Karsten Hahn

@[email protected]
495 Followers
77 Following
129 Posts
Malware Analyst at G DATA. Ransomware hunter. he/him 🦔🌈🏳️‍⚧️
Karsten HahnMar 24

My malware analysis courses have now a new certificate design.

https://malwareanalysis-for-hedgehogs.learnworlds.com/courses

Karsten HahnMar 23

Added a task for the SugarSMP spark stealer sample to samplepedia

https://samplepedia.cc/sample/060ed0ec27a0a4ad7b55425ed56d8ef0c55aa61b499d4884d1679f18d518ddf3/89/

Karsten HahnMar 17

I wrote an article about SugarSMP Minecraft scams, Spark stealer, extortion and hacked accounts.

After a brief contact to the threat actor, we talked to two victims and followed the trail.

Analysis in collaboration with @rifteyy
#GDATATechblog #GDATA
https://blog.gdatasoftware.com/2026/03/38390-minecraft-mod-sugarsmp-malware

Minecraft: SugarSMP's Dark Tale of Scams, Malware & Extortion

Some Minecraft players were looking for safe haven away from griefers, but found an elaborate web of malware, deception and extortion.

Karsten HahnMar 15
🦔 📹 Video: Building your own AI Malware Analysis Lab
➡️ old system, 16 GB RAM
➡️ using Remnux
#MalwareAnalysisForHedgehogs #LLM
https://www.youtube.com/watch?v=YOduz8VIvvw
Build your own AI Malware Analysis Lab with Remnux

YouTube
Show threadKarsten HahnMar 7

Sample: https://samplepedia.cc/sample/49660527c1c910ad2d3c5625c1b44682e465e45b65883dfc8d7d229d1bd0ebd8/87/

Related tweet: https://x.com/struppigel/status/2027765529600016471

PKG tool: https://github.com/struppigel/hedgehog-tools/tree/main/PKG

49660527c1c910ad2d3c5625c1b44682e465e45b65883dfc8d7d229d1bd0ebd8

Karsten HahnMar 7

🦔 📹 New video: NodeJs analysis when deobfuscator fails
➡️ #MythJs stealer sample
➡️ pkg VFS exploration tool
➡️ js-confuser

#MalwareAnalysisForHedgehogs
https://www.youtube.com/watch?v=gtLqrjsGRmQ

Malware Analysis - Deobfuscating NodeJs pkg packed stealer MythJs

YouTube
Karsten HahnMar 3

New blog: Using LLMs the right way for malware analysis

💡Tips for building an autonomous AI analysis lab on a 12 yo laptop and getting stuff done faster without loss of accuracy.

https://blog.gdatasoftware.com/2026/03/38381-llm-malware-analysis

Karsten HahnFeb 28

GuvercinInstaller.exe 1/72
#kurdishmyth stealer, NodeJS

➡️Infects discord_desktop_core\index.js
➡️Steals various browser and discord data.
➡️Exfiltrates via discord webhook.

The code references kurdishmyth and mythprivate

The wallet exfiltration webhook uses a photo of Abdullah Öcalan as its avatar image.

You will find the same malware family with this VT search query:

vhash:087076656d156d05655253z72zff7z11z23z13z93z12b4z11z behaviour_processes:"C:\\Windows\\system32\\cmd.exe /d /s /c \"taskkill /F /IM discord.exe\""

https://www.virustotal.com/gui/file/49660527c1c910ad2d3c5625c1b44682e465e45b65883dfc8d7d229d1bd0ebd8?nocache=1

Show threadKarsten HahnFeb 27

HijackLoader tools are here: https://github.com/struppigel/hedgehog-tools/tree/main/HijackLoader

Some of them currently only work for the sample we looked at, but I will likely update this.

Usually I only try to publish generic tools, but in this instance I found it useful to do that because of the malware's complexity

hedgehog-tools/HijackLoader at main · struppigel/hedgehog-tools

Contribute to struppigel/hedgehog-tools development by creating an account on GitHub.

GitHub
Karsten HahnFeb 26
We wrote about HijackLoader. Not exactly a new topic, but certainly an interesting journey.
It provides some tools for HijackLoader too.
https://blog.gdatasoftware.com/2026/02/38373-pivigames-spreads-hijackloader
Free Games, Costly Consequences, and Loads of Malware

The Spanish games platform PiviGames is being abused as a malware distribution hub. This was discovered after someone looked for help on Reddit.