defense-evasion 8
- Telegram Handles, Binary-Encoded PHP, and a Relay Shell: Inside a WordPress Webshell Compromise
- They built a dictionary to hide their shellcode: the pishbini90ai ClickFix loader
- Fake captcha, five layers of RC4, and a Rust stealer with LSA session enumeration and AD recon
- The Node.js loader that locks its own strings to the folder it lives in
- The "SharePoint Helper" That Was Really a Localhost Backdoor
- Bring Your Own Node: a PowerShell stager, a blockchain dead-drop, and a RAT that runs on the real Node.js
- Seven layers of obfuscation, one 1970s LOLBIN: pulling apart a ClickFix chain through finger.exe
- A driver that wasn't a driver: dissecting a steganographic PowerShell beacon