Karsten Hahn

@struppigel@infosec.exchange
450 Followers
52 Following
64 Posts
Malware Analyst at G DATA. Ransomware hunter. he/him 🦔🌈🏳️‍⚧️
A colleague and I wrote an article about EvilConwi -- signed ConnectWise remote access software being abused as malware
#GDATATechblog
https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware
Threat Actors abuse signed ConnectWise application as malware builder

Since March 2025, there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples. We reveal how bad signing practices allow threat actors to abuse this legitimate software to build and distribute their own signed malware and what security vendors can do to detect them.

Virut part II: process infection and NTDLL hooking 🦔📹
➡️x64dbg scripting
➡️conditional breakpoints
➡️more import table resolving
➡️fixing control flow
➡️marking up hook code

#MalwareAnalysisForHedgehogs #Virut
https://www.youtube.com/watch?v=nuxnvjGgUQQ&lc=

Malware Analysis - Virut's NTDLL Hooking and Process Infection, Part 2


Blog: Printer company provided infected printer software for half a year.

➡️ XRed backdoor
➡️ SnipVex virus

Initially reported by the YouTuber "Serial Hobbyism"

https://www.gdatasoftware.com/blog/2025/05/38200-printer-infected-software-downloads

Procolored: Printer company serves malware for six months, claims "false positive" warnings

What do a coin stealer, an abandoned backdoor and a file infector have in common? They all resided in the download section on the website of a printer company - stowed away in installer files for drivers and utilities. We took a closer look.

🦔 📹New Video: Analysis of Virut - Part I
➡️ self-modifying code
➡️ Ghidra markup decryption stub
➡️ API resolving
➡️ unpacking
#MalwareAnalysisForHedgehogs
https://www.youtube.com/watch?v=250Bxe0qlQY
Malware Analysis - Virut, a polymorphic file infector


I wrote how to use knowledge about .NET structures and streams for writing .NET Yara signatures.

E.g. IL code patterns, method signature definitions, GUIDs, compressed length

#GDATATechblog #100DaysOfYara
https://www.gdatasoftware.com/blog/2025/04/38145-yara-signatures-net-malware

100 Days of YARA: How to write .NET code signatures

If you write YARA signatures for .NET assemblies only relying on strings, you are seriously missing out. Learn what you can do to level up your YARA rules.
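An added example of what the post is pointing at, written for this page and not taken from the blog article or from G DATA's rules: a YARA rule that uses the dotnet module plus raw byte patterns for the three structure types named above (IL opcodes, a method signature blob with its compressed length prefix, and a #GUID stream entry). The MVID value and the IL sequence are placeholders chosen for illustration, not observed in any sample.

```yara
import "dotnet"

// Added example, not from the post or the article. The GUID below and the IL
// sequence are placeholder assumptions; swap in values from the sample you analyse.
rule example_dotnet_structure_signature
{
    meta:
        description = "Matches a .NET assembly by MVID, a method signature blob and an IL opcode pattern"
        reference   = "https://www.gdatasoftware.com/blog/2025/04/38145-yara-signatures-net-malware"

    strings:
        // IL: ldstr <#US token 70xxxxxx> ; call <MemberRef token 0Axxxxxx> ; pop
        // Tokens change with every rebuild, so only the opcodes (0x72, 0x28, 0x26)
        // and the token table IDs (0x70 = #US heap, 0x0A = MemberRef) are fixed.
        $il_ldstr_call_pop = { 72 ?? ?? ?? 70 28 ?? ?? ?? 0A 26 }

        // #Blob heap entry for the method signature "instance string (string)":
        //   04        compressed length of the blob (4 bytes follow)
        //   20        calling convention: HASTHIS
        //   01        one parameter
        //   0E        return type  ELEMENT_TYPE_STRING
        //   0E        param 1 type ELEMENT_TYPE_STRING
        $sig_instance_string_string = { 04 20 01 0E 0E }

    condition:
        uint16(0) == 0x5A4D and
        dotnet.number_of_streams > 0 and
        // Module version ID from the #GUID stream; placeholder value, replace it.
        dotnet.number_of_guids > 0 and
        for any i in (0..dotnet.number_of_guids - 1) : (
            dotnet.guids[i] == "11111111-2222-3333-4444-555555555555"
        ) and
        $sig_instance_string_string and
        $il_ldstr_call_pop
}
```

The MVID condition is the strictest of the three (it survives renaming but not a rebuild), so drop it when hunting across a family and keep the IL and signature patterns, which depend only on what the code does.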

Podcast with @jstrosch and @psifertex about:
binary ninja, CTFs, AI, the future of cyber security

https://open.spotify.com/episode/6tMYu7g7P9LuMoehALiCsL

EP07 Jordan Wiens - Inside the Mind of a Binary Ninja: CTFs, AI and the Future of Cyber Security

Behind the Binary by Google Cloud Security · Episode


New video: Why antivirus software detects cracks as malware or PUP 🦔📹

#MalwareAnalysisForHedgehogs #cracks #antivirus
https://www.youtube.com/watch?v=KA7R9rt5r40

The real reason antivirus software detects cracks


🦔 📹 New Video: D3fack loader analysis

➡️ Inno Setup pascal script analysis
➡️ string deobfuscation with binary refinery
➡️ JPHP decompilation

Sample was first described by @RussianPanda9xx

https://www.youtube.com/watch?v=y09ZreJaWE0
#MalwareAnalysisForHedgehogs #D3fackLoader

Malware Analysis - D3f@ck loader from Inno Setup to JPHP


New Video: Why malware simulators cannot tell you if a malware or technique is detected by AV 🦔📹

(... unless they were specifically made for that product)

https://www.youtube.com/watch?v=yJZCY22Z-Lo

Malware Simulators cannot test Antivirus Software


New Video: Why Windows system files have wrong compile timestamps 🦔📹

#MalwareAnalysisForHedgehogs #Repro
https://youtu.be/8Q_cbAolKGg?si=34Wsq8XDWdzfar1H

Why you can't trust timestamps of Windows system files
