// security research & red team notes

Penetration Tester
Security Researcher

Documenting offensive security research, red team tradecraft, and privacy analysis. All operations are authorized. All findings are disclosed responsibly.

Posts 1
Tools 3
CVEs
Certs OSCP · CRTO
┌──(ghostwirez@sec)-[~/blog]
└─$ cat latest_posts.txt
12 Posts Published
3 Open Source Tools
6 Research Areas
2026 Last Updated
// latest posts
★ pinned
One Company Owns Your VPN, Your Backup VPN, and the Website That Told You to Use Both

DOJ charged three former US intelligence operatives over hacking work for the UAE. One of them was ExpressVPN's CIO, a detail that surfaced one day after Kape bought ExpressVPN for $936M. A company built on adware now holds the keys to your traffic.

Anti-Forensics 101: File Timestamp Manipulation

Timestamps are just metadata — and metadata is incredibly easy to manipulate. Understanding $STANDARD_INFORMATION vs $FILE_NAME and why clumsiness leaves more evidence than doing nothing.

Anti-Forensics 101: Data Wiping

Deleting a file doesn't make it disappear. On HDDs the data stays until overwritten. On modern SSDs with TRIM + encryption, it's usually gone for good. The real story is more nuanced.

Inside Predictive Surveillance: How They Watch Before You Act

Surveillance no longer asks "what did you do?" It asks "what will you do?" Your behavioral fingerprint predicts and pre-judges you before you've acted.

When npm install Gets You Hacked: Famous Chollima Job Scam Simulation

North Korean APT weaponizing fake GitHub job repos. A red team simulation of the full chain — social engineering, XOR-encrypted payloads, and silent C2 via npm postinstall.

FileFix: Launching PowerShell via the File Explorer Address Bar

A social engineering technique that tricks victims into pasting a disguised PowerShell command into File Explorer. No exploits. No admin rights. Just OS trust and bad habits.

How to Hijack a Windows System with Nothing but Built-in Tools

Multi-stage HTA phishing simulation using only native Windows binaries. No implants, no custom executables — just mshta.exe, WScript, PowerShell, and registry persistence.

// all posts

Blog

Writing mostly because I 'love' it. Research notes, techniques, and deep dives into offensive security and privacy.

// research index
One Company Owns Your VPN, Your Backup VPN, and the Website That Told You to Use Both

Kape Technologies — formerly Crossrider adware — now owns ExpressVPN, PIA, CyberGhost, and the review sites that rank them.

Anti-Forensics 101: File Timestamp Manipulation

$SI vs $FN attributes, the 100 ns FILETIME resolution (and the zeroed sub-second digits sloppy tools leave behind), double timestomping, and why the MFT sequence number exposes you anyway.
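Two of the tells the post describes, as an added example that is not the blog's code: FILETIME arithmetic at 100 ns resolution, a check for zeroed sub-second digits in $SI, and a check for $SI claiming to be older than $FN. The record layout and the sample timestamps are constructed for the demo; real input would come from an MFT parser.

```python
# Added example (not the blog's code): first-pass timestomp heuristics over the
# NTFS $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps of one record.
# Assumption: timestamps are raw FILETIME values (100 ns ticks since 1601-01-01 UTC),
# which is how they sit in the MFT. All records below are constructed for the demo.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100 ns intervals: 1e7 ticks per second


def to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME ticks (integer math keeps the 100 ns digits exact)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86_400 + d.seconds) * TICKS_PER_SECOND + d.microseconds * 10


def from_filetime(ticks: int) -> datetime:
    """FILETIME ticks -> UTC datetime; Python stops at microseconds, so the last digit is dropped."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def timestomp_flags(si: dict, fn: dict) -> list:
    """Return the heuristics that fire for one MFT record.

    si / fn: the four timestamps ('created', 'modified', 'mft_modified', 'accessed')
    from $SI and $FN respectively, as FILETIME ticks.
    """
    flags = []
    # Tools that stomp through SetFileTime with second-granular input leave every
    # sub-second digit zero in $SI. Real filesystem activity almost never does.
    if all(t % TICKS_PER_SECOND == 0 for t in si.values()):
        flags.append("si_subsecond_zeroed")
    # $FN timestamps are written by the kernel on create/rename and are not exposed
    # through SetFileTime, so a $SI creation time older than the $FN creation time
    # means $SI was rolled back after the file already existed.
    if si["created"] < fn["created"]:
        flags.append("si_created_before_fn")
    return flags


def _ft(y, m, d, hh, mm, ss, ticks=0):
    """Build a FILETIME from a UTC wall-clock time plus extra 100 ns ticks (demo helper)."""
    return to_filetime(datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc)) + ticks


UNIX_EPOCH_FILETIME = to_filetime(datetime(1970, 1, 1, tzinfo=timezone.utc))

# Constructed record 1: a file created once and modified five seconds later.
_created = _ft(2024, 3, 10, 14, 22, 31, 1234567)
CLEAN_SI = {
    "created": _created,
    "modified": _created + 5 * TICKS_PER_SECOND + 42,
    "mft_modified": _created + 5 * TICKS_PER_SECOND + 42,
    "accessed": _created,
}
CLEAN_FN = {k: _created for k in CLEAN_SI}

# Constructed record 2: the same file after a tool set all four $SI times to
# 2019-01-01 00:00:00 with second granularity. $FN still says March 2024.
STOMPED_SI = {k: _ft(2019, 1, 1, 0, 0, 0) for k in CLEAN_SI}
STOMPED_FN = dict(CLEAN_FN)

if __name__ == "__main__":
    print("clean:  ", timestomp_flags(CLEAN_SI, CLEAN_FN))
    print("stomped:", timestomp_flags(STOMPED_SI, STOMPED_FN))
```

These are first-pass indicators, not proof. A rename after the stomp copies the forged $SI values into $FN (the double timestomping the post covers), which silences the second check; the sequence-number angle the post raises is outside what this block looks at.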

Anti-Forensics 101: Data Wiping

shred, cipher /w, hdparm Secure Erase, and why physical destruction is the only guarantee at high threat models.

Inside Predictive Surveillance: How They Watch Before You Act

Behavioral fingerprinting, correlation pipelines, and how opting out itself becomes a flag.

Social Graph Reconstruction

Why metadata beats content. How connection graphs expose power dynamics, leadership, and identity — even without reading a single message.

There's No Perfect Private Email

Proton, Tuta, SimpleLogin, self-hosted — every option has a different threat surface. Understanding what each actually protects.

When npm install Gets You Hacked: Famous Chollima Simulation

North Korean APT job scam methodology — malicious postinstall scripts, XOR-encrypted Python reverse shells, C++ C2 listener. Full chain documented.
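The hook this chain relies on is a lifecycle script that npm runs for a dependency during `npm install` with no further user action. As an added example that is not the blog's code, the scanner below lists those hooks in a package.json and marks the patterns a reviewer would want to read first. The patterns and the sample package.json are constructed for the demo; a hit means "inspect this", not "malware".

```python
# Added example (not the blog's code): surface npm install-time lifecycle scripts
# and the patterns in them that deserve a second look. Sample input is constructed.
import json
import re

# Hooks npm runs for a dependency during `npm install` without any user action.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic patterns chosen for this example; tune them to your own environment.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bnode\s+-e\b"), "inline node eval"),
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|node|python3?)\b"), "download piped to interpreter"),
    (re.compile(r"\b(powershell|pwsh)\b", re.I), "powershell invocation"),
    (re.compile(r"\bpython3?\b"), "python invocation from a node package"),
    (re.compile(r"(^|[\s'\"=])\.[A-Za-z0-9_-]+/"), "path under a dotted (hidden) directory"),
    (re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"), "long base64-looking blob"),
]


def scan_package_json(text: str) -> list:
    """Return one finding per install-time hook present, with the patterns it matched."""
    scripts = json.loads(text).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not isinstance(command, str):
            continue
        reasons = [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(command)]
        findings.append({"hook": hook, "command": command, "reasons": reasons})
    return findings


# Constructed package.json in the style of a "take-home task" repository.
SAMPLE_PACKAGE_JSON = r'''{
  "name": "frontend-take-home-task",
  "version": "1.0.3",
  "scripts": {
    "test": "jest",
    "preinstall": "node scripts/check-node-version.js",
    "postinstall": "node -e \"require('child_process').exec('python3 .cache/upd.py')\""
  }
}'''

if __name__ == "__main__":
    for finding in scan_package_json(SAMPLE_PACKAGE_JSON):
        print(f"{finding['hook']:>11}: {finding['command']}")
        for reason in finding["reasons"]:
            print(f"             - {reason}")
```

The preinstall hook is listed with no reasons, which is the intended behaviour: any script that runs on install is worth knowing about even when it looks benign. For repositories you did not write, `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) keeps these hooks from running at all while you read them.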

FileFix: PowerShell via File Explorer Address Bar

A ClickFix variant. Phishing page that copies a hidden PowerShell command to clipboard, disguised as a file path. Zero exploits, zero footprint until execution.

Hijacking Windows with Only Built-in Tools

HTA → VBScript → hidden PowerShell → registry persistence. A full multi-stage attack chain using zero custom binaries. MITRE ATT&CK techniques documented.

// open source arsenal


Custom security tools built for red team operations and research. All open source. Use responsibly.

// tool index
USB Malware Filter Adapter
Python

Portable hardware-software security device that intercepts executable file transfers between USB storage devices and Windows hosts. Runs a Python file watcher on a Raspberry Pi Zero WH performing static PE structure analysis and MD5 hash matching against known malware signatures, quarantining flagged .exe files before they reach the host system.

PE Analysis Malware Analysis USB Security Embedded Security
GitHub →
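The two checks the description names, as an added example that is not the adapter's code: a static parse of the PE header (enough to call a blob "Windows executable code" whatever its extension) and an MD5 lookup against a signature set. The sample executable, the hash set and the verdict names are constructed for the demo.

```python
# Added example (not the adapter's code): static PE header analysis plus MD5
# signature matching, with a constructed sample to show where each check stops.
import hashlib
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}


def pe_summary(data: bytes) -> dict:
    """Parse the DOS header, PE signature and IMAGE_FILE_HEADER.

    That is all it takes to say "this is a PE image" independent of the file name.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False, "reason": "no MZ header"}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"is_pe": False, "reason": "no PE signature at e_lfanew"}
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, sections, _stamp, _symtab, _nsyms, _optsize, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "is_pe": True,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": sections,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def classify(data: bytes, known_bad_md5: set) -> str:
    """Hypothetical policy for this example (verdict names are not the adapter's):
    hash hit -> quarantine; any other PE -> hold for the operator; non-PE -> allow."""
    info = pe_summary(data)
    if not info["is_pe"]:
        return "allow"
    if hashlib.md5(data).hexdigest() in known_bad_md5:
        return "quarantine:known-hash"
    return "hold:unknown-executable"


def build_sample_pe() -> bytes:
    """Constructed 88-byte header-only PE: enough for pe_summary, not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    file_header = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0,
                              IMAGE_FILE_EXECUTABLE_IMAGE | 0x0020)  # | LARGE_ADDRESS_AWARE
    return bytes(dos) + b"PE\x00\x00" + file_header


SAMPLE_PE = build_sample_pe()
KNOWN_BAD = {hashlib.md5(SAMPLE_PE).hexdigest()}      # constructed "signature" for the demo
MUTATED_PE = SAMPLE_PE[:2] + b"\x90" + SAMPLE_PE[3:]  # one DOS-stub byte changed, still a PE

if __name__ == "__main__":
    print(pe_summary(SAMPLE_PE))
    print("original:", classify(SAMPLE_PE, KNOWN_BAD))
    print("mutated: ", classify(MUTATED_PE, KNOWN_BAD))
```

`MUTATED_PE` is the caveat in one line: a single changed byte misses the hash list entirely, while the header parse still identifies executable content even after the extension has been changed away from `.exe`. Keying on file content rather than file name is what lets a filter like this hold the second case for a human.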
CVE-2024-9326 PoC - SQL Injection
Python

Python-based proof-of-concept exploit for CVE-2024-9326, a high-severity SQL injection vulnerability in PHPGurukul Online Shopping Portal v2.0. Automates authentication bypass via classic comment-sequence payload injection against the admin login endpoint, with configurable target URL, port, username payload, and password through a CLI interface, enabling security professionals to confirm exploitability during assessments.

SQL Injection Exploit Development Web Security Penetration Testing
GitHub →
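The bug class behind a comment-sequence login bypass, as an added example that is not the PoC's code: a login query built by string concatenation next to the parameterised version that closes it, run against an in-memory SQLite table. The table, the row, the password and the function names are constructed for the demo; the real application's schema is not reproduced here.

```python
# Added example (not the PoC's code): the vulnerable query shape behind a
# comment-sequence authentication bypass, and the bind-parameter fix, against
# a constructed in-memory SQLite table.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed admin table with one row (credentials are demo values)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (username TEXT PRIMARY KEY, password TEXT)")
    con.execute("INSERT INTO admin VALUES ('admin', 'correct horse battery staple')")
    return con


def render_vulnerable_sql(username: str, password: str) -> str:
    """User input pasted straight into the SQL text: the vulnerable pattern."""
    return ("SELECT username FROM admin "
            f"WHERE username='{username}' AND password='{password}'")


def login_vulnerable(con: sqlite3.Connection, username: str, password: str):
    return con.execute(render_vulnerable_sql(username, password)).fetchone()


def login_fixed(con: sqlite3.Connection, username: str, password: str):
    """Same query with bind parameters; the quote and the comment marker are data now."""
    sql = "SELECT username FROM admin WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone()


# The payload closes the username literal and comments out the password check.
# `-- -` rather than a bare `--` because MySQL requires whitespace after `--`;
# SQLite accepts either, so the same payload works against both.
BYPASS_USERNAME = "admin'-- -"

if __name__ == "__main__":
    con = make_db()
    print(render_vulnerable_sql(BYPASS_USERNAME, "anything"))
    print("vulnerable:", login_vulnerable(con, BYPASS_USERNAME, "anything"))
    print("fixed:     ", login_fixed(con, BYPASS_USERNAME, "anything"))
```

Printing the rendered query is the quickest way to see why the bypass works: everything after `'admin'` is a comment, so the password predicate never reaches the engine. In the fixed version the same string is bound as a value and simply fails to match any username.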
CVE-2024-39090 PoC - CSRF to Stored XSS
Python

Python-based proof-of-concept exploit for CVE-2024-39090, chaining a CSRF vulnerability with stored XSS in PHPGurukul Online Shopping Portal v2.0. Automates forged POST requests to inject persistent JavaScript payloads into user-controlled fields — executing in privileged user context upon page load, enabling session hijacking or credential theft scenarios during security assessments.

CSRF Stored XSS Web Security Exploit Development
GitHub →
Console Banking System
C#

C# console banking application implementing core account management operations against a flat-file binary store. Uses a custom polynomial hash function for O(1)-average account lookup with linear probing for collision resolution, supporting user registration, authentication, fund transfers, balance updates, and account deletion — all persisted via direct BinaryReader/BinaryWriter stream manipulation over a fixed-record-width file.

File I/O Console Application File Handling Data Structures
GitHub →

// All tools are open source and available on GitHub

// Contributions and feedback are welcome

// Use responsibly and ethically

// whoami

About me

Penetration tester and security researcher focused on offensive operations.

Hi, I'm Engr. Arvin Rafael Legaspi (ghostwirez), an Offensive Security Engineer currently working at Secuna. I specialize in Penetration Testing and a bit of Red Teaming.

I hold certifications such as CRTO, CPTS, CWES, and CRTA, along with others that validate my expertise in the field.

I am also the founder of CyberwireZ and the HackTheBox Meetup Ambassador in the Philippines, fostering collaboration and knowledge-sharing with cybersecurity enthusiasts and professionals.

All research is conducted in authorized environments or on personal lab infrastructure.

Content is published for educational and defensive awareness purposes.

GitHub → LinkedIn → Discord Server →

> Authorized access only

> All operations are logged