<feed xmlns="http://www.w3.org/2005/Atom"> <id>https://brhopkins.uk/</id><title>brhopkins</title><subtitle>A blog written by Ben Hopkins: Malware and Threat Specialist at zeroShadow. Covers malware reverse engineering, threat hunting, and other cybersecurity research.</subtitle> <updated>2026-07-09T11:46:32+00:00</updated> <author> <name>Ben Hopkins</name> <uri>https://brhopkins.uk/</uri> </author><link rel="self" type="application/atom+xml" href="https://brhopkins.uk/feed.xml"/><link rel="alternate" type="text/html" hreflang="en" href="https://brhopkins.uk/"/> <generator uri="https://jekyllrb.com/" version="4.4.1">Jekyll</generator> <rights> © 2026 Ben Hopkins </rights> <icon>/assets/img/favicons/favicon.ico</icon> <logo>/assets/img/favicons/favicon-96x96.png</logo> <entry><title>Return of the Phemedrone Stealer - Part Two</title><link href="https://brhopkins.uk/posts/phenedrome-part-2/" rel="alternate" type="text/html" title="Return of the Phemedrone Stealer - Part Two" /><published>2025-07-13T00:00:00+00:00</published> <updated>2025-07-13T00:00:00+00:00</updated> <id>https://brhopkins.uk/posts/phenedrome-part-2/</id> <content type="text/html" src="https://brhopkins.uk/posts/phenedrome-part-2/" /> <author> <name>Ben Hopkins</name> </author> <category term="Malware" /> <category term="Loader" /> <category term="Stealer" /> <category term="DotNet" /> <summary>Overview In the last blog, I covered a campaign that was being conducted by a cybercriminal using the Phenedrome stealer, which hasn’t been seen in a while. In the last blog, I covered the fake AnyDesk website stood up by the threat actor, and how that was used to socially engineer a victim into downloaded a loader for Phenedrome. If you want to read that blog first, feel free to go to the lin...</summary> </entry> <entry><title>Return of the Phemedrone Stealer - Part One</title><link href="https://brhopkins.uk/posts/phenedrome-part-1/" rel="alternate" type="text/html" title="Return of the Phemedrone Stealer - Part One" /><published>2025-06-20T00:00:00+00:00</published> <updated>2025-06-20T00:00:00+00:00</updated> <id>https://brhopkins.uk/posts/phenedrome-part-1/</id> <content type="text/html" src="https://brhopkins.uk/posts/phenedrome-part-1/" /> <author> <name>Ben Hopkins</name> </author> <category term="Malware" /> <category term="Loader" /> <category term="Stealer" /> <category term="DotNet" /> <summary>Overview A few days ago, I was scrolling X (formally Twitter) where I follow other people in the cyber community, and came across a post about a threat actor impersonating the AnyDesk website to socially engineer victims into downloading malware. AnyDesk is a remote mangement and monitoring (RMM) tool that has platform-independant remote access solutions that IT support can use to service user...</summary> </entry> <entry><title>Async RAT - Analysis</title><link href="https://brhopkins.uk/posts/async-rat/" rel="alternate" type="text/html" title="Async RAT - Analysis" /><published>2025-02-15T00:00:00+00:00</published> <updated>2025-02-15T00:00:00+00:00</updated> <id>https://brhopkins.uk/posts/async-rat/</id> <content type="text/html" src="https://brhopkins.uk/posts/async-rat/" /> <author> <name>Ben Hopkins</name> </author> <category term="Malware" /> <category term="RATs" /> <summary>Overview AsyncRAT is a remote access trojan (RAT) built to remotely monitor and control other computers through a secure, encrypted connection. The name “AsyncRAT” comes from its core functionality—’async’ means it performs its operations asynchronously, which means it is capable of executing several tasks simultaneously. AsyncRAT has been observed as being bought, sold, and deployed for years...</summary> </entry> <entry><title>Payload Placement</title><link href="https://brhopkins.uk/posts/payload-placement/" rel="alternate" type="text/html" title="Payload Placement" /><published>2024-11-15T00:00:00+00:00</published> <updated>2024-11-15T00:00:00+00:00</updated> <id>https://brhopkins.uk/posts/payload-placement/</id> <content type="text/html" src="https://brhopkins.uk/posts/payload-placement/" /> <author> <name>Ben Hopkins</name> </author> <category term="Malware Development" /> <summary>In malware development, payload placement refers to where and how the malicious code (the payload) is embedded or hidden within a system to execute harmful functions without detection. Use cases for this technique could involve creating a benign-seeming executable or DLL and having it execute and load it’s resorces into memory, with the resource being the payload. In this blog, I’ll cover payl...</summary> </entry> <entry><title>JavaScript Deobfuscation - A Primer</title><link href="https://brhopkins.uk/posts/js-deob/" rel="alternate" type="text/html" title="JavaScript Deobfuscation - A Primer" /><published>2024-10-30T00:00:00+00:00</published> <updated>2024-10-30T00:00:00+00:00</updated> <id>https://brhopkins.uk/posts/js-deob/</id> <content type="text/html" src="https://brhopkins.uk/posts/js-deob/" /> <author> <name>Ben Hopkins</name> </author> <category term="Malware" /> <category term="JavaScript" /> <summary>With JavaScript being a popular programming language used in many web technologies, it often gets used by threat actors as initial stage payloads. Such scripts could have Powershell code embedded in them, further malware stagers, or functions for downloading malware from an attacker’s C2 server. Because JavaScript is a high-level language, it’s human-readable and logically easy to understand, s...</summary> </entry> </feed>
