All too often we find clever malware here at Huntress. We look for persistent footholds — the implants and backdoors that hackers leave behind so they can maintain access. Oftentimes, this takes the shape of code that needs to be started automatically, without any user interaction.

We tend to find these footholds in Windows autoruns, scheduled tasks or services, start up files or even in the Windows Registry.

We recently came across a particular malware sample that used a very peculiar technique. It utilized a legitimate application inherent to Windows… but, interestingly enough, a very old rendition of Windows.

The First Footprints

John Hammond | January 9th, 2021

I’ve played in the SANS Holiday Hack Challenge ever since 2015.

All those years ago, I attended the SANS HackFest in Alexandria, VA and took the live SANS 560 course: “Ethical Hacking and Network Penetration Testing.” I fondly remember playing NETWARS in the evenings, and as we came to the end of the course, our instructor (Ed Skoudis) told us about the SANS Holiday Hack Challenge. Ever since then, I always look forward to this time of year to see what the CounterHack team comes up with and to learn new things.

As always, the Holiday Hack Challenge was a…

This post was last updated on December 15, 2020 at 05:36 pm E.T.

Our technical findings can be found at the bottom of this article.

On December 13, FireEye discovered that SolarWinds Orion products (versions 2019.4 HF 5 and 2020.2 with no hotfix or 2020.2 HF 1) were being exploited by malicious actors. The supply chain attack trojanized SolarWinds Orion business software updates in order to distribute malware that has been referred to as both SUNBURST and Solorigate.

As far as we know at time of publishing, this does not affect SolarWinds N-central or SolarWinds RMM.

In this blog post we will shine the spotlight on an obfuscation technique that we see being used in the latest “100th version” of the TrickBot malware.

What program is built-in and available on every Microsoft Windows machine out in the wild?

Why, it’s the classic black box Command Prompt of course!

Command Prompt = cmd.exe

Command Prompt, or cmd.exe, is the default command-line interpreter for Windows operating systems. Its history dates back to the days of the old-school DOS (or Disk Operating System) shell that would run on vintage x86-based personal computers.

We recently uncovered a really peculiar piece of malware, which we’ve jokingly referred to as “the gift that keeps on giving.”

The more we dug into it, the more we found to uncover and unpack. I consider this a “multi-stager, multi-payload” piece of malware in that it works through a lot of different layers of abstraction. After all these layers of complexity and clever tricks, it goes to show just how invaluable it is to have human analysts review and reverse engineer malware.

Note that this is Part 2 of a previous blog post, “Hiding in Plain Sight || Part 1”…

A 2019 Holiday Hack Challenge Writeup
This year, I completed 100% of the SANS Holiday Hack Challenge. I have been playing the Holiday Hack Challenge since 2015, but I have only fully completed the challenge once before in 2017. I was very pleased to be a part of KringleCon, and help save Christmas this year!

If you like this writeup and want more, or to follow other things that I do, check out my YouTube channel: Or join me on my Discord server:
I’ll be posting video walkthroughs for KringleCon 2 very soon!

One of my favorite competitions is IceCTF — and it made that impression on me the first time I played the game, two years ago, when they hosted their first CTF in 2016.

NOTE: I have many more writeups to complete — this article is not yet finished. I will be adding to it as time goes on and I finish writing more; I just wanted to have something to showcase on CTFtime to get things moving.

The dates above (and the old logo) are from the 2016 competition.

This year they had a whole new platform, “Adversary,” with a similar learning curve but much more difficult challenges.

This game was a lot of fun! I played with my Discord server team, based on the channel that grew from my YouTube channel. Join us for the next competition, it’s a great family!

We had been fighting for a spot in the top 10 for most of the game, but ended up falling and finishing in 17th place. Still not too bad!
This one’s simple. Join the Slack channel to get the flag.

This was the typical “welcome” flag, leading the player to the support channel. The Slack Team is at

Senior Security Researcher at Huntress
