https://blueteam.cool/Digital Forensics · Detection Engineering · Threat Hunting. A space for defenders, by defenders — write-ups, tooling, and tradecraft focused on catching what actually gets people popped. 2026-06-12T20:48:23+10:00 Luke Wilkinson https://blueteam.cool/ Jekyll © 2026 Luke Wilkinson /assets/img/favicons/favicon.ico /assets/img/favicons/favicon-96x96.png 2026-06-12T09:00:00+10:00 2026-06-12T09:00:00+10:00 https://blueteam.cool/posts/wordpress-webshell-gsocket/ Luke Wilkinson

A compromised WordPress site, eleven hundred lines of IIS logs, a two-stage binary-encoded webshell, and six attempts to deploy a gsocket reverse shell.

2026-06-11T09:00:00+10:00 2026-06-11T09:00:00+10:00 https://blueteam.cool/posts/pishbini90ai-clickfix/ Luke Wilkinson

A ClickFix loader that hides shellcode as 256 English words in .rdata, delivers via WebDAV-over-HTTPS, and executes via Windows fibers. IOCs and YARA inside.

2026-06-11T09:00:00+10:00 2026-06-11T09:00:00+10:00 https://blueteam.cool/posts/clickfix-captcha-code-lol/ Luke Wilkinson

Five-layer RC4+gzip ClickFix stager drops a Rust infostealer with browser extension force-install, LSA session enumeration, and AD recon via NetAPI.

2026-06-10T09:00:00+10:00 2026-06-10T09:00:00+10:00 https://blueteam.cool/posts/node-folderkey-loader/ Luke Wilkinson

A Node.js loader disguised as a dev tool: signed node.exe, extensionless script, folder-keyed string cipher, and an in-memory payload that never touches disk.

2026-06-06T09:00:00+10:00 2026-06-06T17:37:54+10:00 https://blueteam.cool/posts/systemhealth-pyarmor-bundle/ Luke Wilkinson

A fake SysMon.py in C:\Windows\SystemHealth runs a Pyarmor-locked Python bundle: an XMRig Monero miner, a credential and wallet stealer, and a fake-wallet phisher.