0xD3lta Research

0xD3lta ResearchOffensive and defensive cybersecurity research — Red Team techniques, malware analysis, threat hunting, and more.https://0xdelta.org/enTechnical Analysis: UpCrypter Loader Delivering XWorm V5.6 RAT Targeting Brazilian Usershttps://0xdelta.org/blog/blue-team/malware-analysis-reverse-engineering/xworm-ucrypter-rat/https://0xdelta.org/blog/blue-team/malware-analysis-reverse-engineering/xworm-ucrypter-rat/Full chain analysis of a multi-stage campaign delivering XWorm V5.6 via a .NET loader (UpCrypter) disguised as a NF-e lure, with complete static, dynamic, and config extraction.Fri, 24 Apr 2026 00:00:00 GMTBlue TeamMalware Analysis & Reverse EngineeringXWormRATUpCrypterDotNetMalware AnalysisThreat HuntingBrazil0x_OLYMPUSTheGentlemen Ransomware: Threat Overview and Analysishttps://0xdelta.org/blog/blue-team/cyber-threat-intelligence/thegentlemen-ransomware-overview/https://0xdelta.org/blog/blue-team/cyber-threat-intelligence/thegentlemen-ransomware-overview/Technical overview of TheGentlemen ransomware group, covering its operational model, TTPs, initial access vectors, and defensive considerations.Tue, 07 Apr 2026 00:00:00 GMTBlue TeamCyber Threat IntelligenceRansomwareThreat IntelligenceCybersecurityTTPsBlue TeamMalwareANKHCORPCritical 10.0: Full BI Infrastructure Compromise via Default Credentialshttps://0xdelta.org/blog/red-team/web-security/critical-microstrategy-default-creds/https://0xdelta.org/blog/red-team/web-security/critical-microstrategy-default-creds/A detailed write-up on how factory-default credentials on a MicroStrategy administrative panel led to a complete takeover of corporate Business Intelligence assets.Wed, 28 Jan 2026 00:00:00 GMTRed TeamWeb SecurityBug BountyBroken AuthenticationMicroStrategyCriticalAdministrative AccessSERROS404Cyrillic Phishing: When a Domain Looks Legit — but Isn’thttps://0xdelta.org/blog/red-team/offensive-techniques/cyrillic-phishing-homograph-attack/https://0xdelta.org/blog/red-team/offensive-techniques/cyrillic-phishing-homograph-attack/An in-depth look at how threat actors abuse Unicode characters in IDN homograph attacks to achieve initial access through phishing.Tue, 13 Jan 2026 00:00:00 GMTRed TeamOffensive TechniquesRed TeamInitial AccessPhishingHomograph AttackSocial EngineeringIDN AbuseANKHCORPTechnical Analysis: XWorm v5.6 JavaScript Dropper → Fileless Loader Chainhttps://0xdelta.org/blog/blue-team/malware-analysis-reverse-engineering/xwormrat/https://0xdelta.org/blog/blue-team/malware-analysis-reverse-engineering/xwormrat/multi-stage malware infection chain delivering XWorm RAT v5.6 using a JavaScript dropper masquerading as a PDF documentFri, 09 Jan 2026 00:00:00 GMTBlue TeamMalware Analysis & Reverse EngineeringWormDotNetRATMalware AnalysisReverse Engineering0x_OLYMPUSFOSS as a Security Primitive: Why Open Source Is Structurally Superior for Privacy, Integrity, and Trusthttps://0xdelta.org/blog/blue-team/privacy-compliance-officer/foss/https://0xdelta.org/blog/blue-team/privacy-compliance-officer/foss/A technical analysis of FOSS as a foundational security control, examining verifiability, attack surface reduction, community auditing, and data sovereignty in contrast to the trust-based failures of proprietary software.Thu, 08 Jan 2026 00:00:00 GMTBlue TeamPrivacy Compliance OfficerFOSSOpen SourcePrivacySecurity EngineeringThreat ModelingTrust ModelSPECIEUNKN0WN_Threat Actor Profile: Midia22https://0xdelta.org/blog/blue-team/threat-hunting/midia22/https://0xdelta.org/blog/blue-team/threat-hunting/midia22/A investigation of Midia22, a Brazilian Initial Access Broker operating across government systems and Telegram cybercrime channels.Tue, 06 Jan 2026 00:00:00 GMTBlue TeamThreat HuntingThreat ActorInitial Access BrokerThreat GroupOSINTCybercrimeVAMPIR3BLUESTechnical Analysis: EvilSoul1337 Stealer-as-a-Servicehttps://0xdelta.org/blog/blue-team/malware-analysis-reverse-engineering/evilsoul1337/https://0xdelta.org/blog/blue-team/malware-analysis-reverse-engineering/evilsoul1337/Dissecting a Node.js-based Stealer-as-a-Service (SaaS) platform utilizing Electron, Discord Webhooks, and WebSocket C2s targeting gamers.Sun, 04 Jan 2026 00:00:00 GMTBlue TeamMalware Analysis & Reverse EngineeringStealerNodeJSElectronDiscordMalware AnalysisSaaS0x_OLYMPUSAbusing WhatsApp Desktop for Initial Access: Python ZipApp Reverse Shellhttps://0xdelta.org/blog/red-team/offensive-techniques/whatsapp-pyz-reverseshell/https://0xdelta.org/blog/red-team/offensive-techniques/whatsapp-pyz-reverseshell/A technical analysis of how .pyz files can be used to bypass protections and establish a Reverse Shell via WhatsApp Desktop.Fri, 26 Dec 2025 00:00:00 GMTRed TeamOffensive TechniquesRed TeamInitial AccessPythonEvasionSocial EngineeringSERROS404Active Phishing & PIX Fraud Operation Impersonating Brazilian DETRANhttps://0xdelta.org/blog/blue-team/threat-hunting/detranpixfraud/https://0xdelta.org/blog/blue-team/threat-hunting/detranpixfraud/Impersonation of Brazilian DETRAN (Department of Motor Vehicles).Sun, 21 Dec 2025 00:00:00 GMTBlue TeamThreat HuntingPhishingFraudPixFinancial FraudData Exposure0x_OLYMPUSTechnical Analysis: CS2 Fake Cheat Ransomwarehttps://0xdelta.org/blog/blue-team/malware-analysis-reverse-engineering/cs2-ransomware/https://0xdelta.org/blog/blue-team/malware-analysis-reverse-engineering/cs2-ransomware/A deep dive into a .NET ransomware distributed as a Counter-Strike 2 'Mod Menu' targeting Brazilian gamers.Wed, 26 Nov 2025 00:00:00 GMTBlue TeamMalware Analysis & Reverse EngineeringRansomwareDotNetCS2Malware AnalysisReverse Engineering0x_OLYMPUSTechnical Analysis: WhatsApp Web Automation Wormhttps://0xdelta.org/blog/blue-team/malware-analysis-reverse-engineering/whatsapp-automation-worm/https://0xdelta.org/blog/blue-team/malware-analysis-reverse-engineering/whatsapp-automation-worm/Investigation of a Python-based stage that hijacks browser sessions to automate mass malware dissemination via WhatsApp Web.Wed, 19 Nov 2025 00:00:00 GMTBlue TeamMalware Analysis & Reverse EngineeringWhatsAppWormSeleniumSession HijackingPythonC20x_OLYMPUSMalware Campaign: LNK + MSBuild abuse targeting Brazilhttps://0xdelta.org/blog/blue-team/malware-analysis-reverse-engineering/lnk-msbuild-campaign/https://0xdelta.org/blog/blue-team/malware-analysis-reverse-engineering/lnk-msbuild-campaign/Analysis of a campaign distributing malware via .LNK files disguised as DANFE/CFDI invoices, abusing MSBuild to execute fileless payloads.Sun, 24 Aug 2025 00:00:00 GMTBlue TeamMalware Analysis & Reverse EngineeringLNKMSBuildFilelessRubeusLOLBINGhostBuild0x_OLYMPUSCybersecurity Essentials: Understanding Risks & Defense Stackhttps://0xdelta.org/blog/blue-team/detection-engineering/cybersecurity-essentials/https://0xdelta.org/blog/blue-team/detection-engineering/cybersecurity-essentials/A comprehensive guide on modern cyber risks, APTs, and the essential toolset for defensive operations—from Vulnerability Management to IAM.Thu, 01 May 2025 00:00:00 GMTBlue TeamDetection EngineeringBlue TeamHardeningToolsIAMNetwork SecuritySPECIEUNKN0WN_Investigation: Critical IDOR in PIX Payment Gatewayhttps://0xdelta.org/blog/blue-team/cyber-threat-intelligence/pix-gateway-idor/https://0xdelta.org/blog/blue-team/cyber-threat-intelligence/pix-gateway-idor/Analysis of a mass phishing campaign mimicking the Postal Service that revealed a massive IDOR in a payment processor, exposing PII and enabling fraud.Thu, 24 Apr 2025 00:00:00 GMTBlue TeamCyber Threat IntelligenceIDORFraudPIXBurpSuiteData LeakPhishing0x_OLYMPUS