latest in reverse engineering

DragonForce: Deep Reverse Engineering of the Ransomware Behind M&S and Co-op UK

Full technical analysis of DragonForce's Windows x86 encryptor: MinGW C++ with Salsa20 multi-mode encryption, BYOVD kernel driver EDR bypass (rentdrv2.sys + truesight.sys), WMI shadow copy deletion, Restart Manager file handle killing, IOCP network scanning, and COM-based scheduled task persistence.

ransomware · 2026-07-07 · 20 min

#Ransomware#Reverse-Engineering#DragonForce

.text

reverse engineering

6 writeups
It Only Decrypts on the Victim: DPAPI Host-Locking in a ShadowPad .dat

VirusTotal called it PlugX. It broke down into an RC4 layer I could crack offline, a ScatterBrain-flavoured shellcode stub, and then a wall: the real implant is sealed with machine-scoped DPAPI, so it only decrypts on the one victim it was built for. Here's everything up to that wall, why the wall is the whole point, and why I think this is closer to ShadowPad than PlugX.

ShadowPad · 2026-06-30 · 11 min

#ShadowPad#PlugX#DPAPI

Reversing a Microsoft-Signed Rootkit: The Netfilter Driver

A detailed technical analysis of Netfilter.sys, a malicious kernel driver that was legitimately signed by Microsoft through attestation signing. This post explores how the rootkit harnesses the Windows Filtering Platform for stealthy IP redirection, the C2 communication mechanism

rootkit · 2025-10-07 · 15 min

.idata

threat intelligence

11 writeups
WealthGAF and ASYNCBOTNET: A Fake Forex CRM Brand Built to Deliver a Four-Stage Python RAT

A 2,253-byte ZIP posing as API documentation for a fake forex CRM delivers a four-stage chain: LNK trojan with conhost --headless hiding, a compiled AutoIt downloader, a PNG/ZIP polyglot Python bundle, and a previously undocumented Socket.IO RAT named ASYNCBOTNET that monitors 14 crypto wallets and 12 exchanges. A single TLS certificate ties WealthGAF to a 13-brand fake forex platform cluster, all sharing the same Kubernetes C2 origin.

RAT · 2026-07-04 · 19 min

#asyncbotnet#wealthgaf#autoit

Root in Eight Weeks: Reconstructing a Chinese Operator's Kill Chain Through Brazil's Federal District Government Network

File timestamps preserved inside a 9.1GB archive found on a Chinese threat actor's staging server let us reconstruct a complete intrusion: WordPress web shell to DirtyPipe container escape, socat tunnelling, fscan credential spray across 164 government machines, and 754MB of internal GitLab source code — all in eight weeks.

C2-infra · 2026-07-02 · 13 min

#kill-chain#mitre-attack#brazil

Ice Scorpion on Alibaba: A Chinese Operator's Singapore Staging Server, 164 Compromised Brazilian Government Machines, and a 933MB Fake GPU Driver

A Shodan hit on an Alibaba Cloud Singapore IP leads to a 9.1GB archive that turns out to be an attacker's working directory from inside a compromised Brazilian government server — containing a DirtyPipe exploit, fscan lateral movement results across the GDF internal network, 164 confirmed credential compromises, and 754MB of exfiltrated GitLab source code.

rootkit · 2026-07-02 · 13 min

#behinder#bingxie#ice-scorpion

One Tweet, Sixteen Servers: Pivoting the Chopi RAT Vishing Operation

A WsgiDAV opendir gave me staging payloads and a leaked debug log. AES config RE confirmed all six C2 IPs and the full encrypted capability set. PE build timestamp forensics revealed two back-to-back build sessions; the operator's dropper cluster leaked their build-system path on VirusTotal. Neo4j graph of 70 nodes across 3 cloud providers. YARA rules included.

RAT · 2026-06-30 · 32 min

#Threat-Intel#RAT#Vishing

.rdata

tooling & vuln research

3 writeups
Building a Scalable Windows Driver Vulnerability Analyzer (Part 2)

In [Part 1], I built a pipeline to churn through gigabytes of drivers. I started with a massive raw dataset of 58.5 GB of drivers. However, feeding this volume into a static analyzer is inefficient. I aggressively filtered the set: This left me with a curated dataset of 28,000 un

rootkit · 2026-02-04 · 7 min

Building a Scalable Windows Driver Vulnerability Analyzer (Part 1)

Background As I spent more time looking at kernel drivers, that interest gradually grew. Finding my first CVE in a Windows driver pushed me to pay closer attention to this area. Around the same time, I started reading more practical write-ups on driver work, including a post by e

rootkit · 2026-01-21 · 6 min

.data

field notes

1 writeup
Why This Blog Exists

Most malware analysis content focuses on what a sample does. This blog focuses on why it matters during an incident. Through case studies, technical deep dives, and operational reflections, I write about: Clarity matters, assumptions are dangerous, and systems fail in ways their

writeup · 2026-01-07 · 1 min