Older Articles
31 OCT 2017
I was sent a PHP script that was protected by PHPJiami which you can find here...
24 JUN 2017
I spent the past several months porting Converter to the .NET Framework and am...
25 MAY 2017
The constant barrage of malicious emails seeping into your users' inboxes appear...
2 MAY 2017
Another update to the exploit kit scene. There's been some changes but nothing very...
27 FEB 2017
It all started with a malicious RTF document attached to an email and a request...
5 NOV 2016
It's been awhile since I updated this; my apologies for the delay to those who have...
22 OCT 2016
Matt Decker from hybrid-cloudblog.com sent me this script he received via email...
15 OCT 2016
A PHP script was sent to me by reader Nuno who got this from a hacked Joomla website...
8 OCT 2016
I came across this nasty-looking script that hijacks your browser. It appears to...
30 SEP 2016
Several programs have been updated. You can find them on the Tools page...
22 JUN 2016
From various reports, it appears that the malicious Javascript files sent via email...
22 FEB 2016
Continuing from my last blog post, I updated the program to handle the latest...
21 FEB 2016
One of my readers, Stefano from zanna.it (thanks!), sent me this little gem...
15 FEB 2016
The purpose of this tool is to help you perform static analysis on obfuscated scripts...
6 FEB 2016
Here's one way to pack and unpack Javascript from the Windows command line...
9 JAN 2016
This program was originally written as a proof of concept but it turned out to work...
17 NOV 2015
Here's a challenge for you, what does this decode to...
21 OCT 2015
I saw this blog post by the smart guys over at Sucuri and thought that it was just...
20 OCT 2015
Just a quick update...I added a Javascript beautification feature...
16 OCT 2015
This particular spam page redirect was brought to my attention by a colleague...
3 OCT 2015
For the past two years, I've been involved with several cyber exercises and...
24 JUL 2015
I came across three interesting PHP scripts that were presumably dropped by the...
20 JUN 2015
The latest version includes several new features which I'd like to highlight here...
6 MAR 2015
There has been a slew of malicious Word documents attached to email purporting...
3 MAR 2015
Bart Blaze, one of my security researcher friends passed along this PHP script to...
15 FEB 2015
A colleague of mine received the following email in their Gmail in-box and...
13 DEC 2014
Added the following packs: Null Hole, "Hanjuan EK", "Archie EK", "Astrum EK"...
6 DEC 2014
The cybercriminals behind Poweliks implemented two clever techniques in...
26 NOV 2014
Cybercriminals are now stealing password managers so it's time to make them more...
2 NOV 2014
There's a lot of sites covering this vulnerability but I wanted to document some...
5 OCT 2014
No significant updates, just several enhancements and bug fixes to four tools...
23 SEP 2014
Back in 2011, I took a look at several tools used to deobfuscate Javascript...
12 SEP 2014
I recently read the Anti-Phishing Working Group's 2Q 2014 report and saw the number...
20 AUG 2014
Like many of you, I've been looking at the various NSA document leaks to see what...
25 JUL 2014
Added the following packs: RIG Exploit Kit, Niteris aka "CottonCastle", "Snet"...
11 JUL 2014
A reader sent me two PHP scripts because the PHP Converter program I wrote wasn't...
1 JUN 2014
Occasionally people send me PHP scripts to help them analyze it. Most of the time...
23 MAY 2014
VirusTotal is showing 0 out of 51 for RIG EK's SWFIE exploit. Here's a really quick...
12 MAY 2014
A new exploit pack has been marketed in the underground since last month and appears...
6 APR 2014
The "8x8" script I'm referring to includes a link that looks like this...
5 APR 2014
sorry this is so late. added the following packs: "Zuponcic", Infinity (aka "RedKit"...
5 APR 2014
I only stumbled on this at the middle so I don't know how this is being targeted...
25 MAR 2014
Here's another tool that you might find useful when analyzing potentially infected...
17 FEB 2014
The latest version includes several new features and bug fixes...
11 FEB 2014
The use of XOR encryption to keep anti-virus, web filters, and even researchers...
8 FEB 2014
Cybercriminals are constantly thinking up new ways to redirect unsuspecting visitors...
6 FEB 2014
I've been noticing obfuscated Javascript using a function that returns the deobfuscated...
30 JAN 2014
I've been researching that fake Adobe Flash update and Neutrino EK redirect that...
12 JAN 2014
While I was testing a Pinpoint update, I found a sneaky method to redirect...
9 JAN 2014
Exploit packs are normally set up on a hacker-controlled server. Compromised websites...
7 JAN 2014
"RedKit" was once a thriving exploit pack then faded away leaving behind artifacts...
2 JAN 2014
There are many times where I come across a drive-by download, especially malvertisements...
19 DEC 2013
"DotkaChef" (aka DotCache, DotCacheF) was discovered by Chris Wakelin...
1 DEC 2013
Added the following packs: White Lotus, CK Exploit Kit, “x2o Exploit Kit”, “Angler...
11 NOV 2013
Per a couple of readers' requests, I'll be covering how to deobfuscate Magnitude...
5 NOV 2013
The latest version of Converter includes changes to the menus and several new features...
12 OCT 2013
A reader wanted me to analyze a PHP file that was found on his hacked Wordpress site...
2 SEP 2013
The CK Exploit Kit has been around since 2012 and has its roots in the NetBoom...
29 AUG 2013
If you've been keeping up with Java exploits recently, you'll know that there's been...
4 AUG 2013
Added the following packs: “FlashPack”, “Topic Exploit Kit”, Silence Exploit, “Rawin...
27 JUL 2013
I've updated several of the tools. I hope you find the updates helpful...
18 JUL 2013
Recently, a reader passed on to me a very active TDS link that redirected users to...
4 JUL 2013
The use of JJEncode in a drive-by download has been around for a couple...
22 JUN 2013
Found this on an image site and didn’t see this elsewhere. This is both educational...
22 JUN 2013
I've been getting questions about how to use Revelo so this article will be a...
2 JUN 2013
I added several new features in this release to help you with reverse engineering...
11 MAY 2013
I've been studying RedKit for a long time and trying to understand its components...
25 APR 2013
Mila over at Contagio just released another fantastic update of her exploit pack...
15 APR 2013
In a recent spearphish campaign, a malicious Word document was used to infect the...
4 APR 2013
I saw a tweet from MalwareCrusaders earlier today about another obfuscated Java applet...
16 MAR 2013
Malicious Java applets have been making news for awhile so I thought I would update...
24 FEB 2013
Thank you to all of you for your feedback, patience, and support! It now has the...
23 FEB 2013
This is yet another drive-by that was challenging to find. It delivered payloads...
7 FEB 2013
This malicious script was found on a somewhat popular website. Trying to find these...
1 FEB 2013
Added the following packs: “SofosFO”, Red Dot, AnonJDB. I also moved packs around...
14 JAN 2013
Fellow researcher Denis Laskov shared the infection chain of a new exploit pack...
2 JAN 2013
Happy New Year! I finally finished developing and testing another version of Converter...
1 DEC 2012
Added the following packs: alphaPack, Vintage Pack, CritXPack, Serenity Exploit...
26 NOV 2012
Another new exploit pack has been found in the wild. This pack uses two interesting...
17 NOV 2012
If you've ever analyzed an exploit pack, you will often see a string of strange...
10 NOV 2012
Just a quick follow-up of an in-depth article from Denis Laskov which you can read...
1 NOV 2012
Someone just rigged an unsubscribe page with a Nice Pack drive-by! How cruel is...
23 OCT 2012
Added the following packs: “KaiXin Exploit Pack”, “Kein Exploit Pack”, Grandsoft...
1 OCT 2012
Over the past several months, I've been busy with various projects and helping...
13 SEP 2012
Earlier this year, the CrimeBoss exploit pack was released in beta form. An updated...
1 SEP 2012
Neosploit has been popping up every once and awhile, quietly infecting users without...
27 AUG 2012
Since everyone knows about this, I can finally share my piece. Here's the landing...
15 AUG 2012
A new exploit pack has recently appeared and is getting a decent amount of drive...
2 AUG 2012
A Korean news site was recently observed distributing malware. I thought it would...
30 JUL 2012
I was having a discussion with a non-security person and the topic turned to dangerous...
10 JUL 2012
I haven't seen a spear-phish campaign like this in awhile. This is a rather decent...
7 JUL 2012
When I encounter a drive-by download that involves a compromised host, there will...
24 JUN 2012
Here's an interesting script sent to me by a friend. This script was the first step...
4 JUN 2012
I got some feedback from some folks as well as trying out some new methods to improve...
1 JUN 2012
New ones added: Sweet Orange, “Red Kit”, “Gong Da Pack”, Styx, CrimeBoss. If anyone...
9 MAY 2012
In this release, I've made a couple of bug fixes. I'm also using a traditional...
2 MAY 2012
Thank you all for your support and feedback with the release of Revelo (finally...
1 MAY 2012
I mentioned a new tool I've been developing to help with Javascript deobfuscation...
17 APR 2012
I wanted to copy over some of my tools into a remote host via VPN. The remote host...
28 MAR 2012
If you're into malware analysis or incident response, I'm sure you've come across...
16 MAR 2012
Here's another update based on some recent real-world analysis I've done as well...
1 MAR 2012
Another week, another pack. But this one is using Dadong's JSXX 0.41 VIP...
13 FEB 2012
This set of exploits was found on a Chinese website by @switchingtoguns. It appears...
1 FEB 2012
New ones added: Jet Exploit, MassInfect, Impossible Sploit, Hierarchy Exploit Pack...
28 JAN 2012
There's another new exploit pack in town called Techno XPack. This one looks like...
27 JAN 2012
A new pack has emerged called Hierarchy Exploit Pack. Looks a lot like Eleonore...
12 JAN 2012
While it can be difficult to attribute exploit packs in many cases, I believe it's...
16 DEC 2011
Thank you all for your support in the release of the Converter tool! I received a...
15 DEC 2011
A new exploit pack is being used in the wild. This one was linked to malvertisements...
29 NOV 2011
There’s another new exploit pack making its round. Seems to be quite pervasive...
19 NOV 2011
PDFStreamDumper is a PDF analyzer developed by Sandsprite’s David Zimmer...
12 NOV 2011
A Chinese website contains malvertisement that leads to a few exploits including...
12 NOV 2011
Phishing appears to be on the decline but some phishers aren’t stopping and have...
9 NOV 2011
A suspicious email was received on 10/26/2011 and targeted a single, key...
27 OCT 2011
It's bad enough to get hit with one drive-by download...but two on one page...
26 OCT 2011
After a long hiatus, it appears that Neosploit may have come back to life! While...
22 OCT 2011
I normally come across straight-forward drive-by downloads. Due to some website...
8 OCT 2011
A popular movie website appears to be infecting unsuspecting visitors’ computers...
1 OCT 2011
added “Nuclear Pack” to most wanted section. there’s several new packs out there...
17 SEP 2011
Now that the BreakingPoint Systems contest is over and since several of you...
11 SEP 2011
One of the guys over at BreakingPoint Systems detailed a cool, new Javascript...
8 SEP 2011
I tracked this exploit pack back in November. Several months later, the pack...
1 SEP 2011
added Micro-Pack Exploit System and Punchy-Pack Exploit System...
27 AUG 2011
I've received a ton of requests for the Converter tool. I use this tool a lot...
26 AUG 2011
A reader sent in obfuscated Javascript code that he needed some help to...
17 AUG 2011
One of my favorite hacking resource sites appears to be hacked and possibly...
11 AUG 2011
The researchers over at Armorize identified a new technique some time ago called...
14 JUL 2011
Back in 2008, Dancho Danchev blogged about a Christmas-themed attack toolkit...
2 JUL 2011
i moved things around based on the year of its appearance...
24 JUN 2011
In the previous article, I manually deobfuscated three malicious scripts...
17 JUN 2011
Deobfuscating Javascript can be tricky so why not make the job easier by using a...
15 JUN 2011
ScriptKiddieSec broke the news about a new exploit pack called “Best Pack”...
14 JUN 2011
This is a new exploit pack that is being offered for free. It also goes by the name...
13 JUN 2011
Several readers sent me email asking how to decipher Javascript code without...
11 JUN 2011
There’s yet another malvertisement that leads to Black Hole. This campaign...
4 JUN 2011
Looks like Incognito got updated yet again. Let’s reverse the Javascript exploit...
1 JUN 2011
lots of requests to keep this going...send me updates here: sectek at live dot com...
28 MAY 2011
Normally when you visit a webpage that’s been compromised, you can find the malicious...
21 MAY 2011
The latest Facebook spam Javascript code was sent to me. Apparently there are...
20 MAY 2011
Some time ago, the Open Source Exploit Pack was released on some hacker forums...
15 MAY 2011
First off, many thanks go out to Paul for doing all of the legwork on this new...
13 MAY 2011
As the American Idol finale approaches, millions of people are keeping an eye...
11 MAY 2011
Yesterday I received this UPS email with a malicious zipped attachment...
10 MAY 2011
i got a lot of responses on my graphic so i’m posting an update with the feedback...
8 MAY 2011
Here’s yet another new kit but I don’t have much on this including whether this...
29 APR 2011
From the looks of it, the catholic.org site appears to have been compromised in...
27 APR 2011
There are many online Javascript encoder sites that enable you to obfuscate your...
23 APR 2011
Here we see a fake UPS email suggesting that a package has arrived...
22 APR 2011
The recently announced Adobe Flash 0day exploit (CVE-2011-0611) has been found...
19 APR 2011
since there seems to be a lot of interest in attack toolkits, i grabbed the logos...
14 APR 2011
The author(s) of the Yes Exploit System has quietly upgraded their kit to version...
11 APR 2011
This particular malvertisement shows that hackers are being a little more sneaky...
7 APR 2011
just wanted to put out a cyber security tip sheet i created for my company...
3 APR 2011
Looks like a new exploit kit is making its rounds. The seller is actually a service...
1 APR 2011
No, not at all but the Javascript code does look like it’s just trying to process...
27 MAR 2011
Some time ago, it was rumored that the ZeuS author gave his code to the SpyEye...
26 MAR 2011
A new exploit kit is being used though it doesn't seem as popular as Incognito...
03 MAR 2011
After posting the previous article on Incognito, I was told by a couple of people...
25 FEB 2011
Incognito is a relatively new exploit kit. It uses the following Javascript...
12 FEB 2011
I recently sat in on a presentation that discussed how a malicious program was...
31 JAN 2011
This post is the third and final entry of redirect scripts I wrote to test my...
22 JAN 2011
This post is the second part of my quest to test a Javascript Analyzer program I...
18 JAN 2011
A couple of months ago, I created a program that would analyze Javascript...
14 JAN 2011
Siberia Exploit Kit has been around for awhile but has been updated recently and...
11 JAN 2011
Websense put out a blog post late last year that shocked me and probably the rest...
2 JAN 2011
PandaLabs reported that 34% of all malware ever created has appeared in the last...
8 DEC 2010
Get a Windows binary build of Mozilla’s JavaScript 1.8.5 engine from the Tools...
7 DEC 2010
Deobfuscating malicious Javascript can be tricky at times. Luckily, there are...
4 DEC 2010
This obfuscated Javascript came from a new, unknown exploit kit. There's a large...
2 DEC 2010
Dragon Pack is a new exploit kit that has hit the hacker scene. It sports only...
29 NOV 2010
Testing web applications can be a frustrating experience especially when you keep...
26 NOV 2010
Hackers rely on Javascript like a carpenter relies on his hammer. Javascript is...
24 NOV 2010
On the eve of Thanksgiving Day, I followed the trail of a drive-by exploit which...
22 NOV 2010
I came across a new exploit pack called "Bleeding Life". This one has six exploits...
20 NOV 2010
Despite reports that the ZeuS author is getting out of the scene, hackers will...
16 NOV 2010
You can tell it's nearing the holidays as many of us start trading virtual greeting...
15 NOV 2010
Today, I came across a hacked website. Hackers apparently used an osCommerce...