Welcome to BlueTeamCoolTeam
So this is a thing now. BlueTeamCoolTeam is a personal blog where I’ll be publishing hands-on write-ups of real malware samples and incidents — the kind that show up on a Monday morning when someb...
A compromised WordPress site, eleven hundred lines of IIS logs, a two-stage binary-encoded webshell, and six attempts to deploy a gsocket reverse shell.
A ClickFix loader that hides shellcode as 256 English words in .rdata, delivers via WebDAV-over-HTTPS, and executes via Windows fibers. IOCs and YARA inside.
Five-layer RC4+gzip ClickFix stager drops a Rust infostealer with browser extension force-install, LSA session enumeration, and AD recon via NetAPI.
A Node.js loader disguised as a dev tool: signed node.exe, extensionless script, folder-keyed string cipher, and an in-memory payload that never touches disk.
A fake SysMon.py in C:\Windows\SystemHealth runs a Pyarmor-locked Python bundle: an XMRig Monero miner, a credential and wallet stealer, and a fake-wallet phisher.
A brand-new scheduled task on a two-year-old host launches a fileless PowerShell HTTP-RAT that listens on localhost only and waits for an operator's tunnel.
A WMI-launched PowerShell loader with reflection AMSI/ETW bypass and a payload that only decrypts if its own AMSI bypass succeeded first.
A PowerShell stager drops the legitimate Node.js runtime, runs a JavaScript RAT under it, and resolves its C2 domain from a TON blockchain smart contract.
A ClickFix lure drops a 145 MB Electron flomo app. The RAT runs a signed OneDriveLauncher that sideloads a trojanized DLL to decrypt a PNG-wrapped payload.