Operational malware analysis — deep dives into incidents, implants, and intrusion sets.https://threatunpacked.com/https://threatunpacked.com/2026/03/12/building-a-scalable-windows-driver-vulnerability-analyzer-part-3-from-one-driver-to-1775/https://threatunpacked.com/2026/03/12/building-a-scalable-windows-driver-vulnerability-analyzer-part-3-from-one-driver-to-1775/In Part 1, I built a pipeline to ingest and classify tens of gigabytes of Windows drivers. In Part 2, I ran it at scale and found the initial results underwhelming. IOCTLance found bugs, but understanding what those bugs meant required more context than symbolic execution alone cThu, 12 Mar 2026 05:13:44 GMThttps://threatunpacked.com/2026/02/04/building-a-scalable-windows-driver-vulnerability-analyzer-part-2/https://threatunpacked.com/2026/02/04/building-a-scalable-windows-driver-vulnerability-analyzer-part-2/In [Part 1], I built a pipeline to churn through gigabytes of drivers. I started with a massive raw dataset of 58.5 GB of drivers. However, feeding this volume into a static analyzer is inefficient. I aggressively filtered the set: This left me with a curated dataset of 28,000 unWed, 04 Feb 2026 04:13:27 GMThttps://threatunpacked.com/2026/01/21/building-a-scalable-windows-driver-vulnerability-analyzer-part-1/https://threatunpacked.com/2026/01/21/building-a-scalable-windows-driver-vulnerability-analyzer-part-1/Background As I spent more time looking at kernel drivers, that interest gradually grew. Finding my first CVE in a Windows driver pushed me to pay closer attention to this area. Around the same time, I started reading more practical write-ups on driver work, including a post by eWed, 21 Jan 2026 01:03:59 GMThttps://threatunpacked.com/2026/01/07/why-this-blog-exists/https://threatunpacked.com/2026/01/07/why-this-blog-exists/Most malware analysis content focuses on what a sample does. This blog focuses on why it matters during an incident. Through case studies, technical deep dives, and operational reflections, I write about: Clarity matters, assumptions are dangerous, and systems fail in ways their Wed, 07 Jan 2026 22:31:00 GMThttps://threatunpacked.com/2025/10/07/reversing-a-microsoft-signed-rootkit-the-netfilter-driver/https://threatunpacked.com/2025/10/07/reversing-a-microsoft-signed-rootkit-the-netfilter-driver/A detailed technical analysis of Netfilter.sys, a malicious kernel driver that was legitimately signed by Microsoft through attestation signing. This post explores how the rootkit harnesses the Windows Filtering Platform for stealthy IP redirection, the C2 communication mechanismTue, 07 Oct 2025 08:14:24 GMT