My malware analysis courses now have a new certificate design.
https://malwareanalysis-for-hedgehogs.learnworlds.com/courses
Added a task for the SugarSMP spark stealer sample to samplepedia
https://samplepedia.cc/sample/060ed0ec27a0a4ad7b55425ed56d8ef0c55aa61b499d4884d1679f18d518ddf3/89/
New blog: Using LLMs the right way for malware analysis
💡Tips for building an autonomous AI analysis lab on a 12 yo laptop and getting stuff done faster without loss of accuracy.
https://blog.gdatasoftware.com/2026/03/38381-llm-malware-analysis
GuvercinInstaller.exe 1/72
#kurdishmyth stealer, NodeJS
➡️Infects discord_desktop_core\index.js
➡️Steals various browser and discord data.
➡️Exfiltrates via discord webhook.
The code references kurdishmyth and mythprivate
The wallet exfiltration webhook uses a photo of Abdullah Öcalan as its avatar image.
You will find the same malware family with this VT search query:
vhash:087076656d156d05655253z72zff7z11z23z13z93z12b4z11z behaviour_processes:"C:\\Windows\\system32\\cmd.exe /d /s /c \"taskkill /F /IM discord.exe\""
samplepedia.cc update:
You now have a new "My articles" overview (see profile dropdown menu), which allows you to add article drafts and manage articles.
You can decide to publish such a draft as a solution later.
Looks like the dev told an LLM to generate test files for a Shai Hulud detection app.
The LLM complied and generated malicious test files...
I created an extraction script for custom PyInstaller applications as seen in suspected EvilAI PDF apps.
Script (modified pyinstxtractor-ng): https://github.com/struppigel/hedgehog-tools/blob/main/PyInstaller%20mod/pyinstaller-mod-extractor-ng.py
#Samplepedia updates
* you can upload images for articles
* view count for samples and articles
* expert difficulty available