THREAT UNPACKED

Operational Malware Analysis

  • Why This Blog Exists

    Most malware analysis content focuses on what a sample does. This blog focuses on why it matters during an incident. Through case studies, technical deep dives, and operational reflections, I write about: Clarity matters, assumptions are dangerous, and systems fail in ways their designers rarely expect. The goal is not to teach malware analysis from…

  • Reversing a Microsoft-Signed Rootkit: The Netfilter Driver

    A detailed technical analysis of Netfilter.sys, a malicious kernel driver that was legitimately signed by Microsoft through attestation signing. This post explores how the rootkit harnesses the Windows Filtering Platform for stealthy IP redirection, the C2 communication mechanisms, and how Microsoft strengthened driver signing processes afterwards.

    Why I’m Picking Apart This Driver

    While digging into…