I wrote an article about SugarSMP Minecraft scams, Spark stealer, extortion and hacked accounts.

After a brief contact with the threat actor, we talked to two victims and followed the trail.

Analysis in collaboration with @rifteyy
#GDATATechblog #GDATA
https://blog.gdatasoftware.com/2026/03/38390-minecraft-mod-sugarsmp-malware

Minecraft: SugarSMP's Dark Tale of Scams, Malware & Extortion

Some Minecraft players were looking for safe haven away from griefers, but found an elaborate web of malware, deception and extortion.

New blog: Browser Hijacking techniques -- when malware has different preferences than you

https://www.gdatasoftware.com/blog/2025/11/38298-learning-about-browser-hijacking

#GDATA #GDATATechblog #BrowserHijacking

Browser Hijacking: Three Technique Studies

If you are searching for technical information on how browser hijacking works, there does not seem to be much out there apart from generic removal instructions. This might be an educational gap we should try and close.

Infected Steam game downloads malware disguised as patch

A 2D platformer game called BlockBlasters has recently started showing signs of malicious activity after a patch release on August 30. While the user is playing the game, various bits of information are lifted from the PC the game is running on - including crypto wallet data. Hundreds of users are potentially affected.

Backdoor in "AppSuite PDF Editor": A Detailed Technical Analysis

Some threat actors are bold enough to submit their own malware as false positive to antivirus companies and demand removal of the detection. This is exactly what happened with AppSuite PDF Editor.

🔍New Blog: JustAskJacky -- AI brings back classical trojan horse malware

https://www.gdatasoftware.com/blog/2025/08/38247-justaskjacky-ai-trojan-horse-comeback

#GDATA #GDATATechblog

JustAskJacky: AI brings back real trojan horse malware

Despite what some might make you believe, lately Trojan Horses were a rare breed in the malware zoo. But thanks to AI and LLMs, they are back.

A colleague and I wrote an article about EvilConwi -- signed ConnectWise remote access software being abused as malware
#GDATATechblog
https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware

Threat Actors abuse signed ConnectWise application as malware builder

Since March 2025, there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples. We reveal how bad signing practices allow threat actors to abuse this legitimate software to build and distribute their own signed malware and what security vendors can do to detect them.

I wrote how to use knowledge about .NET structures and streams for writing .NET Yara signatures.

E.g. IL code patterns, method signature definitions, GUIDs, compressed length

#GDATATechblog #100DaysOfYara
https://www.gdatasoftware.com/blog/2025/04/38145-yara-signatures-net-malware

100 Days of YARA: How to write .NET code signatures

If you write YARA signatures for .NET assemblies only relying on strings, you are seriously missing out. Learn what you can do to level up your YARA rules.

Karsten Hahn and I took a closer look at the latest #BBTok .NET loaders. In my first article on the #GDATATechblog we describe how to deobfuscate Trammy.dll and share new details about the BBTok infection chain.

https://www.gdatasoftware.com/blog/2024/09/38039-bbtok-deobfuscating-net-loader

@struppigel #GDATA

BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell

A complex infection chain and a targeted approach make BBTok a very challenging piece of malware to examine. Analysts Marius Benthin and Karsten Hahn were able to examine a critical part of the infection chain and describe its inner workings in this latest article.