Malware

In a time full of ransomware as well as Advanced persistent Thread (APT) incidents the importance of detecting those attacking groups has become increasingly...

EDR / AV Evasion

Contribute to wavestone-cdt/EDRSandblast development by creating an account on GitHub.

Crypter, binder & downloader with native & .NET stub, evasive by design, user friendly UI - GitHub - bytecode77/pe-union: Crypter, binder & downloader with native & ...

Design & Implementation of a crypter in any language, using Xencrypt (Powershell) as an underlying example.

a PE Loader and Windows API tracer. Useful in malware analysis. - GitHub - enkomio/thematrix: a PE Loader and Windows API tracer. Useful in malware analysis.

Introduction System calls are the ultimate high-level atomic actions that Malware writers might control. System calls sequences are the defacto ultimate way to divide behaviors between good and bad…

A Pin Tool for tracing API calls etc. Contribute to hasherezade/tiny_tracer development by creating an account on GitHub.

The automatic detection and classification of any given file in a reliable manner is often considered the holy grail of malware analysis. This blog will dive into DotDumper’s usage and internals.

An automatic unpacker and logger for DotNet Framework targeting files - GitHub - advanced-threat-research/DotDumper: An automatic unpacker and logger for DotNet Framework targeting files

A new document royal road v7 installs a backdoor in .NET. a first executable is dropped \os03C2.tmp. This exe has many similarities with…

HelloKitty lacks the stealth of Ryuk, REvil and Conti, but has still struck some notable targets, including CEMIGO. Ransomware overview and IoCs here.

This blog details how Iron Tiger threat actors have updated their toolkit with an updated SysUpdate malware variant that now uses five files in its infection routine instead of the usual three.

Proofpoint researchers identified a new variant of the Buer malware loader distributed via emails masquerading as shipping notices in early April.

In a highly targeted operation by a Chinese APT, a newly discovered backdoor dubbed PortDoor is being used in attacks targeting a Russian defense contractor...

Microsoft has identified three new pieces of malware being used in late-stage activity by NOBELIUM – the actor behind the SolarWinds attacks, SUNBURST, and TEARDROP.

In this report, we present a UEFI firmware rootkit that we called CosmicStrand and attribute to an unknown Chinese-speaking threat actor.

OrBit is a new Linux malware that hijacks the execution flow, evading and gaining persistence to get remote access and steal information.

Learn how the Falcon Complete Team detected the SolarMarker Backdoor using the Falcon UI, our deobfuscation process, and how we collaborated with our Intel team.

In late February, while tracking a malicious spam campaign from the Qakbot distributor “TR,” Binary Defense’s analysts identified a new version of IcedID being delivered through malicious Word and Excel files. The updated IcedID has a new first stage loading mechanism, which we’ve dubbed “gziploader,” along with new encryption algorithms for hiding its configuration and […]

In this blog, we cover all things GuLoader – a new malware family – including its main shellcode, anti-analysis techniques and final payload delivery mechanism.

Obfuscate specific windows apis with different apis - GitHub - d35ha/CallObfuscator: Obfuscate specific windows apis with different apis

Introduction Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort to code reuse from open source projects. As rootkits are very interesting to analyze, we are always looking out for these kinds of samples […]