Articles
2024
Thread Name-Calling - using Thread Name for offense
2023
Rhadamanthys v0.5.0 – a deep dive into the stealer’s components
From Hidden Bee to Rhadamanthys - The Evolution of Custom Executable Formats
Magniber ransomware analysis: Tiny Tracer in action
2022
JSSLoader: the shellcode edition
[co-author] HermeticWiper: A detailed analysis of the destructive malware that targeted Ukraine
2021
Malwarebytes CrackMe - contest summary (CrackMe 3)
The return of the Malwarebytes CrackMe (CrackMe 3)
AvosLocker enters the ransomware scene, asks for partners
Revisiting the NSIS-based crypter
A deep dive into Saint Bot, a new downloader
[co-author] Cleaning up after Emotet: the law enforcement file
2020
Shining a light on “Silent Night” Zloader/Zbot
From a C project, through assembly, to shellcode
[co-author] Fake COVID-19 survey hides ransomware in Canadian university attack
[co-author] German users targeted with Gootkit banker or REvil ransomware
2019
[main author] New version of IcedID Trojan uses steganographic payloads
The Hidden Bee infection chain, part 1: the stegano pack
A deep dive into Phobos ransomware
Hidden Bee: Let’s go down the rabbit hole
“Funky malware format” found in Ocean Lotus sample
Analyzing a new stealer written in Golang
2018
What’s new in TrickBot? Deobfuscating elements
[co-author] Fake browser update seeks to compromise more MikroTik routers
Reversing malware in a custom format: Hidden Bee elements
Process Doppelgänging meets Process Hollowing in Osiris dropper
[co-author] ‘Hidden Bee’ miner delivered via improved drive-by download toolkit
[co-author] Magniber ransomware improves, expands within Asia
Malwarebytes CrackMe 2: contest summary
Malwarebytes CrackMe 2: try another challenge
PBot: a Python-based adware
Blast from the past: stowaway Virut delivered with Chinese DDoS bot
Avzhan DDoS bot dropped by Chinese drive-by attack
LockCrypt ransomware: weakness in code can lead to recovery
[co-author] Hermes ransomware distributed to South Koreans via recent Flash zero-day
A coin miner with a “Heaven’s Gate”
2017
Napoleon: a new version of Blind ransomware
How to solve the Malwarebytes CrackMe: a step-by-step tutorial
BadRabbit: a closer look at the new version of Petya/NotPetya
Magniber ransomware: exclusively for South Koreans
Inside the Kronos malware – part 2
Inside the Kronos malware – part 1
TrickBot comes up with new tricks: attacking Outlook and browsing data
Bye, bye Petya! Decryptor for old versions released.
Keeping up with the Petyas: Demystifying the malware family
The key to old Petya versions has been published by the malware author
EternalPetya – yet another stolen piece in the package?
EternalPetya and the lost Salsa20 key
LatentBot piece by piece
Elusive Moker Trojan is back
Diamond Fox – part 2: let’s dive in the code
Diamond Fox – part 1: introduction and unpacking
Explained: Sage ransomware
Explained: Spora ransomware
[co-author] New Neutrino Bot comes in a protective loader
Zbot with legitimate applications on board
From a fake wallet to a Java RAT
Post-holiday spam campaign delivers Neutrino Bot
2016
Goldeneye Ransomware – the Petya/Mischa combo rebranded
Simple userland rootkit – a case study
PrincessLocker – ransomware with not so royal encryption
Floki Bot and the stealthy dropper
Introducing TrickBot, Dyreza’s successor
Lesser known tricks of spoofing extensions
Unpacking the spyware disguised as antivirus
Shakti Trojan: Technical Analysis
Decrypting Chimera ransomware
Unpacking yet another .NET crypter
From Locky with love – reading malicious attachments
Third time (un)lucky – improved Petya is out
Untangling Kovter’s persistence methods
Satana ransomware – threat coming soon?
DMA Locker 4.0: Known ransomware preparing for a massive distribution
DMA Locker Strikes Back
DMA Locker: New Ransomware, But No Reason To Panic
Petya and Mischa – Ransomware Duet (Part 2)
Petya and Mischa – Ransomware Duet (Part 1)
7ev3n ransomware turning ‘HONE$T’
Rokku Ransomware shows possible link with Chimera
Recovery from Petya ransomware
Petya – Taking Ransomware To The Low Level
Maktub Locker – Beautiful And Dangerous
Cerber ransomware: new, but mature
Look Into Locky Ransomware
LeChiffre, Ransomware Ran Manually
Ransom32 – look at the malicious package
2015
Inside Chimera Ransomware – the first ‘doxingware’ in wild
Malware Crypters – the Deceptive First Layer
No money, but Pony! From a mail to a trojan horse
A Technical Look At Dyreza
Unpacking Fraudulent “Fax”: Dyreza Malware from Spam
Rainbows, Steganography and Malware in a new .NET cryptor
[co-author] Who’s Behind Your Proxy? Uncovering Bunitu’s Secrets
Revisiting The Bunitu Trojan
[co-author] Elusive HanJuan EK Drops New Tinba Version
[co-author] Unusual Exploit Kit Targets Chinese Users (Part 2)