#malwareanalysis — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #malwareanalysis, aggregated by home.social.
-
🚀 OhMyPCAP 4.0.0 is HERE!
The ultimate FOSS PCAP analyzer just got a massive upgrade for deeper file intelligence.
New in v4.0:
• Upgraded to YARA Forge Full ruleset — more comprehensive malware & threat detection
• Exiftool + rich file metadata analysis — get more file information even if there are no YARA matches
All the power you love is still here:
Suricata alerts, file alerts, Sankey diagrams, full-text search, ASCII transcripts, hexdumps, stream carving + single Docker/Podman container (perfect for air-gapped or quick spins).
Ideal for malware analysis, incident response, threat hunting, forensics & teaching.
Who’s pulling this version right now? Drop a ❤️+ reply with your main use case (malware samples? CTFs? real-world incidents? teaching?)
#PCAP #DFIR #Cybersecurity #Infosec #BlueTeam #ThreatHunting #Suricata #YARA #MalwareAnalysis
-
732 bytes. That's all it took to escalate to root via a memory copy error. Sometimes the most elegant vulnerabilities are also the tiniest: a forgotten detail, an incorrect assumption, and suddenly the path is wide open. The attack surface really does hide everywhere. 🔬 #infosec #MalwareAnalysis #exploit
https://malware.news/t/hunting-copy-fail-732-bytes-to-root/106616
-
A "Guest Diary" on the danger of Libredtail, a tool that, according to the analysis, can slide into malicious use depending on how it is configured. 🧐
It's fascinating how some tools live in an ambiguous space: legitimate in one context, problematic in another. The line is often drawn by intent... and by the logs. 📋
#infosec #MalwareAnalysis #BlueTeam
https://malware.news/t/danger-of-libredtail-guest-diary-wed-apr-29th/106534
-
We're excited to announce that the Call for Trainers is now OPEN for DEF CON Training Middle East!
Are you passionate about cybersecurity, hacking, and hands-on learning? Do you have expertise in emerging threats, defensive strategies, or cutting-edge security techniques? We want to hear from you!
Visit training.defcon.org to submit your trainer application for a two-day or three-day course by May 9, 2026.
https://training.defcon.org/pages/2026-middle-east-call-for-trainers
#DEFCON #DEFCONTraining #Cybersecurity #Training #Hacking #InfoSec #SecurityCommunity #DEFCONMiddleEast #AI #RedTeam #BlueTeam #DigitalForensics #CyberTalent #MalwareAnalysis
-
🧠 Agent Tesla Daily Report
⬇️ Trend: declining (28%)
📊 17 new samples
🌐 0 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/agent-tesla/reports/2026-04-21
-
🧠 Formbook Daily Report
⬇️ Trend: declining (40%)
📊 8 new samples
🌐 55 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/formbook/reports/2026-04-19
-
🧠 Formbook Daily Report
⬇️ Trend: declining (30%)
📊 9 new samples
🌐 55 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/formbook/reports/2026-04-18
-
🧠 Vidar Daily Report
⬆️ Trend: rising (47%)
📊 16 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/vidar/reports/2026-04-18
-
🧠 Vidar Daily Report
⬆️ Trend: rising (75%)
📊 16 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/vidar/reports/2026-04-17
-
🧠 Formbook Daily Report
⬆️ Trend: rising (161%)
📊 28 new samples
🌐 55 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/formbook/reports/2026-04-16
-
🧠 Formbook Daily Report
⬆️ Trend: rising (229%)
📊 24 new samples
🌐 55 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/formbook/reports/2026-04-15
-
----------------
🛠️ Tool
===================
Opening: Malhaus is a self‑hosted malware static triage platform that aggregates outputs from established static analysis tools and interprets them via user‑selected LLMs to produce a structured triage report. The project targets analysts who need fast, explainable static assessments without relying on behavioral execution.
Key Features:
• Aggregates outputs from radare2, YARA, strings, objdump, oletools, floss, binwalk, exiftool and optional Ghidra headless decompilation for PE/ELF.
• Supports multiple LLM backends including Gemini, OpenAI, Azure AI Foundry, Claude, DeepSeek and OpenAI‑compatible servers (Ollama, vLLM, LM Studio).
• Produces a structured verdict with a confidence score, key reasoning points and full raw tool outputs.
• Exposes a REST API with bearer token authentication and per‑key rate limiting; includes an MCP server allowing AI agents to call analyze natively.
• Implements mathematical visualizations: entropy profile, compression curves, a 256×256 bigram matrix and an experimental byte‑trigram point cloud clustered with HDBSCAN.
• Caches results by SHA‑256 to make re‑submissions instant.
Technical Implementation:
• Pipeline design ingests the uploaded file, runs a configurable suite of static analyzers, computes byte‑sequence visualizations, and passes aggregated evidence to an LLM prompt template that returns a JSON‑structured verdict.
• Visualization outputs (entropy, compression ratios, bigram heatmap, PCA‑reduced trigram point cloud) are treated as evidence rather than classifiers; the LLM synthesizes these signals into human‑readable conclusions.
• Security controls include captcha‑protected web UI and tokenized API access; caching minimizes repeated heavy analysis.
Use Cases:
• Rapid triage of suspicious samples to determine priority for dynamic analysis.
• Augmenting human analysts with LLM‑summarized rationale and full tool outputs for auditability.
• Bulk triage workflows where SHA‑256 caching reduces redundant processing.
Limitations:
• The byte‑trigram visualization is experimental and not a validated classifier.
• LLM outputs are dependent on prompt design and model choice; false positives/negatives remain possible.
• Static triage cannot replace behavioral analysis for runtime behaviors, C2 activity or evasive techniques.
🔹 tool #malhaus #malwareanalysis #LLM #entropy
🔗 Source: https://github.com/toorandom/malhaus?tab=readme-ov-file
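The entropy profile and the 256×256 bigram matrix from the feature list above, as an added example in Python (not Malhaus code): sliding-window Shannon entropy merged into high-entropy byte spans, and bigram diversity as a one-number summary of the matrix. The sample buffer, window size, stride and threshold are constructed or assumed for the example.

```python
"""Sliding-window Shannon entropy and a byte-bigram matrix, computed with
the standard library only.

Added example, not Malhaus code.  SAMPLE is constructed: 1 KiB of repeated
printable text followed by 1 KiB of seeded pseudo-random bytes standing in
for a packed or encrypted region.  WINDOW, STEP and HIGH are assumptions.
"""
import math
import random
from collections import Counter

WINDOW = 512   # bytes per window
STEP = 256     # window stride
HIGH = 7.0     # bits/byte; code and text rarely exceed ~6.5, packed data sits near 8


def shannon_entropy(buf: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 at most."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def entropy_profile(buf: bytes, window: int = WINDOW, step: int = STEP) -> list:
    """[(offset, entropy)] for every window whose start is a multiple of step."""
    last_start = max(len(buf) - window, 0)
    return [(off, shannon_entropy(buf[off:off + window]))
            for off in range(0, last_start + 1, step)]


def high_entropy_regions(profile: list, window: int = WINDOW,
                         threshold: float = HIGH) -> list:
    """Merge overlapping or adjacent windows above threshold into (start, end) spans."""
    regions = []
    for off, h in profile:
        if h < threshold:
            continue
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], off + window)
        else:
            regions.append((off, off + window))
    return regions


def bigram_matrix(buf: bytes) -> list:
    """256x256 table of (byte, following byte) counts."""
    m = [[0] * 256 for _ in range(256)]
    for a, b in zip(buf, buf[1:]):
        m[a][b] += 1
    return m


def bigram_diversity(buf: bytes) -> float:
    """Distinct bigrams / total bigrams: near 0 for repetitive text, near 1 for random data."""
    if len(buf) < 2:
        return 0.0
    distinct = sum(1 for row in bigram_matrix(buf) for c in row if c)
    return distinct / (len(buf) - 1)


random.seed(1)  # constructed sample; seeded so the numbers are reproducible
TEXT = (b"This program cannot be run in DOS mode.\r\n" * 30)[:1024]
RANDOM = bytes(random.getrandbits(8) for _ in range(1024))
SAMPLE = TEXT + RANDOM


def triage_summary(buf: bytes = SAMPLE) -> dict:
    """The three numbers an analyst wants first: overall entropy, where the
    high-entropy spans are, and how random the byte pairs look."""
    return {
        "overall_entropy": round(shannon_entropy(buf), 2),
        "high_entropy_regions": high_entropy_regions(entropy_profile(buf)),
        "bigram_diversity": round(bigram_diversity(buf), 3),
    }


if __name__ == "__main__":
    print(triage_summary())
```

On the constructed sample the text half stays well under 5 bits/byte and the random half sits near 7.8, so the merged high-entropy span starts at the text/random boundary and runs to the end of the buffer; the same numbers on a real PE point straight at packed sections or embedded encrypted payloads. Treat them as evidence, as the post says, not as a verdict: compressed resources and certificate tables are legitimately high-entropy too.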
-
🧠 Formbook Daily Report
⬆️ Trend: rising (69%)
📊 13 new samples
🌐 55 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/formbook/reports/2026-04-14
-
🧠 QuasarRAT Daily Report
➡️ Trend: stable (4%)
📊 4 new samples
🌐 0 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/quasar-rat/reports/2026-04-13
-
🧠 AsyncRAT Daily Report
⬇️ Trend: declining (36%)
📊 4 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/async-rat/reports/2026-04-12
-
🧠 AsyncRAT Daily Report
➡️ Trend: stable (2%)
📊 6 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/async-rat/reports/2026-04-11
-
🧠 AsyncRAT Daily Report
⬆️ Trend: rising (289%)
📊 15 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/async-rat/reports/2026-04-10
-
🧠 Agent Tesla Daily Report
⬇️ Trend: declining (21%)
📊 9 new samples
🌐 0 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/agent-tesla/reports/2026-04-08
-
🧠 Formbook Daily Report
➡️ Trend: stable (9%)
📊 8 new samples
🌐 55 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/formbook/reports/2026-04-07
-
CW: Full toolkit (3 samples + scripts + YARA):
(no download needed)
https://archive.org/details/500ms-supply-chain-verification-toolkit
The name references Andres Freund's 500ms SSH delay that uncovered the XZ backdoor.
The core finding: JsonSchema.Net.dll shipped in Microsoft's DesktopAppInstaller has a SHA256 that doesn't match any official NuGet release. It has a PE timestamp of year 2095. And it's signed by Microsoft's HSM.
You can verify this on your own Windows 11 machine without downloading anything from me:
Get-FileHash "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*\ConfigurationRemotingServer\JsonSchema.Net.dll"
Compare with NuGet official: https://www.nuget.org/packages/JsonSchema.Net/7.2.3
The toolkit also includes anomalies in Google's cloudcode_cli (104K internal refs) and Intel's IGCCTray (GCP data exfil in a graphics driver).
🔍 500ms — Supply chain anomalies in Windows 11 default binaries
JsonSchema.Net.dll in Microsoft DesktopAppInstaller:
→ Hash ≠ any official NuGet release
→ PE timestamp: year 2095
→ Signed by Microsoft HSM post-modification
Verify on YOUR OWN Windows 11 (no download needed):
Get-FileHash "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*\...\JsonSchema.Net.dll"
Compare: nuget.org/packages/JsonSchema.Net/7.2.3
#infosec #supplychainattack #malwareanalysis #microsoft #cybersecurity #threatintel #windows11 #forensics
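The two properties the post above asks readers to check, redone offline in Python as an added example (not the toolkit's code): SHA-256 against a known-good set, and the COFF TimeDateStamp read straight from the PE header. Two caveats before treating either as evidence of tampering. The .NET SDK builds deterministically by default and writes a content-hash-derived value into TimeDateStamp rather than a build time, so far-future dates on managed DLLs are routine. And an Authenticode signature lives inside the file, so a copy signed after the fact will not hash-match an unsigned artifact even when the code is byte-identical; compare the signature-stripped image, or the Authenticode hash, before calling a mismatch suspicious. The PE images, hashes and clock below are constructed and are not JsonSchema.Net values.

```python
"""SHA-256 against a known-good set plus the COFF TimeDateStamp from the
PE header, the two properties the post above asks readers to check.

Added example, not the toolkit's code.  KNOWN_GOOD, NOW and the PE images
built by build_fake_pe() are constructed for the example; they are not
JsonSchema.Net values.
"""
import hashlib
import struct
from datetime import datetime, timedelta, timezone

E_LFANEW_OFFSET = 0x3C          # DOS header field holding the PE header offset
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)            # assumed wall clock
EARLIEST_SANE = datetime(2000, 1, 1, tzinfo=timezone.utc)  # assumed build-window floor


def pe_timestamp(image: bytes) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp as UTC.  Raises on a non-PE buffer."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return EPOCH + timedelta(seconds=ts)   # arithmetic, so far-future values still convert


def timestamp_is_plausible(ts: datetime, now: datetime = NOW) -> bool:
    """A real build time should fall between a sane floor and the present."""
    return EARLIEST_SANE <= ts <= now


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def triage(image: bytes, known_good: set, now: datetime = NOW) -> list:
    """Findings as strings; an empty list means both checks passed."""
    findings = []
    digest = sha256_hex(image)
    if digest not in known_good:
        findings.append(f"sha256 {digest} not in known-good set")
    ts = pe_timestamp(image)
    if not timestamp_is_plausible(ts, now):
        findings.append(f"TimeDateStamp {ts.isoformat()} outside plausible build window")
    return findings


def build_fake_pe(timestamp: int, machine: int = 0x8664) -> bytes:
    """Constructed minimal PE-shaped buffer: a 64-byte DOS header pointing at a
    PE signature followed by a 20-byte COFF header.  Enough for the checks
    above, not a loadable image."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, len(dos))
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


SANE_TS = int((datetime(2024, 6, 1, tzinfo=timezone.utc) - EPOCH).total_seconds())
FUTURE_TS = int((datetime(2095, 1, 1, tzinfo=timezone.utc) - EPOCH).total_seconds())
KNOWN_GOOD = {sha256_hex(build_fake_pe(SANE_TS))}   # constructed allowlist


if __name__ == "__main__":
    for label, ts in (("sane", SANE_TS), ("year-2095", FUTURE_TS)):
        print(label, triage(build_fake_pe(ts), KNOWN_GOOD) or "ok")
```

To run this against a real file, pass `open(path, "rb").read()` as `image` and a set of hashes you computed yourself from the packages you trust; a timestamp finding on a managed assembly should then be cross-checked against whether the assembly was built deterministically before it is escalated.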
-
🧠 AsyncRAT Daily Report
⬇️ Trend: declining (62%)
📊 3 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/async-rat/reports/2026-04-06
-
----------------
🎯 Threat Intelligence
===================
Executive summary: A 2.7 MB x86_64 ELF sample (MD5: f1403192ad7a762c235d670e13b703c3) with near-maximum entropy was flagged as APT41-linked Winnti. Analysis shows a custom code virtualizer, three typosquat C2 domains resolving to 43.99.48.196 (Alibaba Cloud, Singapore), and a capability to harvest cloud instance metadata across major providers. The implant uses SMTP (port 25) as a covert command channel and refuses connections that do not present the expected implant handshake.
Technical details / IoCs:
• MD5: f1403192ad7a762c235d670e13b703c3
• C2 domains: ai.qianxing.co, ns1.a1iyun.top, ai.aliyuncs.help
• C2 IP: 43.99.48.196 (Alibaba Cloud, SG)
• Observed C2 ports: 25 (SMTP), 443, 8088 (server only responds to valid handshake)
• Notable infrastructure: a1iyun.top has a Let's Encrypt wildcard cert from Aug 2023
Analysis:
The binary's high entropy and inline transformations indicate a custom code virtualizer or instruction-level obfuscation that defeats standard static analysis. Intezer and other vendors link code reuse across six years of Winnti lineage (PWNLNX, RedXOR, AzazelFork, SprySOCKS, Melofee), indicating continued evolution rather than a one-off commodity trojan. The typosquatting strategy targets human triage processes: domains visually mimic Alibaba-related hostnames (a1iyun vs aliyun) and use ai. subdomains to exploit contemporary expectations of AI-related traffic.
The implant's use of the link-local cloud metadata endpoint (169.254.169.254) is operationally significant: it can retrieve temporary credentials, instance identity documents, managed identity tokens, and service account tokens from AWS, GCP, Azure, and Alibaba Cloud, enabling potential lateral movement and account takeover when permissions permit.
Detection considerations:
Observed artifacts suitable for detection include DNS queries for the listed typosquat domains, network connections to 43.99.48.196 that exhibit SMTP protocol exchanges without standard mail service responses, and processes attempting access to http://169.254.169.254 from unexpected workloads. The C2's refusal to respond to scans means detection should focus on endpoint telemetry and DNS/log analysis rather than relying on internet-wide scanning results.
Limitations & open questions:
Public analysis is constrained by heavy obfuscation; static indicators inside the binary are limited. The exact command encoding used over SMTP and the full set of post-exploitation modules were not fully disclosed in the source report.
🔹 APT41 #Winnti #cloud #malwareanalysis
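The three artifact classes listed under detection considerations above, as detection logic run over constructed log records (added example, not from the source report): DNS queries for the typosquat names, port-25 sessions to the C2 address whose server side never sends an SMTP 220 greeting, and HTTP requests to the metadata endpoint from workloads not expected to make them. The records are loosely modelled on Zeek dns/conn/http fields; the server_banner field, the METADATA_ALLOWED allowlist and the 10.0.1.x hosts are assumptions. Matching any label under the three registrable zones rather than only the three exact hostnames is my extension of the report's IOCs.

```python
"""Detection logic for the three artifact classes in the report above: DNS
queries for the typosquat C2 names, port-25 sessions to the C2 address whose
server side never sends an SMTP 220 greeting, and HTTP requests to the cloud
metadata endpoint from workloads not expected to make them.

Added example, not from the source report.  LOG is constructed and loosely
modelled on Zeek dns/conn/http fields; server_banner, METADATA_ALLOWED and the
10.0.1.x hosts are assumptions.  Matching any name under the three registrable
zones (C2_ZONES) goes beyond the three exact hostnames the report lists.
"""
C2_DOMAINS = {"ai.qianxing.co", "ns1.a1iyun.top", "ai.aliyuncs.help"}
C2_ZONES = {"qianxing.co", "a1iyun.top", "aliyuncs.help"}
C2_IP = "43.99.48.196"
METADATA_IP = "169.254.169.254"
METADATA_ALLOWED = {"10.0.1.15"}   # assumed: the one host whose cloud agent legitimately polls metadata

# Constructed records, one per line: kind, src, dst, dst_port, key=value detail.
LOG = """\
dns\t10.0.1.20\t10.0.0.53\t53\tquery=ns1.a1iyun.top
dns\t10.0.1.20\t10.0.0.53\t53\tquery=www.aliyun.com
conn\t10.0.1.20\t43.99.48.196\t25\tserver_banner=
conn\t10.0.1.21\t203.0.113.9\t25\tserver_banner=220 mail.example.net ESMTP
conn\t10.0.1.20\t43.99.48.196\t443\tserver_banner=
http\t10.0.1.20\t169.254.169.254\t80\turi=/latest/meta-data/iam/security-credentials/
http\t10.0.1.15\t169.254.169.254\t80\turi=/latest/meta-data/instance-id
"""


def parse(log: str):
    """Yield one dict per record; the detail column becomes a named field."""
    for line in log.splitlines():
        if not line.strip():
            continue
        kind, src, dst, port, detail = line.split("\t")
        key, _, value = detail.partition("=")
        yield {"kind": kind, "src": src, "dst": dst, "port": int(port), key: value}


def is_c2_domain(name: str) -> bool:
    """Exact IOC hit, or any label under one of the typosquat zones."""
    name = name.rstrip(".").lower()
    return name in C2_DOMAINS or any(name == z or name.endswith("." + z) for z in C2_ZONES)


def detect(records) -> list:
    """Return (rule, src, evidence) tuples in log order."""
    alerts = []
    for r in records:
        if r["kind"] == "dns" and is_c2_domain(r["query"]):
            alerts.append(("c2_dns_query", r["src"], r["query"]))
        elif r["kind"] == "conn" and r["dst"] == C2_IP:
            # The C2 never answers scanners, so a port-25 session with no
            # 220 greeting is the report's SMTP-as-covert-channel shape.
            if r["port"] == 25 and not r["server_banner"].startswith("220"):
                alerts.append(("c2_smtp_no_greeting", r["src"], f"{r['dst']}:25"))
            else:
                alerts.append(("c2_ip_contact", r["src"], f"{r['dst']}:{r['port']}"))
        elif r["kind"] == "http" and r["dst"] == METADATA_IP and r["src"] not in METADATA_ALLOWED:
            alerts.append(("metadata_access", r["src"], r["uri"]))
    return alerts


def run_detection(log: str = LOG) -> list:
    return detect(parse(log))


if __name__ == "__main__":
    for alert in run_detection():
        print(*alert, sep="\t")
```

The constructed log produces four alerts, all from 10.0.1.20: the typosquat lookup, the silent port-25 session to the C2, the 443 contact to the same address, and the credential-path metadata request. The legitimate ESMTP session to another mail server, the lookup of the real aliyun.com, and the allowlisted host's instance-id query are left alone. The metadata rule is the one worth tuning per environment: agents, IMDS-aware SDKs and init scripts all hit 169.254.169.254 legitimately, so the allowlist (or a per-workload baseline) does the real work there.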
-
🧠 QuasarRAT Daily Report
⬇️ Trend: declining (46%)
📊 5 new samples
🌐 0 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/quasar-rat/reports/2026-04-04
-
🧠 Agent Tesla Daily Report
⬇️ Trend: declining (54%)
📊 10 new samples
🌐 0 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/agent-tesla/reports/2026-04-04
-
🧠 Vidar Daily Report
⬇️ Trend: declining (39%)
📊 19 new samples
🌐 100 C2 servers
Full analysis, IOCs, and hashes:
https://www.yazoul.net/malware/vidar/reports/2026-04-03
-
Tried to book a bar. Ended up reverse engineering a malware campaign instead.
A fake "Cloudflare verify" page copied an obfuscated PowerShell loader to my clipboard. So I broke it down:
XOR-obfuscated script
Payload delivery
RedCap infostealer analysis
REMnux, Ghidra & Hybrid Analysis
Also watched the infrastructure get taken down mid-write-up.
First time doing any RE
https://blog.michaelrbparker.com/post/17
(Still haven't booked that drink.)
-
🚀 Just released smali-lsp!
A Language Server for Smali with:
• Goto definition
• Cross-references
• Symbols & hover
• Works with any IDE (minimal setup)
Also includes an MCP server → plug into AI agents for faster APK analysis 🤖
🔗 https://github.com/Surendrajat/smali-lsp
#AndroidDev #ReverseEngineering #MalwareAnalysis #LSP #InfoSec #RE #security #dalvik