 GMTTracking Crimson Kingsnakehttps://kmsec.uk/blog/tracking-crimson-kingsnakehttps://kmsec.uk/blog/tracking-crimson-kingsnakeUsing VirusTotal to track Crimson KingsnakeFri, 06 Jan 2023 00:00:00 GMTCaddy: enabling valid internal SSL certificates with ACME DNS challengehttps://kmsec.uk/blog/caddy-dns-challenge-certshttps://kmsec.uk/blog/caddy-dns-challenge-certsThis is an older how-to I wrote on how I provisioned valid SSL certificates on my internal homelab using ACME DNS challengeFri, 06 Aug 2021 00:00:00 GMT