// security research & red team notes

Penetration Tester
Security Researcher

Documenting offensive security research, red team tradecraft, and privacy analysis. All operations are authorized. All findings are disclosed responsibly.

Posts 12
Tools 3
CVEs
Certs OSCP · CRTO
┌──(ghostwirez@sec)-[~/blog]
└─$ cat latest_posts.txt
12 Posts Published
3 Open Source Tools
6 Research Areas
Last Updated 2026
// latest posts
★ pinned
One Company Owns Your VPN, Your Backup VPN, and the Website That Told You to Use Both

DOJ charged three former US intelligence operatives over spyware work for the UAE. One of them was ExpressVPN's CIO, and the news broke one day after Kape bought ExpressVPN for $936M. The adware company that now holds the keys to your traffic.

Anti-Forensics 101: File Timestamp Manipulation

Timestamps are just metadata — and metadata is incredibly easy to manipulate. Understanding $STANDARD_INFORMATION vs $FILE_NAME and why clumsiness leaves more evidence than doing nothing.

Anti-Forensics 101: Data Wiping

Deleting a file doesn't make it disappear. On HDDs the data stays until overwritten. On modern SSDs with TRIM + encryption, it's usually gone for good. The real story is more nuanced.

Inside Predictive Surveillance: How They Watch Before You Act

Surveillance no longer asks "what did you do?" It asks "what will you do?" Your behavioral fingerprint predicts and pre-judges you before you've acted.

When npm install Gets You Hacked: Famous Chollima Job Scam Simulation

North Korean APT weaponizing fake GitHub job repos. A red team simulation of the full chain — social engineering, XOR-encrypted payloads, and silent C2 via npm postinstall.

FileFix: Launching PowerShell via the File Explorer Address Bar

A social engineering technique that tricks victims into pasting a disguised PowerShell command into File Explorer. No exploits. No admin rights. Just OS trust and bad habits.

How to Hijack a Windows System with Nothing but Built-in Tools

Multi-stage HTA phishing simulation using only native Windows binaries. No implants, no custom executables — just mshta.exe, WScript, PowerShell, and registry persistence.

// all posts

Blog

Writing mostly because I 'love' it. Research notes, techniques, and deep dives into offensive security and privacy.

// research index
One Company Owns Your VPN, Your Backup VPN, and the Website That Told You to Use Both

Kape Technologies — formerly Crossrider adware — now owns ExpressVPN, PIA, CyberGhost, and the review sites that rank them.

Anti-Forensics 101: File Timestamp Manipulation

$SI vs $FN attributes, 100-nanosecond timestamp precision, double timestomping, and why the MFT sequence number exposes you anyway.
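The $SI vs $FN comparison and the "clumsiness leaves evidence" point from the timestamp post, as an added worked example (this is not the blog's own tooling). It runs the two per-record checks an examiner applies first ($SI creation earlier than $FN creation, and zeroed sub-second fields from tools that set whole seconds) plus a cross-record heuristic on MFT entry ordering restricted to never-reused entries. The records are constructed, not parsed from a real $MFT; the FILETIME helper and field names are this example's own.

```python
"""Timestomping indicators from $STANDARD_INFORMATION vs $FILE_NAME.

Added illustration, not the blog's tooling. Records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100-ns intervals


def filetime(year, month, day, hour=0, minute=0, second=0, micro=0) -> int:
    """Build an NTFS FILETIME (100-ns ticks since 1601-01-01 UTC)."""
    delta = datetime(year, month, day, hour, minute, second, micro,
                     tzinfo=timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


@dataclass
class Times:
    created: int
    modified: int


@dataclass
class Record:
    entry: int   # MFT record number
    seq: int     # MFT sequence number; 1 = entry never reused
    name: str
    si: Times    # $STANDARD_INFORMATION: settable from user mode via SetFileTime
    fn: Times    # $FILE_NAME: written by the kernel on create/rename/move


def timestomp_indicators(rec: Record) -> list[str]:
    """Per-record checks that need nothing but the two attribute sets."""
    hits = []
    # $FN is set at creation and SetFileTime never touches it, so a $SI
    # creation time earlier than $FN creation is a fabrication.
    if rec.si.created < rec.fn.created:
        hits.append("SI_CREATED_BEFORE_FN")
    # Tools that accept whole seconds leave the low seven digits zero;
    # genuine writes land on an arbitrary 100-ns tick.
    for label, ticks in (("CREATED", rec.si.created), ("MODIFIED", rec.si.modified)):
        if ticks % TICKS_PER_SECOND == 0:
            hits.append(f"SI_{label}_ZERO_SUBSECOND")
    return hits


def entry_order_anomalies(records: list[Record]) -> list[str]:
    """Cross-record heuristic: NTFS hands out never-used MFT entries in
    increasing order, so among seq == 1 entries creation time rises with
    entry number. A record whose $SI creation predates the $FN creation of
    a lower-numbered never-reused entry was stomped. Reused entries (seq > 1)
    are skipped because they break the ordering legitimately."""
    flagged = []
    latest_fn_created = None
    for rec in sorted(records, key=lambda r: r.entry):
        if rec.seq != 1:
            continue
        if latest_fn_created is not None and rec.si.created < latest_fn_created:
            flagged.append(rec.name)
        if latest_fn_created is None or rec.fn.created > latest_fn_created:
            latest_fn_created = rec.fn.created
    return flagged


# Constructed sample: one stomped file among ordinary ones.
SAMPLE = [
    Record(40, 1, "report.docx",
           si=Times(filetime(2024, 3, 1, 10, 15, 32, 123000), filetime(2024, 3, 1, 10, 20, 5, 448000)),
           fn=Times(filetime(2024, 3, 1, 10, 15, 32, 123000), filetime(2024, 3, 1, 10, 15, 32, 123000))),
    Record(41, 1, "invoice.pdf",
           si=Times(filetime(2024, 3, 2, 9, 1, 7, 990000), filetime(2024, 3, 2, 9, 1, 7, 990000)),
           fn=Times(filetime(2024, 3, 2, 9, 1, 7, 990000), filetime(2024, 3, 2, 9, 1, 7, 990000))),
    # $SI pushed back to a round second in 2023; $FN still says March 2024.
    Record(42, 1, "updater.exe",
           si=Times(filetime(2023, 1, 1), filetime(2023, 1, 1)),
           fn=Times(filetime(2024, 3, 5, 14, 2, 11, 556000), filetime(2024, 3, 5, 14, 2, 11, 556000))),
    # Reused entry (seq 2): newer than higher-numbered entries, legitimately.
    Record(39, 2, "temp.log",
           si=Times(filetime(2024, 4, 1, 8, 0, 3, 210000), filetime(2024, 4, 1, 8, 0, 3, 210000)),
           fn=Times(filetime(2024, 4, 1, 8, 0, 3, 210000), filetime(2024, 4, 1, 8, 0, 3, 210000))),
]


def analyze(records: list[Record]) -> dict[str, list[str]]:
    """Merge both checks into {name: [indicators]}."""
    report = {r.name: timestomp_indicators(r) for r in records}
    for name in entry_order_anomalies(records):
        report[name].append("CREATED_BEFORE_LOWER_MFT_ENTRY")
    return report


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE).items():
        print(f"{name:14} {', '.join(hits) or 'clean'}")
```

The ordering heuristic is deliberately conservative: it only ever compares against kernel-written $FN times of lower entries, so a neighbour whose $FN was also pushed back produces fewer flags, never false ones. Double timestomping ($FN rewritten via a move) defeats the first check but not this one, which is the point the post makes about MFT numbering.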

Anti-Forensics 101: Data Wiping

shred, cipher /w, hdparm Secure Erase, and why physical destruction is the only guarantee at high threat models.

Inside Predictive Surveillance: How They Watch Before You Act

Behavioral fingerprinting, correlation pipelines, and how opting out itself becomes a flag.

Social Graph Reconstruction

Why metadata beats content. How connection graphs expose power dynamics, leadership, and identity — even without reading a single message.

There's No Perfect Private Email

Proton, Tuta, SimpleLogin, self-hosted — every option has a different threat surface. Understanding what each actually protects.

When npm install Gets You Hacked: Famous Chollima Simulation

North Korean APT job scam methodology — malicious postinstall scripts, XOR-encrypted Python reverse shells, C++ C2 listener. Full chain documented.

FileFix: PowerShell via File Explorer Address Bar

A ClickFix variant. Phishing page that copies a hidden PowerShell command to clipboard, disguised as a file path. Zero exploits, zero footprint until execution.

Hijacking Windows with Only Built-in Tools

HTA → VBScript → hidden PowerShell → registry persistence. A full multi-stage attack chain using zero custom binaries. MITRE ATT&CK techniques documented.
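The defender's side of the FileFix and built-in-tools chains above, as an added example rather than code from either post: process-ancestry rules that flag explorer.exe handing a pasted command to PowerShell, any PowerShell with mshta.exe in its ancestry, and a Run-key write descending from that chain. The events are constructed in the shape of Sysmon Event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine); no real telemetry, hosts or URLs are involved, and the rule names and ATT&CK tags are this example's own.

```python
"""Process-ancestry rules for FileFix and the mshta -> wscript -> PowerShell
chain. Added illustration; events below are constructed, not captured."""
from __future__ import annotations

import re

POWERSHELL = {"powershell.exe", "pwsh.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
HIDDEN_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|enc(odedcommand)?\b)", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: dict) -> list[str]:
    """Image names from the parent upward; stops at unknown or cyclic pids."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        chain.append(image_name(cur["image"]))
    return chain


def detect(events: list[dict]) -> list[tuple[str, int]]:
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = image_name(e["image"])
        parents = ancestors(e["pid"], by_pid)
        if img in POWERSHELL and parents[:1] == ["explorer.exe"]:
            # FileFix: the shell itself launched PowerShell from a pasted "path".
            # Hidden/encoded flags make it a strong signal (T1059.001).
            strength = "strong" if HIDDEN_FLAGS.search(e["cmdline"]) else "weak"
            alerts.append((f"FILEFIX_EXPLORER_SPAWNED_POWERSHELL_{strength}", e["pid"]))
        if img in POWERSHELL and "mshta.exe" in parents:
            # HTA -> script host -> PowerShell (T1218.005 -> T1059.005 -> T1059.001)
            via = " -> ".join(reversed(parents[:parents.index("mshta.exe") + 1]))
            alerts.append((f"HTA_CHAIN[{via} -> {img}]", e["pid"]))
        if RUN_KEY.search(e["cmdline"]) and "mshta.exe" in parents:
            # Persistence written by a descendant of the HTA chain (T1547.001)
            alerts.append(("RUN_KEY_PERSISTENCE", e["pid"]))
    return alerts


# Constructed events: one FileFix launch, one HTA chain, one legitimate admin shell.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "Start-Process calc" # C:\company\internal-secure\HRPolicy.docx'},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\Downloads\invoice.hta"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\s.vbs"},
    {"pid": 320, "ppid": 310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"pid": 330, "ppid": 320, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\u\AppData\Local\Temp\s.vbs"},
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 400, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Service"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The rules key on ancestry rather than on command-line strings because the chains above use nothing but signed Windows binaries; the only thing that distinguishes them from an administrator's PowerShell (pid 400 here) is who started them. The Run-key rule is scoped to descendants of mshta.exe on purpose, since reg.exe writing to Run on its own is routine.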

// open source arsenal


Custom security tools built for red team operations and research. All open source. Use responsibly.

// tool index
Evasion & Anti-Analysis Detector
Python

Red-team focused PE analysis tool that detects evasion techniques, anti-analysis patterns, and suspicious characteristics in Windows executables. Detects direct syscall patterns, API hashing, RWX sections, reflective DLL loaders, AMSI bypass patterns, and ETW patching indicators with weighted risk scoring.

PE Analysis Evasion Detection Anti-Analysis Risk Scoring
GitHub →
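One of the checks listed for the detector above (RWX sections), worked through as an added example that is not the tool's own code: a section-table walk over a PE image that flags writable-and-executable sections, executable sections with no data on disk, and code sections with unusual names, with a weighted score of the kind the tool description mentions. The two images are constructed header skeletons built by a helper in this example (not runnable programs), and the weights and rule names are illustrative choices.

```python
"""Section-table triage for Windows PE files. Added illustration, not the
detector's code; the sample images are constructed header skeletons."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
USUAL_CODE_NAMES = {".text", ".code", "CODE", "INIT"}
WEIGHTS = {"RWX_SECTION": 40, "EXEC_NO_RAW_DATA": 30, "ODD_CODE_SECTION_NAME": 10}


def section_headers(pe: bytes) -> list:
    """Walk DOS header -> e_lfanew -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    number_of_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_optional
    sections = []
    for i in range(number_of_sections):
        f = SECTION_HEADER.unpack_from(pe, table + i * SECTION_HEADER.size)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": f[1],
            "raw_size": f[3],
            "characteristics": f[9],
        })
    return sections


def scan_sections(pe: bytes):
    """Return (score, [(finding, section_name), ...]); score is capped at 100."""
    findings = []
    for s in section_headers(pe):
        c = s["characteristics"]
        executable = bool(c & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
        # Writable and executable at once: self-modifying code or a region
        # reserved to unpack a payload into; rare in compiler output.
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("RWX_SECTION", s["name"]))
        # Executable but empty on disk: it gets filled at runtime.
        if executable and s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(("EXEC_NO_RAW_DATA", s["name"]))
        if executable and s["name"] not in USUAL_CODE_NAMES:
            findings.append(("ODD_CODE_SECTION_NAME", s["name"]))
    score = min(100, sum(WEIGHTS[f] for f, _ in findings))
    return score, findings


def build_pe(sections) -> bytes:
    """Assemble a minimal PE32 header skeleton (constructed test input only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xE0  # PE32 optional header; contents irrelevant here
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    table = b"".join(
        SECTION_HEADER.pack(name.encode().ljust(8, b"\0"), vsize, va, raw, 0x400,
                            0, 0, 0, 0, chars)
        for name, vsize, va, raw, chars in sections)
    return dos + b"PE\0\0" + coff + b"\0" * size_of_optional + table


BENIGN = build_pe([
    (".text", 0x1000, 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x200, 0x2000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
SUSPICIOUS = build_pe([
    (".text", 0x1000, 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".stage", 0x4000, 0x2000, 0, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, image in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        score, findings = scan_sections(image)
        print(f"{label}: score={score} findings={findings}")
```

Point it at a real file with `scan_sections(open(path, "rb").read())`; the parser only reads the section table, so packed or malformed images that break full PE loaders still get triaged. A section-flag check is one weak signal, which is why the weights add up rather than any single hit deciding.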
Loader Fingerprinting Tool
Python

Static-analysis tradecraft classifier for Windows loaders. Analyzes PE files to identify execution models, injection intent, API resolution methods, payload styles, and evasion posture. Classifies how a binary plans to execute code and what execution philosophy the author uses.

Static Analysis PE Analysis Loader Classification Tradecraft
GitHub →
Malware Report Auto-Writer
Python · Jinja

Automated malware analysis reporting engine that translates technical findings into professional, human-readable reports. Generates deterministic reports in Markdown, HTML, or PDF formats with specialized sections for evasion techniques and execution philosophies.

Malware Analysis Reporting Automation CLI
GitHub →

// All tools are open source and available on GitHub

// Contributions and feedback are welcome

// Use responsibly and ethically

// whoami

About me

Penetration tester and security researcher focused on offensive operations and privacy research.

I write about red team tradecraft, anti-forensics, privacy, and occasionally document APT techniques through controlled simulations.

All research is conducted in authorized environments or on personal lab infrastructure.

Content is published for educational and defensive awareness purposes.

GitHub → Twitter/X →

> Authorized access only

> All operations are logged