PDF reports of independent malware analysis — companion to my research blog.
Update History
- SSDT Hooking: A Personal Walkthrough of Kernel-Mode Intrigue (Uroboros Echoes)
- Static Analysis of Turla’s Uroboros: Revealing Core Tactics and Technical Mindset
- The Evolution of APT36’s Crimson RAT: Tracking Variants and Feature Expansion Over the Years
- Unveiling APT28’s Advanced Obfuscated Loader and HTA Trojan: A Deep Dive with x32dbg Debugging
- Uroboros Revisited: Tracing PatchGuard-Evasive Techniques Beyond SSDT Hooking
- XWorm Unmasked: Weaponizing Script Obfuscation and Modern Evasion Techniques
- Analysis of Equation Group’s nls_933w.dll: Revealing Core Tactics and Technical Mindset
- Deobfuscating APT28’s HTA Trojan: A Deep Dive into VBE Techniques & Multi-Layer Obfuscation
- From SSDT to IDT - A Personal Walkthrough of Kernel-Mode Intrigue (Uroboros Echoes)
- Mirai botnet among different instruction sets: x86, ARM, PPC, and MIPS with static analysis
- APT42 phishing campaigns and malicious code like soldiers hiding deep in the jungle
- FunkSec Ransomware and Rust Reverse Analysis
- Mirai: An IoT DDoS Botnet: How It Protects and Disguises Itself as an Aggressive Attacker (Analysis)
- Botnets continue to exploit vulnerabilities: FICORA botnet analysis
- Botnets continue to exploit vulnerabilities: CAPSAICIN botnet analysis
- BotenaGo Malware Targets Multiple Routers with 30+ Exploit Functions and Go Reversing Analysis
- CoinMiner embedded lots of vulnerabilities to exploit
- Hive ransomware command-line parameters analysis
- Unveiling Gelsemium’s (毒狼草) Linux backdoor WolfsBane
- APT32 poisoning GitHub to target Chinese cybersecurity professionals and malware analysis
- APT44’s ASPX web shell leverages obfuscation techniques and firewall rule manipulation to evade detection
- APT Silver Fox is using a stock investment decoy and undocumented Windows API functions to evade detection
- The ransom group d0glun: is it a hidden threat or just for fun?
- GreenSpot APT phishing campaigns with fake 163.com login analysis
- The North Korean nation-state APT43 Kimsuky used the PowerShell forceCopy to conduct spear-phishing analysis
- Rapperbot how to improve and expand its ability based on an early version static analysis
- Rapperbot static analysis for ARM architecture, the other variants to do a DDoS attack on Chinese AI startup DeepSeek
- HailBot analysis, the other variants to do a DDoS attack on Chinese AI startup DeepSeek
- The Art of Evasion: How Attackers Use VBScript and PowerShell in the Obfuscation Game
- The Art of Deception: A Deep Dive into Advanced Trojan-Dropper Obfuscation and Their True Intentions
- Unmasking the Threat: Understanding Sophisticated Trojan-Dropper Mechanisms
- AsyncRAT in Action: UAC-0173’s Latest Advanced Antivirus Detection & Evasion Techniques
- Akira Ransomware Expands to Linux: the attacking abilities and strategies
- The New Face of PowerShell: Ransomware Powered by PowerShell-Based Attacks
- Design Intent Exposed: Path Deception in nls_933w
- Regin: Static Analysis of Its Lightweight VFS Abstraction Layer
- Revisiting SubVirt & Blue Pill: From Attacker Proof-of-Concepts to Defensive Foundations
- PE-bear: The Art of Intuitive Malware Analysis
- Revisiting LoJax: The First UEFI Rootkit Found in the Wild
- Revisiting LoJax: Supplementary Analysis and Research Notes
- Revisiting MoonBounce: Research Notes
All content is provided strictly for educational and defensive purposes.
Seeker(李标明) · @clibm079
China · Independent Malware Analyst & Researcher