Deep Dive: LockBit 3.0 Builder and DLL Variants Analysis
Executive Summary
In September 2022, the LockBit 3.0 builder was leaked to the public, providing defenders with unprecedented access to the inner workings of one of the most prolific ransomware operations. In this analysis, I examine the builder’s architecture, binary generation process, and the lesser-known DLL variants that are rarely seen in the wild. My investigation reveals sophisticated anti-analysis techniques, flexible configuration options, and evidence of continuous investment in evasion capabilities. ...
Self-Deletion Techniques: Implementing Runtime Executable Removal in Rust
Executive Summary
Self-deletion is an anti-forensics technique in which a running executable removes its own file from disk after it has started, leaving fewer artifacts for responders to recover. The capability matters for red team operations, penetration testing, and understanding adversary tradecraft. Through my research into evasion techniques, I’ve implemented a robust self-deletion mechanism in Rust leveraging Windows API calls, published as an open-source tool for the security research community. The implementation demonstrates how threat actors achieve ephemeral execution: the malicious code keeps running from its in-memory image while no binary remains on disk for forensic analysis or incident response teams to image. Self-deletion removes only the file; the mapped image stays in process memory until the process exits, and Prefetch, Amcache and the NTFS USN journal still record that the executable existed and ran, which is where responders should look. ...
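A minimal version of the technique described above, added here as an illustration and not the author’s published tool: on Unix a running binary can simply be unlinked, because the kernel keeps the mapped inode alive, while on Windows the image file is locked against deletion, so the primary data stream is first renamed to an alternate data stream and the now-unlocked file is marked for deletion through SetFileInformationByHandle (the approach widely credited to LloydLabs’ delete-self-poc). The Windows branch uses hand-written kernel32 FFI declarations rather than a crate, and the stream name `:self_delete` is an arbitrary choice.

```rust
use std::io;
use std::path::{Path, PathBuf};

/// Unix: the directory entry goes away but the mapped inode survives until the last
/// mapping is dropped, so the running process is unaffected.
#[cfg(unix)]
fn delete_image(path: &Path) -> io::Result<()> {
    std::fs::remove_file(path)
}

/// Windows: rename the primary ::$DATA stream to an alternate stream, then set
/// FILE_DISPOSITION_INFO.DeleteFile on the default stream, which is no longer mapped.
#[cfg(windows)]
fn delete_image(path: &Path) -> io::Result<()> {
    use std::ffi::c_void;
    use std::os::windows::ffi::OsStrExt;
    type HANDLE = *mut c_void;
    const DELETE: u32 = 0x0001_0000;
    const FILE_SHARE_READ: u32 = 0x1;
    const OPEN_EXISTING: u32 = 3;
    const FILE_ATTRIBUTE_NORMAL: u32 = 0x80;
    const FILE_RENAME_INFO: u32 = 3; // FILE_INFO_BY_HANDLE_CLASS::FileRenameInfo
    const FILE_DISPOSITION_INFO: u32 = 4; // FILE_INFO_BY_HANDLE_CLASS::FileDispositionInfo
    #[link(name = "kernel32")]
    extern "system" {
        fn CreateFileW(name: *const u16, access: u32, share: u32, sa: *mut c_void,
                       disposition: u32, flags: u32, template: HANDLE) -> HANDLE;
        fn SetFileInformationByHandle(h: HANDLE, class: u32, info: *mut c_void, size: u32) -> i32;
        fn CloseHandle(h: HANDLE) -> i32;
    }
    let wide: Vec<u16> = path.as_os_str().encode_wide().chain(Some(0)).collect();
    let open = || -> io::Result<HANDLE> {
        let h = unsafe { CreateFileW(wide.as_ptr(), DELETE, FILE_SHARE_READ, std::ptr::null_mut(),
                                     OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, std::ptr::null_mut()) };
        if h as isize == -1 { Err(io::Error::last_os_error()) } else { Ok(h) }
    };
    // FILE_RENAME_INFO laid out by hand: { ReplaceIfExists/Flags: u32, RootDirectory: HANDLE,
    // FileNameLength: u32, FileName: [u16] }; pointer size decides the field offsets.
    let stream: Vec<u16> = ":self_delete".encode_utf16().collect(); // arbitrary ADS name
    let len_off = 2 * std::mem::size_of::<usize>(); // FileNameLength follows RootDirectory
    let name_off = len_off + 4;                     // FileName follows FileNameLength
    let mut info = vec![0u8; name_off + stream.len() * 2 + 2];
    info[len_off..len_off + 4].copy_from_slice(&((stream.len() * 2) as u32).to_le_bytes());
    for (i, w) in stream.iter().enumerate() {
        info[name_off + 2 * i..name_off + 2 * i + 2].copy_from_slice(&w.to_le_bytes());
    }
    let h = open()?;
    let ok = unsafe { SetFileInformationByHandle(h, FILE_RENAME_INFO, info.as_mut_ptr() as *mut c_void, info.len() as u32) };
    unsafe { CloseHandle(h) };
    if ok == 0 { return Err(io::Error::last_os_error()); }
    // Reopen by the same path: the mapped image now lives on the alternate stream, so the
    // default stream can be marked delete-on-close.
    let h = open()?;
    let mut delete: u8 = 1; // FILE_DISPOSITION_INFO { DeleteFile: BOOLEAN }
    let ok = unsafe { SetFileInformationByHandle(h, FILE_DISPOSITION_INFO, &mut delete as *mut u8 as *mut c_void, 1) };
    unsafe { CloseHandle(h) };
    if ok == 0 { Err(io::Error::last_os_error()) } else { Ok(()) }
}

/// Removes the calling process's own executable from disk and returns the path it removed.
/// The process keeps running from the already-mapped image.
pub fn self_delete() -> io::Result<PathBuf> {
    let me = std::env::current_exe()?;
    delete_image(&me)?;
    Ok(me)
}

fn main() {
    match self_delete() {
        Ok(p) => println!("removed {}", p.display()),
        Err(e) => eprintln!("self-delete failed: {}", e),
    }
}
```

Running the binary prints the path it removed and the process continues; on Windows a `dir` afterwards shows the file gone, while the Prefetch entry and USN journal records for it remain, which is the detection angle noted above.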
LockBit 3.0 Attack on Healthcare Provider - Case Study
Executive Summary
This analysis examines a LockBit 3.0 ransomware attack that targeted a mid-sized healthcare provider in August 2023. The attack resulted in the encryption of critical systems and exfiltration of patient data. The threat actors exploited an unpatched VPN vulnerability for initial access and leveraged built-in Windows tools for lateral movement.
Key Findings:
- Initial access via CVE-2023-XXXX (VPN vulnerability)
- Dwell time: 11 days
- Double extortion tactics employed
- 2.3TB of sensitive data exfiltrated
Attack Timeline
- Initial Access: August 4, 2023 - Exploitation of unpatched Fortinet VPN appliance
- Reconnaissance: August 4-10, 2023 - Network enumeration and credential harvesting
- Lateral Movement: August 10-13, 2023 - Spread to domain controllers and file servers
- Data Exfiltration: August 13-14, 2023 - 2.3TB uploaded to attacker infrastructure
- Encryption: August 15, 2023, 2:37 AM - Mass encryption event initiated
- Discovery: August 15, 2023, 6:15 AM - IT staff discovered encrypted systems and ransom note
Technical Analysis
Ransomware Strain
LockBit 3.0 (LockBit Black) - Latest variant featuring: ...
Process Hollowing (RunPE): The Most Popular AV Evasion Technique Implemented in Rust
Executive Summary
Process Hollowing, commonly known as RunPE, is among the most popular antivirus evasion techniques employed by modern malware: the loader starts a legitimate host process in a suspended state, unmaps its original image, writes the payload PE into the hollowed address space, points the main thread at the payload’s entry point and resumes it, so the malicious code runs under a trusted process name without its own file ever touching disk. Through my research and implementation in Rust, I’ve created a production-ready reflective loader that executes PE files entirely from memory, bypassing traditional file-based detection mechanisms. This technique has been observed in many malware families, including Zeus, Carberp, Emotet, and TrickBot, making it essential knowledge for both offensive and defensive security practitioners. ...
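As an added example, not the author’s loader, here is the mapping step a hollowing loader performs before `WriteProcessMemory`: a PE32+ file is laid out exactly as it must appear in the hollowed process, with the headers at offset 0 and every section copied from its file offset to its VirtualAddress, and the loader is handed the ImageBase and entry RVA it needs for `VirtualAllocEx` and `SetThreadContext`. The Windows process-manipulation calls themselves (`NtUnmapViewOfSection`, `VirtualAllocEx`, `WriteProcessMemory`, `SetThreadContext`, `ResumeThread`) and base-relocation processing are deliberately left out so the code runs offline; the sample PE is constructed inline and is not a real binary.

```rust
use std::convert::TryInto;
use std::io::{Error, ErrorKind, Result};

/// Read N bytes at `at`, failing (not panicking) on a truncated file.
fn rd<const N: usize>(b: &[u8], at: usize) -> Result<[u8; N]> {
    b.get(at..at + N)
        .and_then(|s| s.try_into().ok())
        .ok_or_else(|| Error::new(ErrorKind::UnexpectedEof, format!("short read at {:#x}", at)))
}

pub struct MappedImage {
    pub image_base: u64, // preferred load address: allocate here or relocate
    pub entry_rva: u32,  // thread context gets image_base + entry_rva
    pub image: Vec<u8>,  // SizeOfImage bytes, ready for WriteProcessMemory
}

/// Lay a PE32+ file out in memory: headers at 0, each section at its VirtualAddress.
pub fn map_pe32plus(file: &[u8]) -> Result<MappedImage> {
    let bad = |m: &str| Error::new(ErrorKind::InvalidData, m.to_string());
    if file.get(0..2) != Some(&b"MZ"[..]) {
        return Err(bad("missing MZ signature"));
    }
    let pe = u32::from_le_bytes(rd(file, 0x3C)?) as usize; // e_lfanew
    if file.get(pe..pe + 4) != Some(&b"PE\0\0"[..]) {
        return Err(bad("missing PE signature"));
    }
    let coff = pe + 4;
    let nsections = u16::from_le_bytes(rd(file, coff + 2)?) as usize;
    let opt_size = u16::from_le_bytes(rd(file, coff + 16)?) as usize;
    let opt = coff + 20;
    if u16::from_le_bytes(rd(file, opt)?) != 0x20B {
        return Err(bad("not a PE32+ image"));
    }
    let entry_rva = u32::from_le_bytes(rd(file, opt + 16)?);
    let image_base = u64::from_le_bytes(rd(file, opt + 24)?);
    let size_of_image = u32::from_le_bytes(rd(file, opt + 56)?) as usize;
    let size_of_headers = u32::from_le_bytes(rd(file, opt + 60)?) as usize;
    if size_of_image > 256 << 20 || entry_rva as usize >= size_of_image {
        return Err(bad("SizeOfImage or AddressOfEntryPoint out of range"));
    }
    let mut image = vec![0u8; size_of_image];
    let headers = file.get(..size_of_headers).ok_or_else(|| bad("SizeOfHeaders beyond file"))?;
    image.get_mut(..size_of_headers).ok_or_else(|| bad("headers exceed SizeOfImage"))?.copy_from_slice(headers);
    let mut sec = opt + opt_size; // first IMAGE_SECTION_HEADER, 40 bytes each
    for _ in 0..nsections {
        let va = u32::from_le_bytes(rd(file, sec + 12)?) as usize;
        let raw_size = u32::from_le_bytes(rd(file, sec + 16)?) as usize;
        let raw_ptr = u32::from_le_bytes(rd(file, sec + 20)?) as usize;
        let raw_end = raw_ptr.checked_add(raw_size).ok_or_else(|| bad("raw range overflow"))?;
        let src = file.get(raw_ptr..raw_end).ok_or_else(|| bad("section raw data beyond file"))?;
        let va_end = va.checked_add(raw_size).ok_or_else(|| bad("VA range overflow"))?;
        let dst = image.get_mut(va..va_end).ok_or_else(|| bad("section beyond SizeOfImage"))?;
        dst.copy_from_slice(src);
        sec += 40;
    }
    Ok(MappedImage { image_base, entry_rva, image })
}

/// Constructed sample: a minimal 64-bit PE with one .text section holding a single RET.
pub fn sample_pe() -> Vec<u8> {
    let mut f = vec![0u8; 0x400];
    f[0..2].copy_from_slice(b"MZ");
    f[0x3C..0x40].copy_from_slice(&0x40u32.to_le_bytes()); // e_lfanew
    f[0x40..0x44].copy_from_slice(b"PE\0\0");
    let coff = 0x44;
    f[coff..coff + 2].copy_from_slice(&0x8664u16.to_le_bytes()); // Machine: AMD64
    f[coff + 2..coff + 4].copy_from_slice(&1u16.to_le_bytes()); // NumberOfSections
    f[coff + 16..coff + 18].copy_from_slice(&240u16.to_le_bytes()); // SizeOfOptionalHeader
    f[coff + 18..coff + 20].copy_from_slice(&0x22u16.to_le_bytes()); // EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    let opt = coff + 20;
    f[opt..opt + 2].copy_from_slice(&0x20Bu16.to_le_bytes()); // PE32+
    f[opt + 16..opt + 20].copy_from_slice(&0x1000u32.to_le_bytes()); // AddressOfEntryPoint
    f[opt + 24..opt + 32].copy_from_slice(&0x1_4000_0000u64.to_le_bytes()); // ImageBase
    f[opt + 32..opt + 36].copy_from_slice(&0x1000u32.to_le_bytes()); // SectionAlignment
    f[opt + 36..opt + 40].copy_from_slice(&0x200u32.to_le_bytes()); // FileAlignment
    f[opt + 56..opt + 60].copy_from_slice(&0x2000u32.to_le_bytes()); // SizeOfImage
    f[opt + 60..opt + 64].copy_from_slice(&0x200u32.to_le_bytes()); // SizeOfHeaders
    let sec = opt + 240;
    f[sec..sec + 5].copy_from_slice(b".text");
    f[sec + 8..sec + 12].copy_from_slice(&1u32.to_le_bytes()); // VirtualSize
    f[sec + 12..sec + 16].copy_from_slice(&0x1000u32.to_le_bytes()); // VirtualAddress
    f[sec + 16..sec + 20].copy_from_slice(&0x200u32.to_le_bytes()); // SizeOfRawData
    f[sec + 20..sec + 24].copy_from_slice(&0x200u32.to_le_bytes()); // PointerToRawData
    f[sec + 36..sec + 40].copy_from_slice(&0x6000_0020u32.to_le_bytes()); // CODE | EXECUTE | READ
    f[0x200] = 0xC3; // ret
    f
}
```

Every offset is bounds-checked and the parser refuses truncated input; a real loader additionally walks the `.reloc` table when `VirtualAllocEx` cannot obtain ImageBase, and a detection engineer can reuse the same layout to compare a process's mapped image against its on-disk file, which is how hollowed processes are typically spotted.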
Steganography in Cyber Attacks: Hiding Malware in Plain Sight
Executive Summary
Steganography, the art of concealing information within seemingly innocuous carriers, has evolved from ancient wartime communication into a sophisticated cyber evasion technique. In my research analyzing modern threat actor campaigns, I’ve observed a significant uptick in steganography-based attacks, with threat groups leveraging image, audio, and document files to hide malicious payloads and command-and-control (C2) communications. This analysis examines the technical mechanics of steganographic attacks, documents APT usage patterns, and provides actionable detection methodologies. ...
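An added example, not from the original analysis, of the simplest image technique the summary refers to and of one detection method for it: LSB replacement writes payload bits into the least significant bit of each 8-bit sample (grayscale pixels or one colour channel), and the pairs-of-values chi-square test of Westfeld and Pfitzmann detects it because replacement can only move a sample between the values 2k and 2k+1, which drives those two counts toward equality. The cover and the payload below are constructed so the example runs offline.

```rust
/// Embed `payload` into the LSB of each sample, preceded by a 32-bit big-endian length.
/// Returns None when the cover lacks capacity (one bit per sample).
pub fn lsb_embed(cover: &[u8], payload: &[u8]) -> Option<Vec<u8>> {
    if payload.len() > u32::MAX as usize || 32 + payload.len() * 8 > cover.len() {
        return None;
    }
    let mut stego = cover.to_vec();
    let header = (payload.len() as u32).to_be_bytes();
    let mut pos = 0;
    for byte in header.iter().chain(payload.iter()) {
        for shift in (0..8).rev() {
            stego[pos] = (stego[pos] & 0xFE) | ((byte >> shift) & 1);
            pos += 1;
        }
    }
    Some(stego)
}

/// Reassemble `n` bytes from the LSBs of the samples starting at `first`.
fn lsb_bytes(stego: &[u8], first: usize, n: usize) -> Option<Vec<u8>> {
    let samples = stego.get(first..first + n * 8)?;
    Some(samples.chunks(8).map(|c| c.iter().fold(0u8, |acc, s| (acc << 1) | (s & 1))).collect())
}

/// Inverse of `lsb_embed`; None if the length header points past the end of the buffer.
pub fn lsb_extract(stego: &[u8]) -> Option<Vec<u8>> {
    let hdr = lsb_bytes(stego, 0, 4)?;
    let len = u32::from_be_bytes([hdr[0], hdr[1], hdr[2], hdr[3]]) as usize;
    lsb_bytes(stego, 32, len)
}

/// Pairs-of-values statistic: sum over k of (n[2k] - n[2k+1])^2 / (n[2k] + n[2k+1]).
/// A compressed or encrypted payload has ~50% one bits, so after embedding each pair's
/// counts are nearly equal and the statistic collapses compared with the untouched cover.
pub fn pov_chi_square(samples: &[u8]) -> f64 {
    let mut hist = [0u64; 256];
    for &s in samples {
        hist[s as usize] += 1;
    }
    (0..128)
        .map(|k| {
            let (a, b) = (hist[2 * k] as f64, hist[2 * k + 1] as f64);
            if a + b == 0.0 { 0.0 } else { (a - b) * (a - b) / (a + b) }
        })
        .sum()
}

/// Constructed cover: 4096 samples in which every value pair (2k, 2k+1) is entirely even or
/// entirely odd, an exaggerated form of the pair imbalance real images show.
pub fn sample_cover() -> Vec<u8> {
    (0..4096usize).map(|i| (2 * (i % 128) + usize::from(i % 4 == 0)) as u8).collect()
}

/// Constructed payload: xorshift32 output standing in for an encrypted second stage.
pub fn sample_payload(n: usize) -> Vec<u8> {
    let mut x: u32 = 0x9E37_79B9;
    (0..n).map(|_| { x ^= x << 13; x ^= x >> 17; x ^= x << 5; (x >> 24) as u8 }).collect()
}

fn main() {
    let cover = sample_cover();
    let stego = lsb_embed(&cover, &sample_payload(508)).unwrap();
    println!("chi-square cover {:.1} vs stego {:.1}", pov_chi_square(&cover), pov_chi_square(&stego));
}
```

The cover scores exactly 4096 (128 pairs, each contributing 32) and the filled stego buffer scores around 128, so a threshold well below the cover's value flags it. The test is only sensitive to sequential replacement of a large fraction of the samples; adaptive or randomly scattered embedding, which the campaigns above tend to use, needs the RS or sample-pair estimators rather than this histogram test.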
Reverse Engineering Pandora Ransomware: Unpacking Advanced Obfuscation
Executive Summary
Pandora ransomware emerged in February 2022 as a sophisticated threat employing double extortion tactics against corporate networks. Through my reverse engineering analysis, I’ve uncovered multiple layers of advanced anti-analysis techniques that place Pandora above the typical ransomware threat. The malware uses modified UPX packing, control-flow flattening, dynamic string decryption, and a multi-threaded encryption engine leveraging Windows I/O Completion Ports, techniques more commonly seen in nation-state malware than commodity ransomware. ...
BlueKeep: The Wormable RDP Vulnerability Dominating the Threat Landscape
Executive Summary
CVE-2019-0708, known as BlueKeep, continues to dominate the exploitation landscape five years after its disclosure. Despite widespread awareness and available patches, my research shows this wormable Remote Desktop Protocol (RDP) vulnerability remains the most actively exploited vector in the wild. The vulnerability affects millions of legacy Windows systems (Windows 7, Windows Server 2008 R2 and earlier; Windows 8 and later are not affected) and enables unauthenticated remote code execution wherever Network Level Authentication is not enforced, making it a critical threat to organizations worldwide.
Key Findings:
- BlueKeep exploitation attempts increased 73% year-over-year in my honeypot data
- 1.2+ million internet-facing vulnerable systems remain unpatched globally
- Wormable nature enables self-replicating attacks across networks
- Primary vector for initial access in 34% of observed ransomware incidents
- A use-after-free in termdd.sys, triggered when a client binds the internal MS_T120 virtual channel a second time, enables pre-authentication RCE
- Metasploit weaponization lowered exploitation barrier significantly
Why BlueKeep Remains #1 in the Wild
The Perfect Storm of Exploitability
Through my monitoring of threat actor forums and honeypot deployments, BlueKeep consistently emerges as the preferred initial access vector. Several factors contribute to its continued dominance: ...
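An added example, not part of the original post, of the check the MS_T120 finding implies for detection: a legitimate RDP client never lists MS_T120 in the clientNetworkData (TS_UD_CS_NET) block of its MCS Connect-Initial, because the server binds that channel internally, whereas BlueKeep exploits and scanners request it explicitly. The parser walks the client user-data blocks as laid out in MS-RDPBCGR (TS_UD_HEADER `type`/`length` as little-endian u16, then `channelCount` as u32 and 12-byte CHANNEL_DEF entries of an 8-byte NUL-padded name plus 4 option bytes) and applies the rule; the sample user data is constructed inline.

```rust
const CS_NET: u16 = 0xC003; // TS_UD_CS_NET block type
const MAX_STATIC_CHANNELS: usize = 31; // per MS-RDPBCGR, channelCount may not exceed 31

fn le16(b: &[u8], at: usize) -> Option<u16> {
    Some(u16::from_le_bytes([*b.get(at)?, *b.get(at + 1)?]))
}

fn le32(b: &[u8], at: usize) -> Option<u32> {
    Some(u32::from_le_bytes([*b.get(at)?, *b.get(at + 1)?, *b.get(at + 2)?, *b.get(at + 3)?]))
}

/// Static virtual channel names the client requested, in order, or None when no
/// well-formed CS_NET block is present (truncated or malformed input is not trusted).
pub fn requested_channels(user_data: &[u8]) -> Option<Vec<String>> {
    let mut off = 0;
    while off + 4 <= user_data.len() {
        let kind = le16(user_data, off)?;
        let len = le16(user_data, off + 2)? as usize; // length includes the 4-byte header
        if len < 4 || off + len > user_data.len() {
            return None;
        }
        if kind == CS_NET {
            let block = &user_data[off..off + len];
            let count = le32(block, 4)? as usize;
            if count > MAX_STATIC_CHANNELS || 8 + count * 12 > block.len() {
                return None;
            }
            let names = (0..count)
                .map(|i| {
                    let name = &block[8 + i * 12..8 + i * 12 + 8];
                    let end = name.iter().position(|&c| c == 0).unwrap_or(8);
                    String::from_utf8_lossy(&name[..end]).into_owned()
                })
                .collect();
            return Some(names);
        }
        off += len;
    }
    None
}

/// Detection rule: any client-requested channel named MS_T120 is an exploitation or
/// scanning attempt for CVE-2019-0708. The comparison is case-insensitive as a
/// conservative choice for a signature.
pub fn requests_ms_t120(user_data: &[u8]) -> bool {
    requested_channels(user_data)
        .map_or(false, |names| names.iter().any(|n| n.eq_ignore_ascii_case("MS_T120")))
}

/// Constructed client user data: a TS_UD_CS_SECURITY block followed by a TS_UD_CS_NET
/// block naming `channels` (each at most 7 ASCII characters, NUL padded to 8 bytes).
pub fn sample_user_data(channels: &[&str]) -> Vec<u8> {
    let mut ud = Vec::new();
    ud.extend_from_slice(&0xC002u16.to_le_bytes()); // CS_SECURITY
    ud.extend_from_slice(&12u16.to_le_bytes());
    ud.extend_from_slice(&[0u8; 8]); // encryptionMethods, extEncryptionMethods
    ud.extend_from_slice(&CS_NET.to_le_bytes());
    ud.extend_from_slice(&((8 + channels.len() * 12) as u16).to_le_bytes());
    ud.extend_from_slice(&(channels.len() as u32).to_le_bytes());
    for name in channels {
        let mut def = [0u8; 12];
        def[..name.len()].copy_from_slice(name.as_bytes());
        def[8..].copy_from_slice(&0x8000_0000u32.to_le_bytes()); // CHANNEL_OPTION_INITIALIZED
        ud.extend_from_slice(&def);
    }
    ud
}

fn main() {
    let probe = sample_user_data(&["rdpdr", "MS_T120"]);
    println!("channels {:?} -> bluekeep attempt: {}", requested_channels(&probe), requests_ms_t120(&probe));
}
```

The check only works where the MCS exchange is visible in the clear, that is on sessions using standard RDP security; with TLS or NLA the Connect-Initial travels inside TLS, so a passive sensor sees nothing and the rule has to run on the host or on a TLS-terminating gateway. Enforcing NLA remains the mitigation the advisory recommends alongside patching.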