{
	"id": "2e17cb08-1c47-43e7-a559-ea4f99b58eb3",
	"created_at": "2026-04-06T00:17:32.848529Z",
	"updated_at": "2026-04-10T13:12:50.069648Z",
	"deleted_at": null,
	"sha1_hash": "368a4b8daf1e0b5e902b18294a1c3e0955d13da4",
	"title": "c-b.io | RE // DFIR // CTF",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86632,
	"plain_text": "c-b.io | RE // DFIR // CTF\r\nArchived: 2026-04-05 22:42:37 UTC\r\nWelcome to Humpty's blog!\r\nSecurity Research \u0026 Analysis\r\nHey there! Glad to see you here. I go by Humpty, some know me by Tony. This blog aims at documenting my Reverse Engineering \u0026 DFIR journey as I stumble my way through malware and funky logs.\r\nI also run a small DFIR community! You can learn more by going to irchaos.club or by joining our Discord server at the link below.\r\nHere are my socials:\r\nDiscord — Join IRCC!\r\nTwitter\r\nBlueSky\r\nLinkedIn\r\nHope you enjoy! - Humpty\r\n8 Cases\r\n29 IOCs\r\n19 MITRE Techniques\r\n3 Threat Actors\r\nCases (8)\r\n\r\nCASE-2026-0404 [high]: Cloudy With A Chance Of Compromise: How A Skid Ransoms Your Buckets\r\nStatus: Closed | Category: SOC Engineering / Guides | Threat Actor: N/A | MITRE: T1486, T1485, T1530, T1580, T1059.006 | Created: 2026-04-04 | Assignee: Humpty/Tony\r\nExcerpt: Preface If you spend any amount of time in infosec circles, you’ll notice that the vast majority of offensive research is still centered around …\r\n\r\nCASE-2026-0328 [info]: does-not-exist-bucket exists now and it's mine\r\nStatus: Closed | Category: SOC Engineering / Guides | Threat Actor: N/A | MITRE: none | Created: 2026-03-28 | Assignee: Humpty/Tony\r\nExcerpt: As someone who’s got the great misfortune of working very closely with Cloud providers (namely AWS, Azure \u0026 GCP, the unholy trinity) …\r\n\r\nCASE-2026-0125 [info]: Getting SaaSy with SIEMs — Introduction\r\nStatus: Closed | Category: SOC Engineering / Guides | Threat Actor: N/A | MITRE: none | Created: 2026-01-25 | Assignee: Humpty/Tony\r\nExcerpt: Welcome! It's so good to finally have a SOC analyst, we've got so much work to do! I know this will be a lot for you as a junior since it's all we …\r\n\r\nCASE-2025-0720 [critical]: Install Linters, Get Malware — DevSecOps Speedrun Edition\r\nStatus: Closed | Category: Supply Chain / Stealer | Threat Actor: Unknown | MITRE: T1195, T1059, T1027, T1056 | Created: 2025-07-20 | Assignee: Humpty/Tony\r\nExcerpt: Recommend song to listen to while reading: If you find something off with what I say, please let me know. I’ll gladly amend my content and …\r\n\r\nCASE-2024-0815 [critical]: Supper is served\r\nStatus: Closed | Category: Malware Analysis / RAT | Threat Actor: Vanilla Tempest / Vice Society | MITRE: T1059, T1071, T1140, T1573 | Created: 2024-08-15 | Assignee: Humpty/Tony\r\nExcerpt: Recommend song to listen to while reading: If you find something off with what I say, please let me know. I’ll gladly amend my content and …\r\n\r\nCASE-2024-0714 [low]: Threat hunting for shits and giggles\r\nStatus: Closed | Category: Threat Hunting | Threat Actor: N/A | MITRE: none | Created: 2024-07-14 | Assignee: Humpty/Tony\r\nExcerpt: I’ll start by saying this post is not endorsed by hunt.io. I just happen to be a really big fan of what they’re doing. Some hackers suck …\r\n\r\nCASE-2024-0610 [medium]: Analyzing the RedTiger Malware Stealer\r\nStatus: Closed | Category: Malware Analysis / Stealer | Threat Actor: Unknown (script kiddie) | MITRE: T1555, T1539, T1082 | Created: 2024-06-10 | Assignee: Humpty/Tony\r\nExcerpt: Today we’ll dive into a fresh malware stealer dubbed RedTiger, a sample targeting personal user data, particularly Discord tokens, …\r\n\r\nCASE-2024-0522 [medium]: Dissecting a fresh BlankGrabber sample\r\nStatus: Closed | Category: Malware Analysis / Stealer | Threat Actor: Unknown (script kiddie) | MITRE: T1055, T1497, T1005, T1125 | Created: 2024-05-22 | Assignee: Humpty/Tony\r\nExcerpt: BlankGrabber is nothing new. It’s been documented by multiple companies such as ThreatMon, K7Security and has even had its source code …\r\n\r\nSource: https://c-b.io/blog/dissecting_blankgrabber/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://c-b.io/blog/dissecting_blankgrabber/"
	],
	"report_names": [
		"dissecting_blankgrabber"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434652,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/368a4b8daf1e0b5e902b18294a1c3e0955d13da4.pdf",
		"text": "https://archive.orkl.eu/368a4b8daf1e0b5e902b18294a1c3e0955d13da4.txt",
		"img": "https://archive.orkl.eu/368a4b8daf1e0b5e902b18294a1c3e0955d13da4.jpg"
	}
}