Karsten Hahn
struppigel.bsky.social
Samplepedia update: Users can submit their own images with the samples and there is a platform field.

samplepedia.cc
January 8, 2026 at 4:32 AM
I have created a website, where you can share your sample analysis (via links or posts) and search samples for training based on tags and difficulty.

If you write analysis blogs, you can share them there.
samplepedia.cc
January 4, 2026 at 5:53 AM
I added a Python script to monitor a folder during dynamic analysis and dump changed files with timestamp

github.com/struppigel/h...
hedgehog-tools/Python helper scripts/monitor_and_dump_changed_files.py at main · struppigel/hedgehog-tools
December 27, 2025 at 9:08 AM
🦔 📹New Video: RenPy game loads stealer, beginner friendly
➡️ strategies for finding malware in 2956 files
➡️ extracting and decompiling RenPy
➡️ remote access tool config extraction
➡️ unpacking native payload
#MalwareAnalysisForHedgehogs #RenPy
www.youtube.com/watch?v=Fmfg...
Malware Analysis - RenPy game, finding malware code in 2956 files, Beginner friendly
YouTube video by MalwareAnalysisForHedgehogs
December 21, 2025 at 1:02 PM
I added a RenPy archive (.rpa, .rpi) extractor to my tools repo

github.com/struppigel/h...
hedgehog-tools/RenPy at main · struppigel/hedgehog-tools
December 13, 2025 at 5:47 AM
🦔📹 New Video: Modifying string decrypter for a ConfuserEx2 variant
➡️ Defeating antis with Harmony hooks
➡️ AsmResolver
➡️ .NET string deobfuscation
#MalwareAnalysisForHedgehogs
www.youtube.com/watch?v=sARn...
Malware Analysis - Defeating ConfuserEx Anti-Analysis with Hooking
YouTube video by MalwareAnalysisForHedgehogs
November 30, 2025 at 11:01 AM
Black Friday offers:
60% off for 2 malware analysis courses (beginner & intermediate)
Or 40% off for single course

malwareanalysis-for-hedgehogs.learnworlds.com/courses
November 28, 2025 at 6:41 AM
Lecture on Anti Tamper by Tim Blazytko www.youtube.com/watch?v=hQi9...
SP25: Anti Tamper
YouTube video by mr_phrazer
November 22, 2025 at 7:00 AM
Rhadamanthys loader deobfuscation
cyber.wtf/2025/11/19/r...
Rhadamanthys Loader Deobfuscation | cyber.wtf
November 19, 2025 at 12:14 PM
I am suggesting a new malware type: the browser remote access tool (BRAT)

It's a form of browser hijacker that remotely controls your browser based on server commands.

Typical form: press key combos for copy-pasting URLs, opening tabs, context menu, downloading files etc
November 17, 2025 at 11:43 AM
For anyone who wants to understand certificates better and how to spot abuse,
this is a great read
certcentral.org/training
November 13, 2025 at 3:12 PM
🦔 📹 Video: Analysis of malicious NordVPN setup
➡️ beginner-suitable
➡️ sorry, no spoilers here ;)

www.youtube.com/watch?v=5-OY...

#MalwareAnalysisForHedgehogs
Malware Analysis - Trojanized NordVPN Setup, Beginner Sample
YouTube video by MalwareAnalysisForHedgehogs
October 26, 2025 at 6:02 AM
I am looking for good resources for Linux malware analysis, including books and courses.
If you have any recommendations please let me know.
October 15, 2025 at 3:33 PM
My #VirusBulletin2025 loot 😍
I also met someone from vxunderground and all I got was this lousy sticker
September 30, 2025 at 12:20 PM
My colleague Banu wrote about the connection between AppSuite, OneStart and ManualFinder

www.gdatasoftware.com/blog/2025/09...
AppSuite, OneStart & ManualFinder: The Nexus of Deception
Having taken a look at AppSuite in one of our last articles, we have started pulling on a few loose threads to see where it would take us. It turns out that there are relationships with other maliciou...
September 17, 2025 at 2:30 AM
🦔 📹 New video: What breakpoints to set for unpacking malware?
➡️ Steps of unpacking stub
➡️ Breakpoint targets
➡️ VirtualAlloc from user to kernel mode

#MalwareAnalysisForHedgehogs #Unpacking
www.youtube.com/watch?v=fn8r...
Malware Theory - What breakpoints to set for unpacking
YouTube video by MalwareAnalysisForHedgehogs
September 8, 2025 at 7:12 AM
In light of the new course, I created a Discord server for MalwareAnalysisForHedgehogs to discuss malware analysis related topics.

You can join here--this is for every malware enthusiast, not only course members: discord.gg/3evhC4cj
Join the MalwareAnalysisForHedgehogs Discord server!
Check out the MalwareAnalysisForHedgehogs community on Discord: hang out with 3 other members and enjoy free voice and text chat.
September 2, 2025 at 6:55 AM
My intermediate level malware analysis course is there.
60% off for the next two weeks.

malwareanalysis-for-hedgehogs.learnworlds.com/course/inter...
Malware Analysis - Intermediate Level
Signature writing, deobfuscation, dynamic API resolving, syscalls, hooking, shellcode analysis and more
September 1, 2025 at 3:17 PM
This blog post about impostor certificates by @SquiblydooBlog is a gem and very relevant right now.

Or: How threat actors impersonate companies to obtain authenticode certificates for signing their malware.
And why revocation is important.

squiblydoo.blog/2024/05/13/i...
Impostor Certificates
It is common for malware to be signed with code signing certificates. How is this possible? Impostors receive the cert directly and sign malware. In this blog-post, we look at 100 certs used by Sol…
August 31, 2025 at 7:48 PM
IDA, why are you doing this?

I lost my work because IDA refused to save. I needed to reboot the system to get network connection again. Without network there is no licensing server available.
Surely there must be a better way to not lose work?
August 27, 2025 at 3:22 AM
These PDF editors are functional but each contains a backdoor

➡️https://virustotal.com/gui/file/fde67ba523b2c1e517d679ad4eaf87925c6bbf2f171b9212462dc9a855faa34b
bazaar.abuse.ch/sample/17355...

URLs
pdfreplace(dot)com
pdfmeta(dot)com
pdfartisan(dot)com
appsuites(dot)ai

#TamperedChef
August 20, 2025 at 3:15 PM